WS-Sec Actor/Role Identifier not validated?

gllambi, 2012-10-30T01:59:02Z
Hi guys!

We have an AAA policy with SAML tokens in a WS-Security header and we want to add a Username token in another WS-Security header. When we send this message to DataPower, it sends an error that you cannot put two WS-Security headers without specifying a role. We added a role/SOAP actor in the AAA policy (field WS-Sec Actor/Role Identifier) and it worked fine, but unfortunately we found that it worked with any value we put in the actor property of the WS-Security header.

Does DataPower check that the WS-Sec Actor/Role Identifier in the message has the same value as the field WS-Sec Actor/Role Identifier of the AAA policy?

Thanks in advance!

Regards!
Guzmán
    Re: WS-Sec Actor/Role Identifier not validated?

    SystemAdmin, 2013-03-09T08:55:30Z, in response to gllambi
    Hi,

    Please make sure that you provided the parameters in the format specified below.

    identifier
        Specifies the assumed S11:actor or S12:role. Some well-known values are:

        http://schemas.xmlsoap.org/soap/actor/next
            Everyone who receives the message, including the intermediary and the ultimate receiver, should be able to process the Security header.
        http://www.w3.org/2003/05/soap-envelope/role/none
            No one should process the Security header.
        http://www.w3.org/2003/05/soap-envelope/role/next
            Everyone who receives the message, including the intermediary and the ultimate receiver, should be able to process the Security header.
        http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver
            The message's ultimate receiver can process the Security header.
        No value (empty string)
            (Default) The empty string (without quotes) indicates that no "actor/role" identifier is configured. With a configured actor/role, the ultimate receiver is assumed when processing the message, and no actor/role attribute will be added when generating the WS-Security Security header. Note that there should not be more than one Security header omitting the actor/role identifier.
        USE_MESSAGE_BASE_URI
            The actor/role identifier will be the base URL of the message; if the SOAP message is transported using HTTP, the base URI is the Request-URI of the HTTP request.
        A string value
            Any string to identify the actor or role of the Security header.

    Guidelines

    If a value is specified for the WS-Security S11:actor or S12:role identifier, the AAA action will act as the assumed actor or role when it consumes the Security headers. This setting takes effect only when the AAA policy attempts to process the incoming message before making an authorization decision.

    The Post Processing phase will not use the assumed actor or role, but will use its own setting in generating the message for the next SOAP node.
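Added example, not DataPower's code and not posted by anyone in this thread: a small Python model of the selection rule the answer describes, where a node consumes only the Security headers addressed to its configured S11:actor/S12:role (or to the well-known "next" identifiers), treats an empty identifier as "ultimate receiver", and rejects an envelope with more than one anonymous Security header. The function names, the `urn:example:aaa-gateway` actor and the sample envelope are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# The well-known 'next' identifiers from the answer: every node may act on them.
NEXT = {"http://schemas.xmlsoap.org/soap/actor/next", SOAP12 + "/role/next"}
ULTIMATE = SOAP12 + "/role/ultimateReceiver"


def security_headers(envelope_xml):
    """Return [(actor_or_role, element)] for every wsse:Security header.
    SOAP 1.1 names the target in S11:actor, SOAP 1.2 in S12:role."""
    root = ET.fromstring(envelope_xml)
    ns = root.tag[1:].split("}")[0]
    if ns not in (SOAP11, SOAP12):
        raise ValueError("not a SOAP 1.1 or 1.2 envelope")
    attr = "{%s}%s" % (ns, "actor" if ns == SOAP11 else "role")
    header = root.find("{%s}Header" % ns)
    secs = [] if header is None else header.findall("{%s}Security" % WSSE)
    return [(sec.get(attr, ""), sec) for sec in secs]


def select_security_headers(envelope_xml, configured_identifier=""):
    """Return the Security headers this node may consume; ValueError if none.
    configured_identifier mirrors the AAA 'WS-Sec Actor/Role Identifier'
    field: an empty string means the node acts as the ultimate receiver."""
    headers = security_headers(envelope_xml)
    if sum(1 for actor, _ in headers if actor == "") > 1:
        raise ValueError("more than one Security header omits actor/role")
    wanted = {configured_identifier} | NEXT
    if configured_identifier in ("", ULTIMATE):
        wanted |= {"", ULTIMATE}
    # A header addressed to anything else ('none' included) is left untouched.
    matches = [sec for actor, sec in headers if actor in wanted]
    if not matches:
        raise ValueError("no Security header addressed to %r"
                         % configured_identifier)
    return matches


# Constructed sample: a SAML header addressed to a hypothetical gateway actor
# plus an anonymous header carrying a UsernameToken for the ultimate receiver.
SAMPLE = """<S:Envelope xmlns:S="%s" xmlns:wsse="%s">
 <S:Header>
  <wsse:Security S:actor="urn:example:aaa-gateway">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"/>
  </wsse:Security>
  <wsse:Security>
   <wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
  </wsse:Security>
 </S:Header><S:Body/></S:Envelope>""" % (SOAP11, WSSE)
```

Configuring the gateway identifier selects only the SAML header, the empty identifier selects only the anonymous UsernameToken header, and an identifier that matches neither header raises, which is the behaviour the question expects from the AAA policy's identifier field.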