This chapter describes the predefined assertion templates defined for the current release. Use the predefined assertion templates to construct your own policies or clone them to create new policies.
This chapter includes the following sections:
Note:
Oracle recommends that you do not edit the predefined assertion templates so that you will always have a known set of valid templates. You can, however, create a new assertion template from a predefined assertion template, or configure the attributes in an assertion after you have added it to a policy. For information about managing the assertion templates and adding them to policies, see "Managing Policy Assertion Templates" in Administering Mobile Security Access Server.For a detailed description of the configuration settings in the tables, see Assertion Template Settings.
For a detailed description of the configuration properties listed in the tables, see Assertion Template Configuration Properties. For details on how to edit the configuration properties, see "Editing the Configuration Properties" in Administering Oracle Mobile Security Access Server. For information about overriding policy properties, see "Configuring Policy Overrides" in Administering Oracle Mobile Security Access Server.
This section describes the predefined security assertion templates that are provided with your MSAS installation and which are listed on the Assertion Templates page in the MSAS Console.
The tables in the following sections distinguish how the MSAS security assertion templates are documented in this release:
MSAS Security Assertion Templates – summarizes new MSAS security assertion templates that are documented in this reference.
Note: Some assertion templates are marked as internal because they are not available for attachment to URLs in applications.
Security Assertion Templates Supported by MSAS – summarizes additional assertion templates that are supported by MSAS, but which are documented in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Security Assertion Templates Reserved for Future Use – summarizes the assertion templates that appear in the MSAS Console, but which are reserved for future use with MSAS.
Table 2-1 summarizes the predefined MSAS security assertion templates listed on the Assertion Templates page in the MSAS Console, and which are documented in this reference.
Table 2-1 Predefined MSAS Security Assertion Templates
| Assertion Template Name | Description |
|---|---|
|
Performs user authorization based on the policy defined in Oracle Entitlements Server (OES) and provides fine-grained authorization on any operation on a web service. |
|
|
Provides SKEK encryption and SKEK decryption. |
|
|
Used for accessing JWT user token protected resources. |
|
|
Used for accessing OAM protected resources. |
|
|
Injects an OAuth access token in the authorization header when accessing OAuth protected resources. |
|
|
Used for HTTP SPNEGO authentication for negotiating with a back-end Kerberos service. |
|
|
Internal assertion template that performs HTML form-based authentication. This assertion can be attached to web applications (URLs). |
|
|
Used for enabling Kerberos password authentication. |
|
|
Verifies if the web resource is protected via OAM, and if it is protected, then it authenticates using OAM and establishes the Subject before allowing access to the actual web resource. |
|
|
Performs OAuth2 confidential client authentication and creates OAuth and OAM tokens. This template is attached only on internal authentication endpoints. |
|
|
Performs OAuth2 mobile client authentication and creates OAuth and OAM tokens. This template is attached only on internal authentication endpoints. |
|
|
Performs NTLM (NT LAN Manager) authentication with NTLM protected applications. It requires a KINIT or PKINIT-based HTTP session token. This template can be attached to SOAP/REST services and also to web applications. |
|
|
Enables Kerberos PKI password authentication. |
|
|
Internal assertion template that issues a session token with the authenticated user ID. |
|
|
Verifies the session token including the timestamp and signature, decrypts the encrypted data and asserts the identity using the user ID from the session token. The request is rejected if the verification fails. |
|
|
Enables the Time Limited Password authentication. |
|
|
Internal assertion template that Injects a custom HTTP header with the client certificate received over two-way SSL. |
Table 2-2 summarizes additional assertion templates that are supported by MSAS. For detailed descriptions, however, see "Predefined Assertion Templates" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Table 2-2 Predefined Security Assertion Templates Supported by MSAS
| Assertion Template | Description |
|---|---|
|
oracle/http_jwt_token_client_template |
Includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declarative through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property. |
|
oracle/http_jwt_token_over_ssl_client_template |
Includes a JWT token in the HTTP header. The JWT token is created automatically. The issuer name and subject name are provided either programmatically or declarative through the policy. A policy created using this template can be attached to any HTTP-based client. You can specify the audience restriction condition using the configuration override property. |
|
oracle/http_jwt_token_service_template |
Authenticates users using the credentials provided in the JWT token in the HTTP header. |
|
oracle/http_jwt_token_over_ssl_service_template |
Authenticates users using the username provided in the JWT token in the HTTP header. |
|
oracle/http_saml20_token_bearer_client_template |
Includes SAML 2.0 tokens in outbound SOAP request messages. The SAML token with confirmation method Bearer is created automatically. |
|
oracle/http_saml20_token_bearer_service_template |
Authenticates users using credentials provided in SAML tokens with confirmation method Bearer in the WS-Security SOAP header. |
|
oracle/wss_http_token_client_template |
Includes username and password credentials in the HTTP header. You can control whether one-way or two-way authentication is required. |
|
oracle/wss_http_token_over_ssl_client_template |
Includes credentials in the HTTP header for outbound client requests and authenticates users against the Oracle Platform Security Services identity store. |
|
oracle/wss_http_token_service_template |
Uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store. You can control whether one-way or two-way authentication is required. |
|
oracle/wss_http_token_over_ssl_service_template |
Extracts the credentials in the HTTP header and authenticates users against the Oracle Platform Security Services identity store. |
Table 2-3 summarizes the predefined MSAS security assertion templates that are listed in the Assertion Templates page, but which are reserved for future use.
Table 2-3 Predefined Security Assertion Templates Reserved for Future Use
| Assertion Template Name | Description |
|---|---|
|
oracle/binding_authorization_template |
Reserved for future use. |
|
oracle/binding_oes_masking_template |
Reserved for future use. |
|
oracle/binding_permission_authorization_template |
Reserved for future use. |
|
oracle/component_authorization_template |
Reserved for future use. |
|
oracle/component_oes_authorization_template |
Reserved for future use. |
|
oracle/component_permission_authorization_template |
Reserved for future use. |
|
oracle/http_oam_token_service_template |
Reserved for future use. |
|
oracle/http_oauth2_token_client_template |
Reserved for future use. |
|
oracle/http_oauth2_token_over_ssl_client_template |
Reserved for future use. |
|
oracle/http_spnego_token_client_template |
Reserved for future use. |
|
oracle/http_spnego_token_service_template |
Reserved for future use. |
|
oracle/oauth2_config_client_template |
Reserved for future use. |
|
oracle/pii_security_template |
Reserved for future use. |
|
Reserved for future use. |
|
|
oracle/sts_trust_config_client_template |
Reserved for future use. |
|
oracle/sts_trust_config_service_template |
Reserved for future use. |
|
oracle/wss10_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_saml20_token_client_template |
Reserved for future use. |
|
oracle/wss10_saml20_token_service_template |
Reserved for future use. |
|
oracle/wss10_saml20_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_saml20_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss10_saml_hok_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_saml_hok_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss10_saml_token_client_template |
Reserved for future use. |
|
oracle/wss10_saml_token_service_template |
Reserved for future use. |
|
oracle/wss10_saml_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_saml_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss10_username_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_username_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss10_x509_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss10_x509_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss11_kerberos_token_client_template |
Reserved for future use. |
|
oracle/wss11_kerberos_token_service_template |
Reserved for future use. |
|
oracle/wss11_kerberos_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_kerberos_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss11_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_saml20_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_saml20_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss11_saml_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_saml_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_sts_issued_saml_hok_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss11_sts_issued_saml_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_username_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_username_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss11_x509_token_with_message_protection_client_template |
Reserved for future use. |
|
oracle/wss11_x509_token_with_message_protection_service_template |
Reserved for future use. |
|
oracle/wss_saml20_token_bearer_over_ssl_client_template |
Reserved for future use. |
|
oracle/wss_saml20_token_bearer_over_ssl_service_template |
Reserved for future use. |
|
oracle/wss_saml20_token_over_ssl_client_tpolicy |
Reserved for future use. |
|
oracle/wss_saml20_token_over_ssl_service_template |
Reserved for future use. |
|
oracle/wss_saml_token_bearer_client_template |
Reserved for future use. |
|
oracle/wss_saml_token_bearer_over_ssl_client_template |
Reserved for future use. |
|
oracle/wss_saml_token_bearer_over_ssl_service_template |
Reserved for future use. |
|
oracle/wss_saml_token_bearer_service_template |
Reserved for future use. |
|
oracle/wss_saml_token_over_ssl_client_template |
Reserved for future use. |
|
oracle/wss_saml_token_over_ssl_service_template |
Reserved for future use. |
|
oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_template |
Reserved for future use. |
|
oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_template |
Reserved for future use. |
|
oracle/wss_username_token_client_template |
Reserved for future use. |
|
oracle/wss_username_token_over_ssl_client_template |
Reserved for future use. |
|
oracle/wss_username_token_over_ssl_service_template |
Reserved for future use. |
|
oracle/wss_username_token_service_template |
Reserved for future use. |
|
Reserved for future use. |
|
|
Reserved for future use. |
Display Name: Binding OES Authorization Template
Category: Security
Type: oes-authorization
The binding_oes_authorization_template assertion template performs user authorization based on the policy defined in Oracle Entitlements Server (OES) and provides fine-grained authorization on any operation on a web service. Authorization is based on attributes, current authenticated subject, and web service actions invoked by the client. This policy should follow an authentication policy where the subject is established, and can be attached to any SOAP-based or REST-based endpoint.
Table 2-4 lists the settings for the binding_oes_authorization_template assertion template.
Table 2-4 binding_oes_authorization_template Settings
| Name | Default Value |
|---|---|
|
OES Based Authorization |
|
|
|
|
|
|
Table 2-5 lists the default configuration properties and the default settings for the binding_oes_authorization_template assertion template.
Display Name: HTTP Action Security Over SSL Template
Category: Security / Message Protection
Type: http-action-security
The http_action_over_ssl_template assertion template provides SKEK encryption and SKEK decryption.
Table 2-6 lists the settings for the http_action_over_ssl_template assertion template.
Table 2-6 http_action_over_ssl_template Settings
| Name | Default Value |
|---|---|
|
Authentication Token |
|
|
|
|
|
Action Token |
|
|
|
|
|
Transport Layer Security |
|
|
Disabled |
|
|
Disabled |
|
|
Disabled |
Table 2-7 lists the default configuration properties and the default settings for the http_action_over_ssl_template assertion template.
Display Name: HTTP BMAX JWT User Token Client Template
Category: Security
Type: http-jwt-user-token-security
The http_bmax_jwt_user_token_client_template assertion template is used for accessing JWT user token protected resources.
This assertion template does not have settings.
Table 2-8 lists the default configuration properties and the default settings for the http_bmax_jwt_user_token_client_template assertion template.
Display Name: HTTP BMAX OAM Token Client Template
Category: Security
Type: http-oam-token-security
The http_bmax_oam_client_template assertion template is used for accessing OAM protected resources.
This assertion template does not have settings.
Table 2-9 lists the default configuration properties and the default settings for the http_bmax_oam_client_template assertion template.
Display Name: HTTP BMAX OAUTH Client Template
Category: Security
Type: http-oauth-token-security
The http_bmax_oauth_client_template assertion injects an OAuth access token in the authorization header when accessing OAuth protected resources.
This assertion template does not have settings.
Table 2-10 lists the default configuration properties and the default settings for the http_bmax_oauth_client_template assertion template.
Display Name: HTTP BMAX Spnego Client Template
Category: Security
Type: http-spnego-security
The http_bmax_spnego_client_template assertion template is used for HTTP SPNEGO authentication for negotiating with a back-end Kerberos service.
This assertion template does not have settings.
Table 2-11 lists the default configuration properties and the default settings for the http_bmax_spnego_client_template assertion template.
Display Name: HTTP Form Based Authentication Service Assertion Template
Category: Security
Type: form-based-auth
The internal http_form_based_auth_over_ssl_service_template assertion template performs HTML form based authentication. This assertion can be attached to web applications (URLs).
Table 2-14 lists the settings for the http_form_based_auth_over_ssl_service_template assertion template.
Table 2-12 http_form_based_auth_over_ssl_service_template Settings
| Name | Default Value |
|---|---|
|
Transport Layer Security |
|
|
Enabled |
|
|
Disabled |
|
|
Disabled |
Table 2-15 lists the default configuration properties and the default settings for the http_form_based_auth_over_ssl_service_template assertion template.
Display Name: HTTP Kerberos Authentication Service Assertion Template
Category: Security
Type: http-kinit-security
The http_kinit_over_ssl_template assertion template is used for enabling Kerberos password authentication.
Table 2-14 lists the settings for the http_kinit_over_ssl_template assertion template.
Table 2-14 http_kinit_over_ssl_template Settings
| Name | Default Value |
|---|---|
|
Authentication Token |
|
|
|
|
|
Transport Layer Security |
|
|
Disabled |
|
|
Disabled |
|
|
Disabled |
Table 2-15 lists the default configuration properties and the default settings for the http_kinit_over_ssl_template assertion template.
Display Name: HTTP NTLM Authentication Client Template
Category: Security
Type: http-ntlm-security
The http_ntlm_token_client_template assertion template performs NTLM (NT LAN Manager) authentication with NTLM protected applications. It requires a KINIT or PKINIT-based HTTP session token. This template can be attached to SOAP/REST services and also to web applications.
This assertion template does not have settings.
Table 2-16 lists the default configuration properties and the default settings for the http_ntlm_token_client_template assertion template.
Display Name: HTTP OAM Access Service Assertion Template
Category: Security
Type: http-oam-authentication-security
The http_oam_authentication_service_template assertion template verifies if the web resource is protected via OAM, and if it is protected, then it authenticates using OAM and establishes the Subject before allowing access to the actual web resource.
Table 2-17 lists the settings for the http_oam_authenication_service_template assertion template.
Table 2-17 http_oam_authentication_service_template Settings
| Name | Default Value |
|---|---|
|
Authentication Header |
|
|
|
Table 2-18 lists the default configuration properties and the default settings for the http_oam_authentication_service_template assertion template.
Display Name: HTTP OAth2 Confidential Client Over SSL Template
Category: Security
Type: http-oauth2-confidential-client-security
The http_oauth2_confidential_client_over_ssl_template assertion template performs OAuth2 confidential client authentication and creates OAuth and OAM tokens. This template is attached only on internal authentication endpoints.
Table 2-19 lists the settings for the http_oauth2_mobile_client_over_ssl_template assertion template.
Table 2-19 http_oauth2_confidential_client_over_ssl_template Settings
| Name | Default Value |
|---|---|
|
Authentication Token |
|
|
|
|
|
Transport Layer Security |
|
|
Disabled |
|
|
Disabled |
|
|
Disabled |
Table 2-20 lists the default configuration properties and the default settings for the http_oauth2_confidential_client_over_ssl_template assertion template.
Display Name: HTTP OAMMS Mobile Client Token Over SSL Service Template
Category: Security
Type: http-oauth2-mobile-client-security
The http_oauth2_mobile_client_over_ssl_template assertion template performs OAuth2 mobile client authentication and creates OAuth and OAM tokens. This template is attached only on internal authentication endpoints.
Table 2-21 lists the settings for the http_oauth2_mobile_client_over_ssl_template assertion template.
Table 2-21 http_oauth2_mobile_client_over_ssl_template Settings
| Name | Default Value |
|---|---|
|
Authentication Token |
|
|
|
|
|
Transport Layer Security |
|
|
Disabled |
|
|
Disabled |
|
|
Disabled |
Table 2-22 lists the default configuration properties and the default settings for the http_oauth2_mobile_client_over_ssl_template assertion template.
Display Name: HTTP Kerberos PKI Authentication Service Assertion Template
Category: Security
Type: http-pkinit-security
The http_pkinit_over_ssl_template assertion template enables Kerberos PKI password authentication.
Table 2-23 lists the settings for the http_pkinit_over_ssl_template assertion template.
Table 2-23 http_pkinit_over_ssl_template Settings
| Name | Default Value |
|---|---|
|
Authentication Token |
|
|
|
|
|
Transport Layer Security |
|
|
Disabled |
|
|
Disabled |
|
|
Disabled |
Table 2-24 lists the default configuration properties and the default settings for the http_pkinit_over_ssl_template assertion template.
Display Name: HTTP Session Token Issuance Template
Category: Security
Type: http-stoken-issue
The http_session_token_issue_template assertion template issues a session token with the authenticated user ID.
Table 2-25 lists the settings for the http_session_token_issue_template assertion template.
Table 2-26 lists the default configuration properties and the default settings for the http_session_token_issue_template assertion template.
Display Name: HTTP Session Token Verification Template
Category: Security
Type: http-stoken-verify
The http_session_token_verify_template assertion template verifies the session token including the timestamp and signature, decrypts the encrypted data and asserts the identity using the userID from the session token. The request is rejected if the verification fails.
Table 2-27 lists the settings for the http_session_token_verify_template assertion template.
Table 2-28 lists the default configuration properties and the default settings for the http_session_token_verify_template assertion template.
Table 2-28 http_session_token_verify_template Configuration Properties
| Name | Default Value | Type |
|---|---|---|
|
None |
Optional |
|
|
None |
Optional |
|
|
None |
Optional |
|
|
Note: For authorization policy scenarios, this property must be set to |
false |
Required |
Display Name: HTTP TLP Authentication Service Assertion Template
Category: Security
Type: http-tlp-security
The http_tlp_over_ssl_template assertion template enables the Time Limited Password authentication.
Table 2-29 lists the settings for the http_tlp_over_ssl_template assertion template.
Table 2-29 http_tlp_over_ssl_template Settings
| Name | Default Value |
|---|---|
|
Authentication Token |
|
|
|
|
|
Transport Layer Security |
|
|
Disabled |
|
|
Disabled |
|
|
Disabled |
Table 2-30 lists the default configuration properties and the default settings for the http_tlp_over_ssl_template assertion template.
Display Name: Inject Header Template
Category: Security
Type: inject-header
The inject_header_template assertion template injects a custom HTTP header with the client certificate received over two-way SSL.
This assertion template does not have settings.
Table 2-31 lists the default configuration properties and the default settings for the inject_header_template assertion template.
Display Name: XPath Based Token Authentication Assertion Template
Category: Security
Type: xpath-token-auth
Note:
This assertion template is reserved for future use.The xpath_token_auth_service_template assertion template provides XPath based token authentication service.
Table 2-32 lists the settings for the xpath_token_auth_service_template assertion template.
Table 2-32 xpath_token_auth_service_template Settings
| Name | Default Value |
|---|---|
|
Authentication Header |
|
|
jwt |
|
|
Enabled |
|
|
|
|
|
Disabled |
|
|
Token Location XPath |
|
Table 2-33 lists the default configuration properties and the default settings for the xpath_token_auth_service_template assertion template.
Display Name: XPath Based Username/Password Authentication Assertion Template
Category: Security
Type: xpath-username-auth
Note:
This assertion template is reserved for future use.The xpath_username_auth_service_template assertion template provides XPath based username/password authentication service.
Table 2-34 lists the settings for the xpath_token_username_service_template assertion template.
Table 2-34 xpath_username_auth_service_template Settings
| Name | Default Value |
|---|---|
|
XPath to Username |
|
|
None |
|
|
None |
|
|
XPath to Password |
|
|
None |
|
|
None |
Table 2-35 lists the default configuration properties and the default settings for the xpath_username_auth_service_template assertion template.
This section describes the predefined management assertion templates defined for the current release.
Table 2-36 summarizes the management assertion templates.
Table 2-36 Management Assertion Templates
| Name | Description |
|---|---|
|
Provides a logging assertion template that can be attached to any binding or component. |
Display Name: Security Log Assertion Template
Category: Security
Type: Logging
Note:
This assertion template is reserved for future use.The security_log_template assertion template provides a logging assertion template that can be attached to any binding or component.
Table 2-37 lists the settings for the security_log_template assertion template.
Table 2-38 lists the configuration properties and the default settings for the security_log_template assertion template.