Set the tokenRequest binding option to the value issueByWSCredential in the bindings.xml file. Using this method, the self-issued SAML token is always based on the WSCredential, even if there is a SAML token in the subject.

The new SAML 1.1 token contains the following assertions:
- The NameIdentifier element contains the SecurityName value from WSCredential, with the NameQualifier attribute set to the realm name from WSCredential. The SecurityName is obtained by calling the WSCredential.getSecurityName() method. The realm name is obtained by calling the WSCredential.getRealmName() method.
- All attributes have an AttributeNamespace set to com.ibm.websphere.security.cred.WSCredential as the value.
- The GroupIds attribute contains all group names that the user belongs to. The group names are obtained by calling the WSCredential.getGroupIds() method.
- The UniqueSecurityName attribute contains the unique security name, which is obtained by calling the WSCredential.getUniqueSecurityName() method.
- Optionally, you can assert the realm name from WSCredential by adding the includeRealmName=true custom property in the callback handler.
The new SAML 2.0 token contains the following assertions:
- The NameID element contains the SecurityName value from WSCredential, with the NameQualifier attribute set to the realm name from WSCredential. The SecurityName is obtained by calling the WSCredential.getSecurityName() method. The realm name is obtained by calling the WSCredential.getRealmName() method.
- All attributes have a NameFormat set to com.ibm.websphere.security.cred.WSCredential as the value.
- The GroupIds attribute contains all group names that the user belongs to. The group names are obtained by calling the WSCredential.getGroupIds() method.
- The UniqueSecurityName attribute contains the unique security name, which is obtained by calling the WSCredential.getUniqueSecurityName() method.
- Optionally, you can assert the realm name from WSCredential by adding the includeRealmName=true custom property in the callback handler.
The following limitation applies to the bindings.xml file when you use the propagation method:
- Do not set the stsURI binding option in the bindings.xml file.
Perform these steps to set the correct value for the tokenRequest binding option. This procedure assumes that a Web services client application named JaxWSServicesSamples is deployed, and that the Saml Bearer Client sample binding is attached.
- Click Applications > Application types > WebSphere enterprise Applications > JaxWSServicesSamples > Service client policy sets and bindings > Saml Bearer Client sample > WS-Security > Authentication and protection.
- Click gen_saml11token in the Authentication tokens table.
- Click Callback handler.
- Add the tokenRequest custom property and set the property value to issueByWSCredential.
The following example illustrates the NameIdentifier and Attribute statement from a self-issued SAML 1.1 assertion based on WSCredential.

<saml:AttributeStatement>
  <saml:Subject>
    <saml:NameIdentifier NameQualifier="ldap.acme.com:9080">uid=alice,dc=acme,dc=com</saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Attribute AttributeName="UniqueSecurityName" AttributeNamespace="com.ibm.websphere.security.cred.WSCredential">
    <saml:AttributeValue>uid=alice,dc=acme,dc=com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="GroupIds" AttributeNamespace="com.ibm.websphere.security.cred.WSCredential">
    <saml:AttributeValue>cn=development,dc=acme,dc=com</saml:AttributeValue>
    <saml:AttributeValue>cn=deployment,dc=acme,dc=com</saml:AttributeValue>
    <saml:AttributeValue>cn=test,dc=acme,dc=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
The following example illustrates the NameID and Attribute statement from a self-issued SAML 2.0 assertion based on WSCredential. In SAML 2.0 the NameID is carried inside the Subject element, a sibling of the AttributeStatement, and attributes are named with the Name attribute (not AttributeName as in SAML 1.1).

<saml2:Subject>
  <saml2:NameID NameQualifier="ldap.acme.com:9060">alice</saml2:NameID>
</saml2:Subject>
<saml2:AttributeStatement>
  <saml2:Attribute Name="UniqueSecurityName"
      NameFormat="com.ibm.websphere.security.cred.WSCredential">
    <saml2:AttributeValue>uid=alice,dc=acme,dc=com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="GroupIds"
      NameFormat="com.ibm.websphere.security.cred.WSCredential">
    <saml2:AttributeValue>cn=development,dc=acme,dc=com</saml2:AttributeValue>
    <saml2:AttributeValue>cn=deployment,dc=acme,dc=com</saml2:AttributeValue>
    <saml2:AttributeValue>cn=test,dc=acme,dc=com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
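The following added example (not WebSphere code) shows how a relying party could consume both token versions described above: it extracts the subject name, the realm from NameQualifier, UniqueSecurityName and GroupIds, and rejects any attribute that does not declare the com.ibm.websphere.security.cred.WSCredential namespace or NameFormat. The sample fragments are constructed from the values on this page; the function name is an assumption.

```python
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
WSCRED_NS = "com.ibm.websphere.security.cred.WSCredential"
# Per version: subject element, attribute-name attribute, attribute-namespace attribute.
PROFILES = {SAML11: ("NameIdentifier", "AttributeName", "AttributeNamespace"),
            SAML20: ("NameID", "Name", "NameFormat")}

# Constructed sample fragments; the values mirror the examples on this page.
SAML11_SAMPLE = f"""<saml:AttributeStatement xmlns:saml="{SAML11}">
  <saml:Subject><saml:NameIdentifier NameQualifier="ldap.acme.com:9080">uid=alice,dc=acme,dc=com</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="UniqueSecurityName" AttributeNamespace="{WSCRED_NS}"><saml:AttributeValue>uid=alice,dc=acme,dc=com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="GroupIds" AttributeNamespace="{WSCRED_NS}">
    <saml:AttributeValue>cn=development,dc=acme,dc=com</saml:AttributeValue>
    <saml:AttributeValue>cn=test,dc=acme,dc=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
SAML20_SAMPLE = f"""<saml2:Assertion xmlns:saml2="{SAML20}">
  <saml2:Subject><saml2:NameID NameQualifier="ldap.acme.com:9060">alice</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="UniqueSecurityName" NameFormat="{WSCRED_NS}"><saml2:AttributeValue>uid=alice,dc=acme,dc=com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="GroupIds" NameFormat="{WSCRED_NS}">
      <saml2:AttributeValue>cn=development,dc=acme,dc=com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def parse_wscredential_assertion(xml_text):
    """Extract name, realm, UniqueSecurityName and GroupIds; raise ValueError on a malformed token."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0]            # namespace URI of the root element
    if ns not in PROFILES:
        raise ValueError("not a SAML 1.1 or 2.0 assertion")
    name_el, name_attr, ns_attr = PROFILES[ns]
    q = lambda local: "{%s}%s" % (ns, local)
    subj = root.find(".//" + q(name_el))
    if subj is None or not subj.get("NameQualifier"):
        raise ValueError("missing %s or its NameQualifier (realm)" % name_el)
    attrs = {}
    for a in root.iter(q("Attribute")):
        # Refuse attributes that do not declare the WSCredential namespace/format.
        if a.get(ns_attr) != WSCRED_NS:
            raise ValueError("attribute %r has unexpected %s" % (a.get(name_attr), ns_attr))
        attrs[a.get(name_attr)] = [v.text for v in a.findall(q("AttributeValue"))]
    if len(attrs.get("UniqueSecurityName", [])) != 1:
        raise ValueError("UniqueSecurityName must appear exactly once")
    return {"name": subj.text, "realm": subj.get("NameQualifier"),
            "unique_security_name": attrs["UniqueSecurityName"][0],
            "group_ids": attrs.get("GroupIds", [])}
```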