Understanding WS-Security

By implementing the Web Service Security (WS-Security) standard, PeopleSoft provides the ability to leverage emerging XML security technologies to address web services security requirements. WS-Security provides:

  • A way for applications to construct secure SOAP message exchanges.

  • A general-purpose mechanism for associating security tokens with SOAP messages.

  • XML message integrity and confidentiality.

WS-Security is a standard set of SOAP extensions that you use when building secure web services to implement message content integrity and confidentiality. It defines how to insert and convey security tokens in SOAP messages, and following the standard gives better interoperability and usability. The PeopleSoft WS-Security implementation provides:

  • SOAP message integrity.

    Ensuring that messages have not been tampered with.

  • SOAP message confidentiality.

    Guaranteeing that messages are protected against eavesdroppers.

The WS-Security Username Token Profile defines a standard way to associate user ID and password information in the SOAP messaging for web services interoperability.

The Security Assertion Markup Language (SAML) token uses assertions to define a standard way to associate common information such as issuer ID, NotBefore and NotOnOrAfter conditions, assertion ID, subject, and so on.

The OASIS WS-Security specification is the open standard for web services security. Its goal is to let applications secure SOAP message exchanges by providing encryption, integrity, and authentication support. WS-Security offers these general-purpose mechanisms for associating security tokens with message content:

  • Username token.

  • SAML token.

This figure shows how WS-Security inserts and conveys security tokens in SOAP messages.

WS-Security SOAP Message Structure

Reviewing Username Token Security

With Username Token support, a consumer can supply a UsernameToken as a means of identifying the requester by user name, and optionally using a password to authenticate that identity to the web service provider.

This is an XML example of a username token with password:

Note: With the PasswordText password type shown here, the password is sent in clear text.

<soapenv:Header>
	<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
		<wsse:UsernameToken>
			<wsse:Username>QEDMO</wsse:Username>
			<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
		</wsse:UsernameToken>
	</wsse:Security>
</soapenv:Header>

This is an XML example of a username token with digital signature:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
	<soapenv:Header>
		<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
					<ds:Reference URI="#id-18871350">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
						<ds:DigestValue>Do+wViC4mSHBWYmRMWKaRDF8xmU=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#id-11549664">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
						<ds:DigestValue>4NVgNpjX16B4+Wrmw+7bnGfeJSs=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
QFXQuStu8sLAvsDIgNaZHuVWBIes9GpgY6fGb9KLP209hzNi+cPp3NahsF1mVxcXzCjrui2Vc3vq
wLtYA9kaFsM7EMY8TdJC9cmiepr07pR2iXXMmDYYp01dOQkz+3SeBg9F2qPOBAg/jTrWgppys2rS
ES9pV6OIKRk0try8BcU=
				</ds:SignatureValue>
				<ds:KeyInfo Id="KeyId-1049443">
					<wsse:SecurityTokenReference wsu:Id="STRId-14721926" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
						<ds:X509Data>
							<ds:X509IssuerSerial>
								<ds:X509IssuerName>CN=PeopleTools TEST root CA,DC=peoplesoft,DC=com,OU=PeopleToolsDevelopment,O=PeopleSoft Inc,L=Pleasanton,ST=CA,C=US</ds:X509IssuerName>
								<ds:X509SerialNumber>566474176348341487536757</ds:X509SerialNumber>
							</ds:X509IssuerSerial>
						</ds:X509Data>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
			<wsse:UsernameToken wsu:Id="id-11549664" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
				<wsse:Username>QEDMO</wsse:Username>
				<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">QEDMO</wsse:Password>
			</wsse:UsernameToken>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body wsu:Id="id-18871350" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
		<ns1:testMethod xmlns:ns1="http://axis/service/security/test9/LogTestService9"/>
	</soapenv:Body>
</soapenv:Envelope>

Reviewing SAML Token Security

A SAML token makes statements about a principal. All SAML tokens include the following common information:

  • Issuer ID

  • Issuance timestamp

  • NotBefore or NotOnOrAfter conditions

  • Subject, which carries the name identifier and the subject confirmation

  • Conditions under which the assertion is valid

Note: PeopleSoft applications support SAML 1.1.

This is an XML example of a SAML token:

<Assertion AssertionID="d9aeaa4c1126df5ee0c6df64fdf961b1" IssueInstant="2008-05-14T18:18:47.246Z" Issuer=".example.com" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
	<Conditions NotBefore="2008-05-14T18:18:47.184Z" NotOnOrAfter="2008-05-14T18:28:47.184Z"/>
	<AuthenticationStatement AuthenticationInstant="2008-05-14T18:18:47.215Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
		<Subject>
			<NameIdentifier NameQualifier=".example.com">QEDMO</NameIdentifier>
			<SubjectConfirmation>
				<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
			</SubjectConfirmation>
		</Subject>
	</AuthenticationStatement>
</Assertion>

This is an XML example of a SAML token with digital signature:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
	<soapenv:Header>
		<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<Assertion AssertionID="ede14876b3389b653824f0456e07676d" IssueInstant="2008-05-13T22:54:17.417Z" Issuer=".example.com" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
				<Conditions NotBefore="2008-05-13T22:54:17.386Z" NotOnOrAfter="2008-05-13T23:04:17.386Z"/>
				<AuthenticationStatement AuthenticationInstant="2008-05-13T22:54:17.401Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
					<Subject>
						<NameIdentifier NameQualifier=".example.com">QEDMO</NameIdentifier>
						<SubjectConfirmation>
							<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
						</SubjectConfirmation>
					</Subject>
				</AuthenticationStatement>
			</Assertion>
			<wsse:SecurityTokenReference wsu:Id="STRSAMLId-11733267" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
				<wsse:Reference URI="#ede14876b3389b653824f0456e07676d" ValueType="http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertion-1.1"/>
			</wsse:SecurityTokenReference>
			<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-28365241" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken>
			<ds:Signature Id="Signature-22949069" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
					<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
					<ds:Reference URI="#STRSAMLId-11733267">
						<ds:Transforms>
							<ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
								<wsse:TransformationParameters>
									<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
								</wsse:TransformationParameters>
							</ds:Transform>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
						<ds:DigestValue>TK2a7xf+ldF9MkI1XYut8g5RG+A=</ds:DigestValue>
					</ds:Reference>
					<ds:Reference URI="#id-78219">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
						<ds:DigestValue>wTVh0pHi6NrTKDWnyXbX/WNCw68=</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>
LGWmXxak++duS8IfY+/4BphfPJW+Ka6a8DxUfYmUGUZ57d1HOmTs0fLR0RoqdIOKJtSD33qRyU6p
7lufZXsRoiJD5iEUJr+El7KgBEmFPFV5hDx2a+dnHN8Zd9A1DRh7qzr1ewKcRpdBDdoS2mJnqjcz
mlLOU6aPQqKAjgRtZtg=
				</ds:SignatureValue>
				<ds:KeyInfo Id="KeyId-15595312">
					<wsse:SecurityTokenReference wsu:Id="STRId-24840600" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
						<wsse:Reference URI="#CertId-28365241" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soapenv:Header>
	<soapenv:Body wsu:Id="id-78219" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
		<ns1:testMethod xmlns:ns1="http://axis/service/security/test9/LogTestService9"/>
	</soapenv:Body>
</soapenv:Envelope>

Note these points about PeopleSoft SAML assertions:

  • The PeopleSoft SAML token is concerned with the authentication statement only.

  • The PeopleSoft SAML token supports SAML with digital signature and encryption. SAML tokens without digital signatures are not supported.

  • The PeopleSoft SAML profile of WSS: SOAP Message Security requires that systems support the sender-vouches method of subject confirmation.

  • By default, the SAML assertion validity condition (the window from NotBefore to NotOnOrAfter) is 10 minutes. You can override the default by adding org.apache.ws.security.saml.AssertValidMins=15 to the wssSAML.properties file, which is located in the \\WEB-INF\classes\ directory.
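As an added example (not PeopleSoft's code), a Python check that applies the rules above to a wsse:Security element: the assertion must be signed, be SAML 1.1, carry an AuthenticationStatement, use sender-vouches subject confirmation, and be inside a validity window no longer than the 10-minute default. It assumes the ds:Signature itself has already been verified by an XML-DSig library, so only its presence is checked; the sample header is constructed and its signature is a stub.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
MAX_VALIDITY = timedelta(minutes=10)  # default AssertValidMins in wssSAML.properties

def parse_instant(s):
    # SAML 1.1 instants are UTC ("Z") with optional fractional seconds, which we drop
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_saml_security_header(security_xml, now):
    """Return (accepted, subject_or_reason) for one wsse:Security element."""
    sec = ET.fromstring(security_xml)
    a = sec.find(SAML + "Assertion")
    if a is None:
        return False, "no SAML assertion"
    if sec.find(DS + "Signature") is None:  # unsigned SAML tokens are not supported
        return False, "unsigned assertion"
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        return False, "unsupported SAML version"
    cond = a.find(SAML + "Conditions")
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing validity conditions"
    nb, noa = parse_instant(cond.get("NotBefore")), parse_instant(cond.get("NotOnOrAfter"))
    if noa - nb > MAX_VALIDITY or not (nb <= now < noa):
        return False, "assertion outside its validity window"
    stmt = a.find(SAML + "AuthenticationStatement")  # the only statement PeopleSoft uses
    if stmt is None:
        return False, "no AuthenticationStatement"
    subj = stmt.find(SAML + "Subject")
    cm = None if subj is None else subj.find(SAML + "SubjectConfirmation/" + SAML + "ConfirmationMethod")
    if cm is None or (cm.text or "").strip() != SENDER_VOUCHES:
        return False, "confirmation method is not sender-vouches"
    return True, subj.find(SAML + "NameIdentifier").text.strip()

# Constructed sample modelled on the signed SAML example above; the ds:Signature
# is a stub standing in for a real signature that an XML-DSig library has verified.
SAMPLE = f"""<wsse:Security xmlns:wsse="{WSSE[1:-1]}" xmlns:ds="{DS[1:-1]}">
 <Assertion AssertionID="a1" IssueInstant="2008-05-14T18:18:47.246Z" Issuer=".example.com"
  MajorVersion="1" MinorVersion="1" xmlns="{SAML[1:-1]}">
  <Conditions NotBefore="2008-05-14T18:18:47.184Z" NotOnOrAfter="2008-05-14T18:28:47.184Z"/>
  <AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
   AuthenticationInstant="2008-05-14T18:18:47.215Z">
   <Subject><NameIdentifier NameQualifier=".example.com">QEDMO</NameIdentifier>
    <SubjectConfirmation><ConfirmationMethod>{SENDER_VOUCHES}</ConfirmationMethod></SubjectConfirmation>
   </Subject></AuthenticationStatement></Assertion>
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>
</wsse:Security>"""
```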