C Schema Reference for Predefined Assertions for Oracle Web Services
The following figure describes the element hierarchy of the assertions in the WS-Policy file.
Figure C-1 Element Hierarchy of an Assertion
This section describes the elements and subelements for the following assertions:
C.1 wsp:Policy Element
This element groups nested policy assertions.
C.1.1 WS-Policy Attributes
The following table summarizes the WS-Policy attributes, including the Oracle extensions.
Table C-1 Oracle Extensions to WS-Policy Attributes
Attribute | Description |
---|---|
Name | Name of the policy. |
attachTo | Policy subjects to which the policy can be attached. Valid values include: binding.client, binding.server, binding.any. |
category | Category of the policy. Valid values include: security, mtom, wsrm, addressing, and management. |
description | Description of the policy. |
displayName | Name displayed in the user interface. |
localOptimization | Flag that specifies whether local optimization is enabled (written orawsp:local-optimization in the policy XML, as in the example below, which uses check-identity). OWSM supports a SOA local optimization feature for composite-to-composite invocations in which the reference of one composite specifies a web service binding to a second composite. Valid values include: |
status | Status of the policy reference. Valid values include: enabled and disabled. |
smartDigest | Smart Digest. |
oraSmartDigest | Smart Digest. |
readOnly | Indicates whether clients should be prevented from modifying this policy. |
subjectCount | Number of subjects to which the policy is currently attached. |
versionCreator | Author of the current version. |
versionNumber | Number of the current version. |
versionTime | Time the current version was created. |
id | Policy ID (wsu:Id in the example below). |
C.1.2 Example of WS-Policy
This example shows the code snippet for WS-Policy:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
    xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    Name="oracle/wss11_x509_token_with_message_protection_client_policy"
    orawsp:attachTo="binding.client"
    orawsp:category="security"
    orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDescKey"
    orawsp:displayName="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wss11_x509_token_with_message_protection_client_policy_PolyDispNameKey"
    orawsp:local-optimization="check-identity"
    orawsp:oraSmartDigest="935231872"
    orawsp:readOnly="true"
    orawsp:smartDigest="201244603"
    orawsp:status="enabled"
    orawsp:versionCreator="mdsInternal"
    orawsp:versionNumber="1"
    orawsp:versionTime="1238006529607"
    wsu:Id="wss11_x509_token_with_message_protection_client_policy">
  ...
</wsp:Policy>
C.2 wsp:ExactlyOne Element
This is an optional element that defines an OR group.
For more information about OR groups, see "About Defining Multiple Policy Alternatives (OR Groups)".
C.2.1 wsp:ExactlyOne Element Attribute
The following table summarizes the <wsp:ExactlyOne> element attribute.
Table C-2 Attribute of <wsp:ExactlyOne> Element
Attribute | Description |
---|---|
name | Set to Or to indicate that this is an OR group (written orawsp:name in the policy XML, as in the example below). |
C.2.2 Example of wsp:ExactlyOne Element
This example shows the code snippet for wsp:ExactlyOne element:
<wsp:ExactlyOne orawsp:name="Or">
  <orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/msg-protection, security/authentication"
      orawsp:name="WS-Security 1.1 Saml with certificates">
    <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false"
        orasp:is-signed="true" orasp:version="1.1"/>
    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
        orasp:is-signed="true" orasp:sign-key-ref-mech="direct"/>
    <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="true"
        orasp:encrypt-signature="false" orasp:include-timestamp="true"
        orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    ...
  <orasp:wss11-username-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/authentication, security/msg-protection"
      orawsp:name="WS-Security 1.1 username with certificates">
    <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
        orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
    <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false"
        orasp:is-signed="true" orasp:sign-key-ref-mech="thumbprint"/>
    <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="true"
        orasp:encrypt-signature="false" orasp:include-timestamp="true"
        orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    ...
</wsp:ExactlyOne>
C.3 orasp:Assertion Element
The <orasp:Assertion> element is the main element of an assertion. In a policy file it appears as a concrete assertion element, for example <orasp:wss11-mutual-auth-with-certificates> in the example below.
Valid assertion elements include:
C.3.1 orasp:Assertion Element Attributes
The following table summarizes the <orasp:Assertion> element attributes.
Table C-3 Attributes of <orasp:Assertion> Element
Attribute | Description |
---|---|
Optional | Flag that specifies whether the assertion is optional or required. |
Silent | Flag that specifies whether the assertion is advertised. If set to true, the assertion is not advertised. |
Enforced | Flag that specifies whether the assertion is currently enabled. Valid values are true or false. |
name | Name of the assertion. |
description | Description of the assertion. |
category | Category to which the assertion applies. Valid values include: security/authentication, security/msg-protection, security/authorization, security/logging, mtom, wsrm, addressing, and management. |
C.3.2 Example of orasp:Assertion Element
This example shows the code snippet for orasp:Assertion element:
<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
  ...
</orasp:wss11-mutual-auth-with-certificates>
C.4 orawsp:bindings Element
The <orawsp:bindings> element defines the bindings in the assertion.
This element includes the orawsp:Config Element.
C.4.1 Example of orawsp:bindings Element
This example shows the code snippet for orawsp:bindings element:
<orawsp:bindings>
  <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
    <orawsp:PropertySet orawsp:name="standard-security-properties">
      <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
        <orawsp:Value>ultimateReceiver</orawsp:Value>
      </orawsp:Property>
    </orawsp:PropertySet>
  </orawsp:Config>
</orawsp:bindings>
C.5 orawsp:Config Element
The <orawsp:Config> element defines the configuration for the assertion.
This element can include the orawsp:PropertySet Element.
C.5.1 orawsp:Config Element Attributes
The following table summarizes the <orawsp:Config> element attributes.
Table C-4 Attributes of <orawsp:Config> Element
Attribute | Description |
---|---|
name | Name of the configuration. |
type | Category to which the configuration applies. |
configType | Configuration type. Valid values include: declarative and programmatic. |
C.5.2 Example of orawsp:Config Element
This example shows the code snippet for orawsp:Config element:
<orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
  <orawsp:PropertySet orawsp:name="standard-security-properties">
    <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
      <orawsp:Value>ultimateReceiver</orawsp:Value>
    </orawsp:Property>
  </orawsp:PropertySet>
</orawsp:Config>
C.6 orawsp:PropertySet Element
The <orawsp:PropertySet> element groups nested properties.
This element includes the orawsp:Property Element.
C.6.1 orawsp:PropertySet Element Attributes
The following table summarizes the attributes of the <orawsp:PropertySet> element.
Table C-5 Attributes of <orawsp:PropertySet> Element
Attribute | Description |
---|---|
name | Name of the property set. |
C.7 orawsp:Property Element
The <orawsp:Property> element defines a single property. Table C-7 summarizes the properties used by the predefined assertions.
The <orawsp:Property> element can contain the following subelements:
C.7.1 orawsp:Property Element Attributes
The following table summarizes the attributes of the <orawsp:Property> element.
Table C-6 Attributes of <orawsp:Property> Element
Attribute | Description |
---|---|
name | Name of the property. See Table C-7 for a list of property values used by the predefined assertions. |
type | Type of the property. For example, string. |
contentType | Specifies whether the property is required and can be overridden. Valid values include: constant and optional, both used in the examples on this page; a constant property has a fixed value that cannot be overridden, whereas an optional property may be overridden when the policy is attached. For information about overriding policies, see "Overview of Policy Configuration Overrides". |
The following table summarizes the properties used by the predefined assertions.
Table C-7 Properties Used by the Predefined Assertions
Property | Description |
---|---|
action | Action or web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards. For example, |
attesting.mapping.attribute | The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches, and then only to message protection use cases. It is not applicable to SAML over SSL policies. |
BaseRetransmissionInterval | Interval, in milliseconds, that the source endpoint waits after transmitting a message and before it retransmits the message. If the source endpoint does not receive an acknowledgement for a given message within the interval specified by this element, the source endpoint retransmits the message. The source endpoint can modify this retransmission interval at any point during the lifetime of the sequence of messages. This assertion does not alter the formulation of messages as transmitted, only the timing of their transmission. This value defaults to 3000. |
credential.delegation | Flag that specifies whether Credential Delegation with Forwarded TGT is supported. For more information, see "About Configuration of Credential Delegation". This value defaults to false. |
csf-key | Credential Store Key that maps to a username and password in the Oracle Platform Security Services identity store. The default value is |
DeliveryAssurance | Delivery assurance. Valid values include: |
jdbc-connection-name | JNDI reference to a JDBC data store. Valid when StoreType is set to JDBC. This value defaults to jdbc/MessagesStore. |
InactivityTimeout | Period of inactivity (in milliseconds) for a sequence of messages. A sequence of messages is defined as a set of messages, identified by a unique sequence number, for which a particular delivery assurance applies; typically a sequence originates from a single source endpoint. If, during the duration specified by this element, a destination endpoint has received no messages from the source endpoint, the destination endpoint may consider the sequence to have been terminated due to inactivity. The same applies to the source endpoint. This value defaults to 600000. |
keystore.enc.csf.key | Credential store key for the encryption key (alias and password). If you set this value, you can then override it, as described in "Overview of Policy Configuration Overrides". |
keystore.recipient.alias | Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. Can be superseded by the service identity certificate extension; see "Understanding Service Identity Certificate Extensions". |
on.behalf.of | Override this property to indicate whether the request is on behalf of another entity. The default value for this flag is false. |
permission-class | Class used for the permission-based checking. For example, oracle.wsm.security.WSFunctionPermission, as in the examples in C.16.1 and C.21.1. |
realm | HTTP realm. This value defaults to owsm. |
resource | Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation (see C.11). |
role | SOAP role. This value defaults to ultimateReceiver. |
saml.assertion.filename | File containing SAML assertions. This value defaults to temp. |
saml.audience.uri | Represents the relying party, as a comma-separated URI. This field accepts the following wildcards: |
saml.issuer.name | Name of the issuer of the SAML token. This value defaults to www.oracle.com. |
saml.trusted.issuers | A comma-separated list of SAML token trusted issuers for an application that overrides the trusted issuers configured at domain level. |
service.principal.name | Kerberos principal name that identifies the service. |
StoreName | Name of the message store. This value defaults to oracle. |
StoreType | Type of message store. Valid values include: |
sts.auth.caller.principal.name | Client's principal name as generated using the |
sts.auth.keytab.location | Location of the client's keytab file. |
sts.auth.on.behalf.of.csf.key | Use to configure the "on behalf of" entity. If present, it is given preference over the Subject (if one exists). |
sts.auth.service.principal.name | Principal name for the web service that needs to be protected. It is of the format |
sts.auth.user.csf.key | Use to configure the username/password used to authenticate to the STS. If |
sts.auth.x509.csf.key | Use to configure the X509 certificate used to authenticate to the STS. If |
sts.keystore.recipient.alias | The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key. |
subject.precedence | Set subject.precedence to false to allow the use of a client-specified username rather than the authenticated subject. If subject.precedence is true, the user name used to create the SAML assertion is obtained only from the Subject. If subject.precedence is false, the user name used to create the SAML assertion is obtained only from the csf-key username property. |
user.attributes | Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The OWSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion. |
user.roles.include | User roles to be included in the SAML assertion. This value defaults to false. |
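The following script is an added example and is not part of this reference or of OWSM. It reads a policy file along the hierarchy described in C.1 through C.7 (wsp:Policy, wsp:ExactlyOne, assertion, orawsp:bindings, orawsp:Config, orawsp:PropertySet, orawsp:Property) and reports the settings a policy reviewer checks first: alternatives whose Enforced flag is false, a plaintext username token that is not marked is-encrypted, message security without a timestamp, and properties whose contentType is not constant and can therefore be overridden at attach time. The sample policy is constructed for this example from the C.2.2 snippets (its attribute values are illustrative, not a shipped policy); the review rules are the editor's, not an OWSM feature, and an absent Enforced attribute is assumed to mean true.

```python
"""Walk an OWSM policy file and report review-relevant settings.
Added example, not Oracle's code: follows the hierarchy wsp:Policy >
wsp:ExactlyOne > assertion > orawsp:bindings > orawsp:Config >
orawsp:PropertySet > orawsp:Property described in C.1 to C.7.  SAMPLE_POLICY
is constructed for this example from the C.2.2 snippet; the checks are the
editor's, not an OWSM feature, and a missing Enforced attribute is assumed
to mean true.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "orasp": "http://schemas.oracle.com/ws/2006/01/securitypolicy",
    "orawsp": "http://schemas.oracle.com/ws/2006/01/policy",
}
ORAWSP, ORASP = "{%s}" % NS["orawsp"], "{%s}" % NS["orasp"]

SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    Name="example/sample_client_policy" orawsp:attachTo="binding.client"
    orawsp:category="security" orawsp:status="enabled">
  <wsp:ExactlyOne orawsp:name="Or">
    <orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
        orawsp:category="security/msg-protection, security/authentication"
        orawsp:name="WS-Security 1.1 Saml with certificates">
      <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-signed="true"/>
      <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:include-timestamp="true"/>
      <orawsp:bindings>
        <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
          <orawsp:PropertySet orawsp:name="standard-security-properties">
            <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
              <orawsp:Value>ultimateReceiver</orawsp:Value>
            </orawsp:Property>
            <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
              <orawsp:Value>www.oracle.com</orawsp:Value>
            </orawsp:Property>
          </orawsp:PropertySet>
        </orawsp:Config>
      </orawsp:bindings>
    </orasp:wss11-saml-with-certificates>
    <orasp:wss11-username-with-certificates orawsp:Enforced="false" orawsp:Silent="false"
        orawsp:category="security/authentication, security/msg-protection"
        orawsp:name="WS-Security 1.1 username with certificates">
      <orasp:username-token orasp:add-nonce="false" orasp:is-encrypted="false"
          orasp:is-signed="true" orasp:password-type="plaintext"/>
      <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:include-timestamp="false"/>
    </orasp:wss11-username-with-certificates>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def local_name(tag):
    """Strip the {namespace} prefix that ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def assertions(policy_root):
    """Yield assertion elements, unwrapping a wsp:ExactlyOne OR group if present."""
    for child in policy_root:
        if local_name(child.tag) == "ExactlyOne":
            yield from child
        else:
            yield child


def overridable_properties(assertion):
    """Property name -> contentType for every property that is not 'constant'."""
    return {p.get(ORAWSP + "name"): p.get(ORAWSP + "contentType", "")
            for p in assertion.iterfind(".//orawsp:Property", NS)
            if p.get(ORAWSP + "contentType") != "constant"}


def audit_assertion(assertion):
    """Return human-readable findings for one assertion element."""
    name = assertion.get(ORAWSP + "name", local_name(assertion.tag))
    findings = []
    if assertion.get(ORAWSP + "Enforced", "true").lower() != "true":
        findings.append(f"{name}: Enforced=false, assertion is not enforced")
    token = assertion.find("orasp:username-token", NS)
    if (token is not None and token.get(ORASP + "password-type") == "plaintext"
            and token.get(ORASP + "is-encrypted") != "true"):
        findings.append(f"{name}: plaintext username-token is not encrypted")
    msg = assertion.find("orasp:msg-security", NS)
    if msg is not None and msg.get(ORASP + "include-timestamp") != "true":
        findings.append(f"{name}: msg-security has no timestamp, so no replay window")
    for prop, ctype in overridable_properties(assertion).items():
        findings.append(f"{name}: property {prop} ({ctype or 'no contentType'}) may be overridden")
    return findings


def audit_policy(xml_text):
    """Parse a policy; return its Name, attachTo, alternative names and findings."""
    root = ET.fromstring(xml_text)
    report = {"name": root.get("Name"), "attachTo": root.get(ORAWSP + "attachTo"),
              "alternatives": [], "findings": []}
    for a in assertions(root):
        report["alternatives"].append(local_name(a.tag))
        report["findings"].extend(audit_assertion(a))
    return report
```

Calling audit_policy(SAMPLE_POLICY) on the constructed file yields four findings: the optional saml.issuer.name property in the first alternative, and the unenforced flag, the unencrypted plaintext username token, and the missing timestamp in the second. Because the two assertions sit inside a wsp:ExactlyOne group, a client may satisfy the policy with either one, so the weaker alternative sets the effective security level of the policy.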
C.8 orawsp:Description Element
The <orawsp:Description> element provides a description of the property.
C.9 orawsp:Value Element
The <orawsp:Value> element provides a list of valid values for the property.
C.10 orawsp:guard Element
The <orawsp:guard> element defines the resource, action, and constraint match values.
C.10.1 Examples of orawsp:guard Element
<orawsp:guard>
  <orawsp:resource-match>http://project11/CreditValidation</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV' || messageContext.requestOrigin == 'internal')}</orawsp:constraint-match>
</orawsp:guard>
C.11 orawsp:resource-match Element
The <orawsp:resource-match> element specifies the name of the resource for which authorization checks are performed. This field accepts wildcards.
For example, if the namespace of the web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.
C.11.1 Examples of orawsp:resource-match
<orawsp:guard>
  <orawsp:resource-match>http://project11/CreditValidation</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
C.12 orawsp:action-match Element
The <orawsp:action-match> element specifies the action or web service operation for which authorization checks are performed. This value can be a comma-separated list of values. This field accepts wildcards.
C.12.1 Examples of orawsp:action-match Element
<orawsp:guard>
  <orawsp:resource-match>http://project11/CreditValidation</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
<orawsp:guard>
  <orawsp:resource-match>*</orawsp:resource-match>
  <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
</orawsp:guard>
C.13 orawsp:constraint-match Element
The <orawsp:constraint-match> element specifies the constraints against which authorization checks are performed. The value is an expression over the following two messageContext properties:
- messageContext.authenticationMethod: the authentication method used to authenticate the user. Valid value is SAML_SV.
- messageContext.requestOrigin: whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP Server administrator has added a custom VIRTUAL_HOST_TYPE header to the request. Because the value is derived from that header, the check is only as trustworthy as the front end that sets it; a VIRTUAL_HOST_TYPE header supplied directly by a client must not reach the service.
The properties and their values are case sensitive. The constraint expression supports the standard operators ==, !=, &&, || and !.
Note: This element is supported with the binding-authorization element only. For other authorization assertion elements, this field is reserved for future use.
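The evaluator below is an added example, not Oracle's code, for the <orawsp:guard> matching described in C.10 through C.13. It applies resource-match and action-match with wildcards and comma-separated lists, and evaluates a constraint-match expression over messageContext.authenticationMethod and messageContext.requestOrigin with the operators ==, !=, &&, || and !, treating names and values as case sensitive. The exact OWSM expression grammar and wildcard semantics are not given on this page, so glob-style wildcards and the recursive-descent parser here are assumptions that accept the page's own examples; the sample guards are constructed from the C.10.1 snippets plus the empty guard of C.15.1.

```python
"""Evaluate orawsp:guard elements (C.10 to C.13) against a request.
Added example, not Oracle's code.  resource-match/action-match take '*' wildcards
and comma lists; constraint-match is an expression over messageContext.authenticationMethod
and messageContext.requestOrigin using ==, !=, &&, || and !.  OWSM's exact grammar is not on
this page: glob wildcards and the parser below are assumptions that accept the page's examples.
SAMPLE_GUARDS is constructed from C.10.1 plus the empty guard of C.15.1.
"""
import fnmatch
import re
import xml.etree.ElementTree as ET

NS = {"orawsp": "http://schemas.oracle.com/ws/2006/01/policy"}
SAMPLE_GUARDS = """<guards xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy">
  <orawsp:guard>
    <orawsp:resource-match> http://project11/CreditValidation </orawsp:resource-match>
    <orawsp:action-match>validate,amountAvailable</orawsp:action-match>
  </orawsp:guard>
  <orawsp:guard>
    <orawsp:constraint-match>${!(messageContext.authenticationMethod =='SAML_SV' || messageContext.requestOrigin == 'internal')}</orawsp:constraint-match>
  </orawsp:guard>
  <orawsp:guard/>
</guards>"""
# Tokens: parentheses, the five operators, single-quoted literals, dotted identifiers.
TOKEN = re.compile(r"\s*(\(|\)|==|!=|&&|\|\||!|'[^']*'|[A-Za-z_][\w.]*)")


def tokenize(expr):
    """Split a ${...} expression into tokens; any character outside the grammar is rejected."""
    body = expr.strip()
    body = body[2:-1] if body.startswith("${") and body.endswith("}") else body
    tokens = TOKEN.findall(body)
    if re.sub(r"\s+", "", "".join(tokens)) != re.sub(r"\s+", "", body):
        raise ValueError(f"unexpected input in {body!r}")
    return tokens


class ConstraintEvaluator:
    """Recursive descent with precedence: || lowest, then &&, then == and !=, then ! and ()."""
    def __init__(self, tokens, message_context):
        self.toks, self.i, self.ctx = tokens, 0, message_context

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def evaluate(self):
        value = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing tokens {self.toks[self.i:]}")
        return bool(value)

    def or_expr(self):
        return self.binary("||", lambda: self.binary("&&", self.equality))

    def binary(self, op, operand):
        value = operand()
        while self.peek() == op:
            self.i += 1
            rhs = operand()  # the right side is always consumed, never skipped
            value = (value or rhs) if op == "||" else (value and rhs)
        return value

    def equality(self):
        left = self.unary()
        while self.peek() in ("==", "!="):
            op, self.i = self.toks[self.i], self.i + 1
            right = self.unary()
            left = (left == right) if op == "==" else (left != right)
        return left

    def unary(self):
        tok = self.peek()
        self.i += 1
        if tok == "!":
            return not self.unary()
        if tok == "(":
            value = self.or_expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.i += 1
            return value
        if tok and tok.startswith("'"):
            return tok[1:-1]
        if tok and tok.startswith("messageContext."):
            return self.ctx.get(tok[len("messageContext."):])  # case sensitive (C.13); unset -> None
        raise ValueError(f"unexpected token {tok!r}")


def guard_matches(guard, resource, action, message_context):
    """Every match element present must hold; an empty <orawsp:guard/> restricts nothing."""
    rm = guard.findtext("orawsp:resource-match", namespaces=NS)
    am = guard.findtext("orawsp:action-match", namespaces=NS)
    cm = guard.findtext("orawsp:constraint-match", namespaces=NS)
    if rm is not None and not fnmatch.fnmatchcase(resource, rm.strip()):
        return False
    if am is not None and not any(fnmatch.fnmatchcase(action, p.strip()) for p in am.split(",")):
        return False
    return cm is None or ConstraintEvaluator(tokenize(cm), message_context).evaluate()


def evaluate_guards(xml_text, resource, action, message_context):
    root = ET.fromstring(xml_text)
    return [guard_matches(g, resource, action, message_context)
            for g in root.iterfind("orawsp:guard", NS)]
```

With the page's constraint, a request authenticated as SAML_SV fails the second guard (the negation excludes both SAML sender-vouches callers and requests marked internal), while a request with any other method from an external origin passes it; a lowercase saml_sv does not equal SAML_SV because the comparison is case sensitive. The tokenizer rejects any character outside the five operators, quoted literals and identifiers, so a constraint value that has been tampered with fails closed with an error instead of being partly evaluated.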
C.14 oralgp:Logging Element
The <oralgp:Logging> element defines the logging policy.
The <oralgp:Logging> element contains the following subelements:
C.14.1 Example of oralgp:Logging Element
The following example shows the oralgp:Logging element.
<oralgp:Logging orawsp:Enforced="false" orawsp:Silent="true" orawsp:category="security/logging"
    orawsp:name="Log Message1">
  <oralgp:msg-log>
    <oralgp:request>all</oralgp:request>
    <oralgp:response>all</oralgp:response>
    <oralgp:fault>all</oralgp:fault>
  </oralgp:msg-log>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</oralgp:Logging>
C.15 orasp:binding-authorization Element
The <orasp:binding-authorization> element defines a simple role-based authorization for the request based on the authenticated subject at the SOAP binding level.
The <orasp:binding-authorization> element contains the following subelements:
It also contains one of the following subelements:
C.15.1 Example of orasp:binding-authorization Element
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
  <orawsp:guard/>
</orasp:binding-authorization>
C.16 orasp:binding-permission-authorization Element
The <orasp:binding-permission-authorization> element defines simple permission-based authorization for the request based on the authenticated subject at the SOAP binding level.
The <orasp:binding-permission-authorization> element contains the following subelements:
C.16.1 Example of orasp:binding-permission-authorization Element
<orasp:binding-permission-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="J2EE Permission Based Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="BindingPermissionAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:binding-permission-authorization>
C.17 orasp:coreid-security Element
The <orasp:coreid-security> element uses the credentials in the WS-Security header's binary security token to authenticate users against the Oracle Access Manager identity store.
It contains the following subelements:
C.17.1 Example of orasp:coreid-security Element
<orasp:coreid-security orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authentication, security/authorization" orawsp:name="OAM Security">
  <orasp:coreid-token orasp:is-encrypted="false" orasp:is-signed="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="CoreIdConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:coreid-security>
C.18 orasp:http-security Element
The <orasp:http-security> element uses the credentials in the HTTP header to authenticate users against the Oracle Platform Security Services identity store.
It contains the following subelements:
C.18.1 Example of orasp:http-security Element
<orasp:http-security orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authentication, security/msg-protection" orawsp:name="Http over SSL Security">
  <orasp:auth-header orasp:mechanism="basic"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="HttpConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="realm" orawsp:type="string">
          <orawsp:Value>owsm</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:http-security>
C.19 orasp:kerberos-security Element
The <orasp:kerberos-security> element enforces Kerberos token authentication in accordance with the WS-Security Kerberos Token Profile v1.1 standard.
It contains the following subelements:
C.19.1 Example of orasp:kerberos-security Element
<orasp:kerberos-security orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication" orawsp:name="WSS Kerberos Token">
  <orasp:kerberos-token orasp:is-encrypted="false" orasp:is-signed="false" orasp: type="gss-apreq-v5"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="KerberosSecurityConfig"/>
  </orawsp:bindings>
</orasp:kerberos-security>
C.20 orasp:sca-component-authorization Element
The <orasp:sca-component-authorization> element defines simple role-based authorization for the request based on the authenticated subject at the SOA component level.
The <orasp:sca-component-authorization> element contains the following subelement:
It also contains one of the following subelements:
C.20.1 Example of orasp:sca-component-authorization Element
<orasp:sca-component-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="Fabric Component Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="FabricAuthzConfig"/>
  </orawsp:bindings>
</orasp:sca-component-authorization>
C.21 orasp:sca-component-permission-authorization Element
The <orasp:sca-component-permission-authorization> element provides simple permission-based authorization for the request based on the authenticated subject at the SOA component level.
The <orasp:sca-component-permission-authorization> element contains the following subelements:
C.21.1 Example of orasp:sca-component-permission-authorization Element
<orasp:sca-component-permission-authorization orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/authorization" orawsp:name="Fabric Component Authorization">
  <orasp:check-permission/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="FabricAuthzConfig">
      <orawsp:PropertySet orawsp:name="perms-authz-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="resource" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="action" orawsp:type="string">
          <orawsp:DefaultValue>*</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="permission-class" orawsp:type="string">
          <orawsp:DefaultValue>oracle.wsm.security.WSFunctionPermission</orawsp:DefaultValue>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
  <orawsp:guard>
    <orawsp:resource-match>*</orawsp:resource-match>
    <orawsp:action-match>*</orawsp:action-match>
  </orawsp:guard>
</orasp:sca-component-permission-authorization>
C.22 orasp:sts-trust-config Element
The <orasp:sts-trust-config> element provides a mechanism to invoke the STS for token exchange.
It contains the following subelements:
C.22.1 orasp:sts-trust-config Element Attributes
The following table summarizes the attributes of the <orasp:sts-trust-config> element.
Table C-8 Attributes of <orasp:sts-trust-config> Element
Attribute | Description |
---|---|
wsdl-uri | The actual endpoint URI of the WSDL. |
port-uri | The actual endpoint URI of the STS port. For example. |
port-endpoint | The endpoint of the STS web service. For a WSDL 2.0 STS, the format is specified as in the example below, target-namespace#wsdl.endpoint(service-name/port-name). For a WSDL 1.1 STS, the format is specified as |
policy-reference-uri | The client policy URI that will be used by the client to communicate with the STS. The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL. |
soap-version | SOAP version. |
sts-keystore-recipient-alias | The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key. |
C.22.2 Example of orasp:sts-trust-config Element
<orasp:sts-trust-config xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
    orasp:policy-reference-uri="oracle/wss10_username_token_with_message_protection_client_policy"
    orasp:port-endpoint="target-namespace#wsdl.endpoint(service-name/port-name)"
    orasp:port-uri="http://host:port/sts-service"
    orasp:soap-version="12"
    orasp:sts-keystore-recipient-alias="sts-csf-key"
    orasp:wsdl-uri="http://host:port/sts?wsdl"
    orawsp:Enforced="true" orawsp:Silent="true"
    orawsp:category="security/sts-config" orawsp:name="STS Trust Configuration">
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="StsTrustConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:sts-trust-config>
C.23 orasp:wss10-anonymous-with-certificates Element
The <orasp:wss10-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
C.23.1 Example of orasp:wss10-anonymous-with-certificates Element
<orasp:wss10-anonymous-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/msg-protection" orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-anonymous-with-certificates>
C.24 orasp:wss10-mutual-auth-with-certificates Element
The <orasp:wss10-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
C.24.1 Example of orasp:wss10-mutual-auth-with-certificates Element
<orasp:wss10-mutual-auth-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.0 Mutual Auth with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-mutual-auth-with-certificates>
C.25 orasp:wss10-saml-hok-with-certificates Element
The <orasp:wss10-saml-hok-with-certificates> element provides message protection (integrity and confidentiality) and SAML holder-of-key based authentication for outbound SOAP messages in accordance with the WS-Security 1.0 standard.
It contains the following subelements:
C.25.1 Example of orasp:wss10-saml-hok-with-certificates Element
<orasp:wss10-saml-hok-with-certificates orawsp:Enforced="true" orawsp:Silent="false"
    orawsp:category="security/authentication, security/msg-protection"
    orawsp:name="WS-Security 1.0 SAML Holder Of Key with certificates">
  <orasp:saml-token orasp:confirmation-type="holder-of-key" orasp:is-encrypted="false"
      orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true"
      orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="ski"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false"
      orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10SamlHOKWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.assertion.filename" orawsp:type="string">
          <orawsp:Value>temp</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-hok-with-certificates>
C.26 orasp:wss10-saml-token Element
The <orasp:wss10-saml-token> element authenticates users using credentials provided in SAML tokens in the WS-Security SOAP header.
It contains the following subelements: <orasp:saml-token> and <orawsp:bindings>.
C.26.1 Example of orasp:wss10-saml-token Element
```xml
<orasp:wss10-saml-token orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="WSSecurity SAML Token">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false" orasp:is-signed="false" orasp:version="1.1"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssSamlTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-token>
```
C.27 orasp:wss10-saml-with-certificates Element
The <orasp:wss10-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements: <orasp:saml-token>, <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.27.1 Example of orasp:wss10-saml-with-certificates Element
```xml
<orasp:wss10-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.0 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-saml-with-certificates>
```
C.28 orasp:wss10-username-with-certificates Element
The <orasp:wss10-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.0 standard.
It contains the following subelements: <orasp:username-token>, <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.28.1 Example of orasp:wss10-username-with-certificates Element
```xml
<orasp:wss10-username-with-certificates orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.0 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss10-username-with-certificates>
```
C.29 orasp:wss11-anonymous-with-certificates Element
The <orasp:wss11-anonymous-with-certificates> element provides message protection (integrity and confidentiality) for outbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements: <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.29.1 Example of orasp:wss11-anonymous-with-certificates Element
```xml
<orasp:wss11-anonymous-with-certificates orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/msg-protection" orawsp:name="WS-Security 1.0 Anonymous with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-anonymous-with-certificates>
```
C.30 orasp:wss11-mutual-auth-with-certificates Element
The <orasp:wss11-mutual-auth-with-certificates> element enforces message-level protection and certificate-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements: <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.30.1 Example of orasp:wss11-mutual-auth-with-certificates Element
```xml
<orasp:wss11-mutual-auth-with-certificates orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.1 Mutual Auth with certificates">
  <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="true" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="false" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss10AnonWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:name="keystore.recipient.alias" orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-mutual-auth-with-certificates>
```
C.31 orasp:wss11-saml-with-certificates Element
The <orasp:wss11-saml-with-certificates> element enforces message protection (integrity and confidentiality) and SAML-based authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements: <orasp:saml-token>, <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.31.1 Example of orasp:wss11-saml-with-certificates Element
```xml
<orasp:wss11-saml-with-certificates orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.1 SAML with certificates">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11SamlWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-saml-with-certificates>
```
C.32 orasp:wss11-sts-issued-token-with-certificates Element
The <orasp:wss11-sts-issued-token-with-certificates> element enforces insertion of an assertion issued by a trusted STS. Messages are protected using proof key material provided by the STS, the client, or both.
It contains the following subelements: <orasp:issued-token>, <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.32.1 orasp:wss11-sts-issued-token-with-certificates Element Attributes
The following table summarizes the attributes of the <orasp:wss11-sts-issued-token-with-certificates> element.
Table C-9 Attributes of <orasp:wss11-sts-issued-token-with-certificates> Element
Attribute | Description |
---|---|
trust-version | WS-Trust version. |
require-client-entropy | If a symmetric proof key is required by the web service's security policy, this flag specifies whether the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The web service policy can indicate whether client entropy, STS entropy, or both are required. |
require-server-entropy | If a symmetric proof key is required by the web service's security policy, this flag specifies whether the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The web service policy can indicate whether client entropy, STS entropy, or both are required. |
require-applies-to | Optional element in the RST. Flag that specifies whether OWSM sends the endpoint address of the web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS. |
C.32.2 Example of orasp:wss11-sts-issued-token-with-certificates Element
```xml
<orasp:wss11-sts-issued-token-with-certificates xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orasp:require-applies-to="true" orasp:require-client-entropy="true" orasp:require-server-entropy="true" orasp:trust-version="13" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.1, issued token">
  <orasp:issued-token orasp:require-external-reference="true" orasp:require-internal-reference="true" orasp:use-derived-keys="false">
    <orasp:request-security-token-template orasp:algorithm-suite="Basic128" orasp:key-type="Symmetric" orasp:token-type="SAML11"/>
  </orasp:issued-token>
  <orasp:x509-token orasp:enc-key-ref-mech="thumbprint" orasp:is-encrypted="false" orasp:is-signed="true" orasp:sign-key-ref-mech="thumbprint"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="true" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
        <orasp:header orasp:namespace="http://www.w3.org/2005/08/addressing"/>
        <orasp:header orasp:namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
        <orasp:header orasp:name="fmw-context" orasp:namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
        <orasp:header orasp:name="fmw-context" orasp:namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11StsIssuedTokenWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.user.csf.key" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.x509.csf.key" orawsp:type="string">
          <orawsp:Value>enc-csf-key</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="on.behalf.of" orawsp:type="boolean">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.on.behalf.of.csf.key" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:name="keystore.recipient.alias" orawsp:type="string">
          <orawsp:Value>orakey</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="keystore.enc.csf.key" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.service.principal.name" orawsp:type="string">
          <orawsp:Value>HOST/localhost@EXAMPLE.COM</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.keytab.location" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="sts.auth.caller.principal.name" orawsp:type="string">
          <orawsp:Value/>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-sts-issued-token-with-certificates>
```
C.33 orasp:wss11-username-with-certificates Element
The <orasp:wss11-username-with-certificates> element enforces message protection (integrity and confidentiality) and authentication for inbound SOAP requests in accordance with the WS-Security 1.1 standard.
It contains the following subelements: <orasp:username-token>, <orasp:x509-token>, <orasp:msg-security>, and <orawsp:bindings>.
C.33.1 Example of orasp:wss11-username-with-certificates Element
```xml
<orasp:wss11-username-with-certificates orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.1 username with certificates">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:x509-token orasp:enc-key-ref-mech="direct" orasp:is-encrypted="false" orasp:is-signed="true" orasp:rcpt-enc-key-ref-mech="direct" orasp:rcpt-sign-key-ref-mech="direct" orasp:sign-key-ref-mech="direct"/>
  <orasp:msg-security orasp:algorithm-suite="Basic128" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true">
    <orasp:request>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:request>
    <orasp:response>
      <orasp:signed-parts>
        <orasp:body/>
      </orasp:signed-parts>
      <orasp:encrypted-parts>
        <orasp:body/>
      </orasp:encrypted-parts>
    </orasp:response>
    <orasp:fault/>
  </orasp:msg-security>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="Wss11UsernameWithCertsConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss11-username-with-certificates>
```
C.34 orasp:wss-saml-token-bearer-over-ssl Element
The <orasp:wss-saml-token-bearer-over-ssl> element authenticates users using credentials provided in SAML tokens with confirmation method 'Bearer' in the WS-Security SOAP header.
It contains the following subelements: <orasp:saml-token>, <orasp:require-tls>, and <orawsp:bindings>.
C.34.1 Example of orasp:wss-saml-token-bearer-over-ssl Element
```xml
<orasp:wss-saml-token-bearer-over-ssl orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WSSecurity Saml Token With Confirmation method Bearer Over SSL">
  <orasp:saml-token orasp:confirmation-type="bearer" orasp:is-encrypted="false" orasp:is-signed="false" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssSamlTokenBearerOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-bearer-over-ssl>
```
C.35 orasp:wss-saml-token-over-ssl Element
The <orasp:wss-saml-token-over-ssl> element enforces the authentication of credentials provided via a SAML token within the WS-Security SOAP header, using the sender-vouches confirmation type.
It contains the following subelements: <orasp:saml-token>, <orasp:require-tls>, and <orawsp:bindings>.
C.35.1 Example of orasp:wss-saml-token-over-ssl Element
```xml
<orasp:wss-saml-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WSSecurity SAML Token Over SSL">
  <orasp:saml-token orasp:confirmation-type="sender-vouches" orasp:is-encrypted="false" orasp:is-signed="true" orasp:version="1.1"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="true"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssSamlTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="optional" orawsp:name="saml.issuer.name" orawsp:type="string">
          <orawsp:Value>www.oracle.com</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="user.roles.include" orawsp:type="string">
          <orawsp:Value>false</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-saml-token-over-ssl>
```
C.36 orasp:wss-sts-issued-token-over-ssl Element
The <orasp:wss-sts-issued-token-over-ssl> element enforces authentication of a SAML assertion issued by a trusted STS. Messages are protected using SSL.
It contains the following subelements: <orasp:issued-token>, <orasp:require-tls>, and <orawsp:bindings>.
C.36.1 orasp:wss-sts-issued-token-over-ssl Element Attributes
The following table summarizes the attributes of the <orasp:wss-sts-issued-token-over-ssl> element.
Table C-10 Attributes of <orasp:wss-sts-issued-token-over-ssl> Element
Attribute | Description |
---|---|
trust-version | WS-Trust version. |
require-client-entropy | If a symmetric proof key is required by the web service's security policy, this flag specifies whether the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The web service policy can indicate whether client entropy, STS entropy, or both are required. |
require-server-entropy | If a symmetric proof key is required by the web service's security policy, this flag specifies whether the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The web service policy can indicate whether client entropy, STS entropy, or both are required. |
require-applies-to | Optional element in the RST. Flag that specifies whether OWSM sends the endpoint address of the web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS. |
C.36.2 Example of orasp:wss-sts-issued-token-over-ssl Element
```xml
<orasp:wss-sts-issued-token-over-ssl xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" orasp:require-applies-to="true" orasp:require-client-entropy="true" orasp:require-server-entropy="true" orasp:trust-version="13" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WS-Security 1.1, issued token over ssl">
  <orasp:issued-token orasp:require-external-reference="true" orasp:require-internal-reference="true" orasp:use-derived-keys="false">
    <orasp:request-security-token-template orasp:key-type="Bearer" orasp:token-type="SAML11"/>
  </orasp:issued-token>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssStsIssuedTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-sts-issued-token-over-ssl>
```
C.37 orasp:wss-username-token Element
The <orasp:wss-username-token> element enforces authentication with username and password credentials in the WS-Security UsernameToken SOAP header.
It contains the following subelements: <orasp:username-token> and <orawsp:bindings>.
C.37.1 Example of orasp:wss-username-token Element
```xml
<orasp:wss-username-token orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication" orawsp:name="WSSecurity UserName Token">
  <orasp:username-token orasp:add-created="false" orasp:add-nonce="false" orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssUsernameTokenConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token>
```
C.38 orasp:wss-username-token-over-ssl Element
The <orasp:wss-username-token-over-ssl> element uses the credentials in the UsernameToken WS-Security SOAP header to authenticate users against the Oracle Platform Security Services configured identity store.
It contains the following subelements: <orasp:username-token>, <orasp:require-tls>, and <orawsp:bindings>.
C.38.1 Example of orasp:wss-username-token-over-ssl Element
```xml
<orasp:wss-username-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="security/authentication, security/msg-protection" orawsp:name="WSSecurity UserName Token Over SSL">
  <orasp:username-token orasp:add-created="true" orasp:add-nonce="true" orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="WssUsernameTokenOverSSLConfig">
      <orawsp:PropertySet orawsp:name="standard-security-properties">
        <orawsp:Property orawsp:contentType="constant" orawsp:name="role" orawsp:type="string">
          <orawsp:Value>ultimateReceiver</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</orasp:wss-username-token-over-ssl>
```
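As an added example (not Oracle's code and not part of this reference), the following Python script parses assertions written in the orasp/orawsp format used throughout this appendix and reports the settings a reviewer would check first: a plaintext password-type username token with neither <orasp:require-tls> nor <orasp:msg-security> in the same assertion (C.37 versus C.38), a username token without nonce and created timestamps, a bearer SAML token without TLS (C.34), and an <orasp:msg-security> block whose request or response body is not both signed and encrypted (the structure in C.28 through C.33). The namespace URIs are those from the wsp:Policy example at the start of this appendix; the sample policy is constructed, its <orawsp:bindings> are omitted, and its third assertion is a deliberately weakened variant.

```python
"""Added example (not Oracle's code): review OWSM security assertions for weak settings."""
import xml.etree.ElementTree as ET

# Namespace URIs as declared on the wsp:Policy element in this appendix.
ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"


def q(ns, local):
    """Clark-notation name ({uri}local) for ElementTree lookups."""
    return "{%s}%s" % (ns, local)


def sp(el, local):
    """Read an orasp:-qualified attribute, as the examples write them."""
    return el.get(q(ORASP, local))


def lint_assertion(assertion):
    """Return a list of finding codes for one assertion element."""
    findings = []
    tls = assertion.find(q(ORASP, "require-tls"))
    msg = assertion.find(q(ORASP, "msg-security"))
    ut = assertion.find(q(ORASP, "username-token"))
    saml = assertion.find(q(ORASP, "saml-token"))

    if ut is not None:
        # A plaintext password needs TLS or message-level encryption. The
        # protection may be supplied by another assertion in the same policy,
        # so this is a review item, not a definite defect.
        if sp(ut, "password-type") == "plaintext" and tls is None and msg is None:
            findings.append("plaintext-password-without-protection")
        # Without nonce and created, a captured UsernameToken can be replayed.
        if sp(ut, "add-nonce") != "true" or sp(ut, "add-created") != "true":
            findings.append("username-token-no-replay-protection")

    # A bearer SAML token is only as safe as the channel carrying it.
    if saml is not None and sp(saml, "confirmation-type") == "bearer" and tls is None:
        findings.append("bearer-saml-without-tls")

    if tls is not None and sp(tls, "include-timestamp") != "true":
        findings.append("tls-no-timestamp")

    if msg is not None:
        if sp(msg, "include-timestamp") != "true":
            findings.append("msg-security-no-timestamp")
        # Both request and response should sign and encrypt the body.
        for direction in ("request", "response"):
            d = msg.find(q(ORASP, direction))
            if d is None:
                continue
            for parts, verb in (("signed-parts", "signed"), ("encrypted-parts", "encrypted")):
                p = d.find(q(ORASP, parts))
                if p is None or p.find(q(ORASP, "body")) is None:
                    findings.append("%s-body-not-%s" % (direction, verb))
    return findings


def lint_policy(xml_text):
    """Map each top-level assertion's orawsp:name to its findings."""
    root = ET.fromstring(xml_text)
    return {child.get(q(ORAWSP, "name"), child.tag): lint_assertion(child) for child in root}


# Constructed sample: the first two assertions follow C.37 and C.38 (bindings
# omitted); the third is a constructed bearer-token assertion without require-tls.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
    xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy">
  <orasp:wss-username-token orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/authentication" orawsp:name="WSSecurity UserName Token">
    <orasp:username-token orasp:add-created="false" orasp:add-nonce="false"
        orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
  </orasp:wss-username-token>
  <orasp:wss-username-token-over-ssl orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/authentication, security/msg-protection"
      orawsp:name="WSSecurity UserName Token Over SSL">
    <orasp:username-token orasp:add-created="true" orasp:add-nonce="true"
        orasp:is-encrypted="true" orasp:is-signed="true" orasp:password-type="plaintext"/>
    <orasp:require-tls orasp:include-timestamp="true" orasp:mutual-auth="false"/>
  </orasp:wss-username-token-over-ssl>
  <orasp:wss-saml-token-bearer-over-ssl orawsp:Enforced="true" orawsp:Silent="false"
      orawsp:category="security/authentication" orawsp:name="constructed: bearer without TLS">
    <orasp:saml-token orasp:confirmation-type="bearer" orasp:is-encrypted="false"
        orasp:is-signed="false" orasp:version="1.1"/>
  </orasp:wss-saml-token-bearer-over-ssl>
</wsp:Policy>
"""

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_POLICY).items():
        print("%s -> %s" % (name, ", ".join(findings) or "ok"))
```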
C.39 rm:RMAssertion Element
The <rm:RMAssertion> element provides support for version 1.0 and version 1.1 of the Web Services Reliable Messaging protocol. The version supported depends on the XML schema namespace value used:
- WS-ReliableMessaging 1.1: http://docs.oasis-open.org/ws-rx/wsrmp/200702
- WS-ReliableMessaging 1.0: http://schemas.xmlsoap.org/ws/2005/02/rm/policy
This policy can be attached to any SOAP-based client or endpoint. Full support for this feature may require additional programming.
The <rm:RMAssertion> element contains the following subelement: <orawsp:bindings>.
C.39.1 Example of rm:RMAssertion Element
```xml
<rm:RMAssertion xmlns:rm="http://schemas.xmlsoap.org/ws/2005/02/rm/policy" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="wsrm" orawsp:description="i18n:oracle.wsm.resources.policydescription.PolicyDescriptionBundle_oracle/wsrm10_policy_RMAssertion_AssertionDescKey" orawsp:name="RM 1.0">
  <wsp:Policy/>
  <orawsp:bindings>
    <orawsp:Config orawsp:name="RMConfig">
      <orawsp:PropertySet orawsp:name="standard-wsrm-properties">
        <orawsp:Property orawsp:name="DeliveryAssurance" orawsp:type="string">
          <orawsp:Description>Delivery Assurance. Possible values (case-insensitive) are InOrder, AtLeastOnce, AtLeastOnceInOrder, ExactlyOnce, ExactlyOnceInOrder, AtMostOnce, AtMostOnceInOrder.</orawsp:Description>
          <orawsp:Value>inorder</orawsp:Value>
          <orawsp:DefaultValue>inorder</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreType" orawsp:type="string">
          <orawsp:Description>The type of message store used. Possible values (case-insensitive) are InMemory, JDBC.</orawsp:Description>
          <orawsp:Value>inmemory</orawsp:Value>
          <orawsp:DefaultValue>inmemory</orawsp:DefaultValue>
        </orawsp:Property>
        <orawsp:Property orawsp:name="StoreName" orawsp:type="string">
          <orawsp:Description>The name of the message store.</orawsp:Description>
          <orawsp:Value>oracle</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:contentType="optional" orawsp:name="jdbc-connection-name" orawsp:type="string">
          <orawsp:Description>The JNDI reference to a JDBC data source, when the store type is JDBC.</orawsp:Description>
          <orawsp:Value>jdbc/MessagesStore</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="InactivityTimeout" orawsp:type="int">
          <orawsp:Description>The inactivity timeout duration, specified in milliseconds.</orawsp:Description>
          <orawsp:Value>600000</orawsp:Value>
        </orawsp:Property>
        <orawsp:Property orawsp:name="BaseRetransmissionInterval" orawsp:type="int">
          <orawsp:Description>The base retransmission interval, specified in milliseconds.</orawsp:Description>
          <orawsp:Value>3000</orawsp:Value>
        </orawsp:Property>
      </orawsp:PropertySet>
    </orawsp:Config>
  </orawsp:bindings>
</rm:RMAssertion>
```
C.40 wsaw:UsingAddressing Element
The <wsaw:UsingAddressing> element causes the platform to check inbound messages for the presence of WS-Addressing headers conforming to the W3C 2005 Final WS-Addressing Policy standard. In addition, it causes the platform to include a WS-Addressing header in outbound SOAP messages.
The <wsaw:UsingAddressing> element contains the following subelement: <orawsp:bindings>.
C.40.1 Example of wsaw:UsingAddressing Element
```xml
<wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="addressing" orawsp:name="WS-Addressing 2005">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsaw:UsingAddressing>
```
C.41 wsoma:OptimizedMimeSerialization Element
The <wsoma:OptimizedMimeSerialization> element rejects inbound messages that are not in MTOM format and verifies that outbound messages are in MTOM format.
MTOM refers to the specifications http://www.w3.org/TR/2005/REC-soap12-mtom-20050125 and http://www.w3.org/Submission/2006/SUBM-soap11mtom10-20060405 for SOAP 1.2 and SOAP 1.1 bindings, respectively.
The <wsoma:OptimizedMimeSerialization> element contains the following subelement: <orawsp:bindings>.
C.41.1 Example of wsoma:OptimizedMimeSerialization Element
```xml
<wsoma:OptimizedMimeSerialization xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization" orawsp:Enforced="true" orawsp:Silent="false" orawsp:category="mtom" orawsp:name="MTOM">
  <orawsp:bindings>
    <orawsp:Config orawsp:name="added-from-em"/>
  </orawsp:bindings>
</wsoma:OptimizedMimeSerialization>
```
C.42 oralgp:fault Element
The <oralgp:fault> element configures logging for the fault message. Valid values include:
- all—Log the entire SOAP message.
- header—Log SOAP header information only.
- soap_body—Log SOAP body information only.
- soap_envelope—Log SOAP envelope information only.
C.43 oralgp:request Element
The <oralgp:request> element configures logging for the request message. Valid values include:
- all—Log the entire SOAP message.
- header—Log SOAP header information only.
- soap_body—Log SOAP body information only.
- soap_envelope—Log SOAP envelope information only.
C.44 oralgp:response Element
The <oralgp:response> element configures logging for the response message. Valid values include:
- all—Log the entire SOAP message.
- header—Log SOAP header information only.
- soap_body—Log SOAP body information only.
- soap_envelope—Log SOAP envelope information only.
C.45 oralgp:msg-log Element
The <oralgp:msg-log> element configures logging for the request, response, and fault messages. The <oralgp:msg-log> element contains the following subelements: <oralgp:request>, <oralgp:response>, and <oralgp:fault>.
C.46 orasp:attachment Element
The <orasp:attachment> element defines the attachment information.
C.46.1 orasp:attachment Element Attributes
The following table summarizes the attributes of the <orasp:attachment> element.
Table C-11 Attributes of <orasp:attachment> Element
Attribute | Description |
---|---|
include-mime-headers | Flag that specifies whether or not to include MIME headers. Valid values include true or false. |
C.47 orasp:auth-header Element
The <orasp:auth-header> element specifies the name of the authentication header.
C.47.1 orasp:auth-header Element Attributes
The following table summarizes the attribute of the <orasp:auth-header> element.
Table C-12 Attributes of <orasp:auth-header> Element
Attribute | Description |
---|---|
mechanism | Authentication mechanism. Valid values include: |
C.48 orasp:body Element
The <orasp:body> element defines the message body elements that are signed and encrypted. To include the entire body, specify the body element as follows: <orasp:body/>.
C.49 orasp:check-permission Element
The <orasp:check-permission> element specifies that permissions are to be checked.
C.50 orasp:coreid-token Element
The <orasp:coreid-token> element defines the OAM token.
C.50.1 orasp:coreid-token Element Attributes
The following table summarizes the attributes of the <orasp:coreid-token> element.
Table C-13 Attributes of <orasp:coreid-token> Element
Attribute | Description |
---|---|
is-encrypted | Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed | Flag that specifies whether the assertion is signed. Valid values include true or false. |
C.51 orasp:denyAll Element
The <orasp:denyAll> element denies all users with any roles.
C.51.1 Example of orasp:denyAll Element
```xml
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/authorization" orawsp:name="J2EE services Authorization">
  <orasp:denyAll/>
  <orawsp:bindings>
    <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/>
  </orawsp:bindings>
  <orawsp:guard/>
</orasp:binding-authorization>
```
C.52 orasp:element Element
The <orasp:element> element defines a header or body element that is signed or encrypted.
C.52.1 orasp:element Element Attributes
The following table summarizes the attributes of the <orasp:element> element.
Table C-14 Attributes of <orasp:element> Element
Attribute | Description |
---|---|
name |
Name of the header or body element. |
namespace |
Namespace. |
C.53 orasp:encrypted-elements Element
The <orasp:encrypted-elements> element defines the message body elements that are encrypted. This element is valid only if <orasp:encrypted-parts> is not set to <orasp:body/>.
The <orasp:encrypted-elements> element contains the following subelement:
C.54 orasp:encrypted-parts Element
The <orasp:encrypted-parts> element defines the message parts that are encrypted.
The <orasp:encrypted-parts> element contains one or more of the following subelements:
C.55 orasp:fault Element
The <orasp:fault> element defines the message body elements that are signed and encrypted in the fault message. The <orasp:fault> element contains the following subelements:
C.56 orasp:header Element
The <orasp:header> element defines a header element.
C.56.1 orasp:header Element Attributes
The following table summarizes the attributes of the <orasp:header> element.
Table C-15 Attributes of <orasp:header> Element
Attribute | Description |
---|---|
name |
Name of the header element. The default header elements in the predefined namespace include: To, From, FaultTo, ReplyTo, MessageID, RelatesTo, and Action. |
namespace |
Namespace. The predefined namespace is as follows: http://www.w3.org/2005/08/addressing. |
C.57 orasp:issued-token Element
The <orasp:issued-token> element enforces token characteristics.
C.57.1 orasp:issued-token Element Attributes
The following table summarizes the attributes of the <orasp:issued-token> element.
Table C-16 Attributes of <orasp:issued-token> Element
Attribute | Description |
---|---|
use-derived-keys |
Flag that specifies whether derived keys are required. Possible values are True and False. |
require-internal-reference |
Flag that specifies whether internal reference to the token is required. Possible values are True and False. |
require-external-reference |
Flag that specifies whether external reference to the token is required. Possible values are True and False. |
C.58 orasp:kerberos-token Element
The <orasp:kerberos-token> element defines the kerberos token.
C.58.1 orasp:kerberos-token Element Attributes
The following table summarizes the attributes of the <orasp:kerberos-token> element.
Table C-17 Attributes of <orasp:kerberos-token> Element
Attribute | Description |
---|---|
is-encrypted |
Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed |
Flag that specifies whether the assertion is signed. Valid values include true or false. |
type |
Type of Kerberos token. The only valid value is gss-apreq-v5 (Kerberos Version 5 GSS-API). |
use-derived-keys |
Flag that specifies whether derived keys are required. Valid values are true or false. |
C.59 orasp:msg-security Element
The <orasp:msg-security> element defines message security for the policy. You define the body elements that are signed and encrypted for the request, response, and fault.
The <orasp:msg-security> element contains the following subelements:
C.59.1 orasp:msg-security Element Attributes
The following table summarizes the attributes of the <orasp:msg-security> element.
Table C-18 Attributes of <orasp:msg-security> Element
Attribute | Description |
---|---|
algorithm-suite |
Defines the algorithm suite that is used for message protection. For example, Basic128. For more information, see "Supported Algorithm Suites". |
confirm-signature |
Flag that specifies whether to send a signature confirmation back to the client. Valid values include true or false. |
encrypt-signature |
Flag that specifies whether the signature is encrypted. Valid values include true or false. |
include-timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. |
sign-then-encrypt |
Flag that specifies whether the message is signed before it is encrypted. Valid values include true or false. |
use-derived-keys |
Flag that specifies whether to use derived keys. |
C.59.2 Example of orasp:msg-security Element
<orasp:msg-security orasp:algorithm-suite="Basic128" orasp:confirm-signature="false" orasp:encrypt-signature="false" orasp:include-timestamp="true" orasp:sign-then-encrypt="true" orasp:use-derived-keys="false"> <orasp:request> <orasp:signed-parts> <orasp:body/> </orasp:signed-parts> <orasp:encrypted-parts> <orasp:body/> </orasp:encrypted-parts> </orasp:request> <orasp:response> <orasp:signed-parts> <orasp:body/> </orasp:signed-parts> <orasp:encrypted-parts> <orasp:body/> </orasp:encrypted-parts> </orasp:response> <orasp:fault/> </orasp:msg-security>
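The example above carries the settings a reviewer checks first: include-timestamp, sign-then-encrypt, and whether <orasp:body/> appears under both <orasp:signed-parts> and <orasp:encrypted-parts> for the request and the response. The following Python is an added example, not Oracle's code and not part of this reference: it parses one <orasp:msg-security> assertion with the standard library and returns a list of findings. The orasp namespace URI is the one declared on wsp:Policy at the start of this appendix. Both sample assertions are constructed here: the first copies the example above (with an xmlns declaration added so it parses on its own), the second switches the timestamp off and leaves the response body unencrypted. Which settings count as findings is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Namespace of the orasp: assertions, as declared on wsp:Policy in this appendix.
ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
NS = {"orasp": ORASP}

# Constructed sample 1: the msg-security example from this section, with an
# xmlns:orasp declaration added so that it parses stand-alone.
SAMPLE_OK = """<orasp:msg-security xmlns:orasp="%s"
    orasp:algorithm-suite="Basic128" orasp:confirm-signature="false"
    orasp:encrypt-signature="false" orasp:include-timestamp="true"
    orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
  <orasp:request>
    <orasp:signed-parts><orasp:body/></orasp:signed-parts>
    <orasp:encrypted-parts><orasp:body/></orasp:encrypted-parts>
  </orasp:request>
  <orasp:response>
    <orasp:signed-parts><orasp:body/></orasp:signed-parts>
    <orasp:encrypted-parts><orasp:body/></orasp:encrypted-parts>
  </orasp:response>
  <orasp:fault/>
</orasp:msg-security>""" % ORASP

# Constructed sample 2: deliberately weakened. No timestamp, and the response
# body is signed but not encrypted.
SAMPLE_WEAK = """<orasp:msg-security xmlns:orasp="%s"
    orasp:algorithm-suite="Basic128" orasp:confirm-signature="false"
    orasp:encrypt-signature="false" orasp:include-timestamp="false"
    orasp:sign-then-encrypt="true" orasp:use-derived-keys="false">
  <orasp:request>
    <orasp:signed-parts><orasp:body/></orasp:signed-parts>
    <orasp:encrypted-parts><orasp:body/></orasp:encrypted-parts>
  </orasp:request>
  <orasp:response>
    <orasp:signed-parts><orasp:body/></orasp:signed-parts>
  </orasp:response>
  <orasp:fault/>
</orasp:msg-security>""" % ORASP


def attr(elem, name):
    """Read an orasp:-qualified attribute; ElementTree keys it as {uri}name."""
    return elem.get("{%s}%s" % (ORASP, name))


def body_protected(msg, parts):
    """True if <orasp:PARTS> under msg covers the whole body via <orasp:body/>."""
    return msg.find("orasp:%s/orasp:body" % parts, NS) is not None


def check_msg_security(xml_text):
    """Return findings (strings) for one <orasp:msg-security> assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}msg-security" % ORASP:
        raise ValueError("not an orasp:msg-security assertion")
    findings = []
    if attr(root, "include-timestamp") != "true":
        findings.append("include-timestamp is not true: no expiry window to reject replayed messages")
    if attr(root, "sign-then-encrypt") != "true":
        findings.append("sign-then-encrypt is not true: message is encrypted before it is signed")
    for direction in ("request", "response"):
        msg = root.find("orasp:" + direction, NS)
        if msg is None:
            findings.append("%s: no signed-parts or encrypted-parts defined" % direction)
            continue
        for parts, what in (("signed-parts", "signed"), ("encrypted-parts", "encrypted")):
            if not body_protected(msg, parts):
                findings.append("%s: body is not %s" % (direction, what))
    return findings


if __name__ == "__main__":
    for label, sample in (("page example", SAMPLE_OK), ("weakened", SAMPLE_WEAK)):
        print(label, check_msg_security(sample) or "no findings")
```

The check only recognises whole-body protection (<orasp:body/>); a policy that lists individual elements under <orasp:signed-elements> or <orasp:encrypted-elements> instead would need those subelements inspected as well.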
C.60 orasp:permitAll Element
The <orasp:permitAll> element permits all users with any roles.
C.60.1 Example of orasp:permitAll Element
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/authorization" orawsp:name="J2EE services Authorization"> <orasp:permitAll/> <orawsp:bindings> <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/> </orawsp:bindings> </orasp:binding-authorization>
C.61 orasp:request Element
The <orasp:request> element defines the message body elements that are signed and encrypted in the request message. The <orasp:request> element contains the following subelements:
C.62 orasp:require-tls Element
The <orasp:require-tls> element specifies that the transport must be protected by SSL/TLS; its mutual-auth attribute specifies whether two-way (mutual) authentication is required.
C.62.1 orasp:require-tls Element Attributes
The following table summarizes the attributes of the <orasp:require-tls> element.
Table C-19 Attributes of <orasp:require-tls> Element
Attribute | Description |
---|---|
include-timestamp |
Flag that specifies whether to include a timestamp. A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid. Note: This flag is not valid for RESTful web service and client endpoints. |
mutual-auth |
Flag that specifies whether two-way authentication is required. Valid values include true or false. |
C.63 orasp:response Element
The <orasp:response> element defines the message body elements that are signed and encrypted in the response message. The <orasp:response> element contains the following subelements:
C.64 orasp:role Element
The <orasp:role> element defines the roles that are permitted access.
C.64.1 orasp:role Element Attribute
The following table summarizes the attribute of the <orasp:role> element.
Table C-20 Attributes of <orasp:role> Element
Attribute | Description |
---|---|
name |
Name of the role. Valid roles include:
|
C.64.2 Example of orasp:role Element
<orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true" orawsp:category="security/authorization" orawsp:description="" orawsp:name="J2EE services Authorization"> <orasp:role orasp:name="Monitors"/> <orasp:role orasp:name="AdminChannelUsers"/> <orawsp:bindings> <orawsp:Config orawsp:configType="declarative" orawsp:name="AuthzConfig"/> </orawsp:bindings> </orasp:binding-authorization>
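The three authorization examples in this section (denyAll, permitAll, and a role list) are what an audit of a policy store needs to tell apart. The following Python is an added example, not Oracle's code and not part of this reference: it walks every <orasp:binding-authorization> in a policy document and reports its mode, its roles, and a finding where the assertion authorizes everyone or is not enforced. The orasp and orawsp namespace URIs are the ones declared on wsp:Policy at the start of this appendix; the sample policy is constructed here from the three examples above, and reading orawsp:Enforced="false" as "assertion not applied" is an assumption taken from the attribute name.

```python
import xml.etree.ElementTree as ET

ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"
ORAWSP = "http://schemas.oracle.com/ws/2006/01/policy"
NS = {"orasp": ORASP, "orawsp": ORAWSP}

# Constructed policy: three binding-authorization assertions modelled on the
# role, permitAll and denyAll examples in this section, under one wsp:Policy.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:orasp="%s" xmlns:orawsp="%s">
  <orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true"
      orawsp:category="security/authorization" orawsp:name="admin-only">
    <orasp:role orasp:name="Monitors"/>
    <orasp:role orasp:name="AdminChannelUsers"/>
  </orasp:binding-authorization>
  <orasp:binding-authorization orawsp:Enforced="true" orawsp:Silent="true"
      orawsp:category="security/authorization" orawsp:name="open">
    <orasp:permitAll/>
  </orasp:binding-authorization>
  <orasp:binding-authorization orawsp:Enforced="false" orawsp:Silent="true"
      orawsp:category="security/authorization" orawsp:name="closed">
    <orasp:denyAll/>
  </orasp:binding-authorization>
</wsp:Policy>""" % (ORASP, ORAWSP)


def summarize_authorization(xml_text):
    """One dict per <orasp:binding-authorization>: name, enforced, mode, roles, finding."""
    root = ET.fromstring(xml_text)
    summary = []
    for bz in root.iter("{%s}binding-authorization" % ORASP):
        name = bz.get("{%s}name" % ORAWSP)
        # Assumption: Enforced="false" means the assertion is present but not applied.
        enforced = bz.get("{%s}Enforced" % ORAWSP) == "true"
        roles = [r.get("{%s}name" % ORASP) for r in bz.findall("orasp:role", NS)]
        if bz.find("orasp:permitAll", NS) is not None:
            mode = "permitAll"
        elif bz.find("orasp:denyAll", NS) is not None:
            mode = "denyAll"
        elif roles:
            mode = "roles"
        else:
            mode = "empty"
        finding = None
        if not enforced:
            finding = "Enforced=false: assertion is not applied"
        elif mode == "permitAll":
            finding = "permitAll: all users with any roles are permitted"
        elif mode == "empty":
            finding = "no role, permitAll or denyAll: nothing to authorize against"
        summary.append({"name": name, "enforced": enforced, "mode": mode,
                        "roles": roles, "finding": finding})
    return summary


if __name__ == "__main__":
    for entry in summarize_authorization(SAMPLE_POLICY):
        print(entry)
```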
C.65 orasp:saml-token Element
The <orasp:saml-token> element configures the SAML token.
C.65.1 orasp:saml-token Element Attributes
The following table summarizes the attributes of the <orasp:saml-token> element.
Table C-21 Attributes of <orasp:saml-token> Element
Attribute | Description |
---|---|
confirmation-type |
Confirmation type. Valid values include: sender-vouches and holder-of-key. |
is-encrypted |
Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed |
Flag that specifies whether the assertion is signed. Valid values include true or false. |
version |
SAML version. Valid values include: 1.1 and 2.0. |
C.66 orasp:signed-elements Element
The <orasp:signed-elements> element defines the message body elements that are signed. This element is valid only if <orasp:signed-parts> is not set to <orasp:body/>.
The <orasp:signed-elements> element contains the following subelement:
C.67 orasp:signed-parts Element
The <orasp:signed-parts> element defines the message parts that are signed.
The <orasp:signed-parts> element contains one or more of the following subelements:
C.68 orasp:username-token Element
The <orasp:username-token> element configures the username token.
C.68.1 orasp:username-token Element Attributes
The following table summarizes the attributes of the <orasp:username-token> element.
Table C-22 Attributes of <orasp:username-token> Element
Attribute | Description |
---|---|
add-created |
Flag that specifies whether a time stamp for the creation of the username token is required. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate. |
add-nonce |
Flag that specifies whether a nonce must be included with the username to prevent replay attacks. Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate. |
is-encrypted |
Flag that specifies whether the username is encrypted. Valid values include true or false. |
is-signed |
Flag that specifies whether the username is signed. Valid values include true or false. |
password-type |
Type of password required. Valid values are:
|
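The two notes in the table above describe a consistency rule rather than a preference: with password-type set to digest, add-created and add-nonce must both be true or the policy does not validate. The following Python is an added example, not Oracle's code and not part of this reference: it checks one <orasp:username-token> assertion against that rule and, for a non-digest token, flags a token that is neither encrypted nor protected against replay. The orasp namespace URI is the one declared on wsp:Policy at the start of this appendix; the three sample tokens are constructed here, "digest" is the password type named in the table, and "plaintext" is assumed as the name of the non-digest type.

```python
import xml.etree.ElementTree as ET

ORASP = "http://schemas.oracle.com/ws/2006/01/securitypolicy"


def attr(elem, name):
    """Read an orasp:-qualified attribute; ElementTree keys it as {uri}name."""
    return elem.get("{%s}%s" % (ORASP, name))


def username_token(**attrs):
    """Build a constructed <orasp:username-token/> from keyword attributes."""
    pairs = " ".join('orasp:%s="%s"' % (k.replace("_", "-"), v) for k, v in attrs.items())
    return '<orasp:username-token xmlns:orasp="%s" %s/>' % (ORASP, pairs)


# Constructed samples. "plaintext" as a password-type value is an assumption.
DIGEST_OK = username_token(add_created="true", add_nonce="true",
                           is_encrypted="true", is_signed="true", password_type="digest")
DIGEST_NO_NONCE = username_token(add_created="true", add_nonce="false",
                                 is_encrypted="true", is_signed="true", password_type="digest")
PLAIN_UNENCRYPTED = username_token(add_created="false", add_nonce="false",
                                   is_encrypted="false", is_signed="true", password_type="plaintext")


def check_username_token(xml_text):
    """Return findings (strings) for one <orasp:username-token> assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}username-token" % ORASP:
        raise ValueError("not an orasp:username-token assertion")
    findings = []
    ptype = attr(root, "password-type")
    if ptype == "digest":
        # Table C-22: digest requires both add-created and add-nonce to be true.
        for flag in ("add-created", "add-nonce"):
            if attr(root, flag) != "true":
                findings.append("password-type=digest but %s is not true: policy will not validate" % flag)
    else:
        # A non-digest token carries the password itself, so it needs message-level
        # encryption (or a require-tls assertion on the transport) and a nonce.
        if attr(root, "is-encrypted") != "true":
            findings.append("password-type=%s with is-encrypted=false: password is sent in the clear unless TLS is required" % ptype)
        if attr(root, "add-nonce") != "true":
            findings.append("add-nonce is not true: token can be replayed")
    return findings


if __name__ == "__main__":
    for label, sample in (("digest ok", DIGEST_OK), ("digest no nonce", DIGEST_NO_NONCE),
                          ("plaintext unencrypted", PLAIN_UNENCRYPTED)):
        print(label, check_username_token(sample) or "no findings")
```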
C.69 orasp:x509-token Element
The <orasp:x509-token> element defines the X.509 digital certificate token.
C.69.1 orasp:x509-token Element Attributes
The following table summarizes the attributes of the <orasp:x509-token> element.
Table C-23 Attributes of <orasp:x509-token> Element
Attribute | Description |
---|---|
sign-key-ref-mech |
Mechanism used when signing the request. Valid values include:
|
enc-key-ref-mech |
Mechanism used when encrypting the request. Valid values are the same as for Sign Key Reference Mechanism above. |
rcpt-sign-key-ref-mech |
Mechanism used when signing the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
rcpt-enc-key-ref-mech |
Mechanism used when encrypting the receipt. Valid values are the same as for Sign Key Reference Mechanism above. |
is-encrypted |
Flag that specifies whether the assertion is encrypted. Valid values include true or false. |
is-signed |
Flag that specifies whether the assertion is signed. Valid values include true or false. |
use-pkipath |
Flag that specifies whether X509PKIPathV1 tokens should be processed and propagated. Valid values include true or false. |