Managing module chains

You can define the following fields for a module chain:

The following fields are available on the Overview tab:

Name

Name of the module chain. This field is required.

Description

Description of the module chain. This field is required.

Template

The template that is referenced by this module chain.

The following fields are available on the Lookup tab:

Request Type

The type of request to associate with this chain. The request is one of the types that are supported by the WS-Trust specification.

Issue

Issue a new token, based on information that is obtained from the request.

Renew

Renew an expired token.

Validate

Validate the specified security token and return the requested result.

Cancel

Cancels a previously issued token so that it is no longer used.

Key Exchange

Transfer of a new key for use by the receiver of the request.

Other

A custom request type.

URI

A Uniform Resource Indicator for each request type. This field is read-only except when you select Other as the request type. For the Other type, enter the URI for your custom request type.

Lookup Type

XPath

Select this option to enable a text field that can be used to define a custom lookup rule. Use XML Path Language to define the rule.

Traditional WS-Trust Elements

Specifies that the trust service uses the values in the request for Applies To, Issuer, and Token Type as input to determine which trust service module chain to call.

Select this option to show the data entry fields for Applies To, Issuer, and Token Type.

You must provide a value for at least one of the following fields for the Traditional WS-Trust Elements:

• Issuer address
• Applies To address
• Token Type selected, where value is not None

Or, if you do not specify one of the above options, then you must select the XPath option, plus a specified XPath.

Note: If you supply values for all of the parameters, including the XPath, then the Issuer, Applies To, and Token Type values take priority over XPath in the runtime.

Applies To

Defines the scope of the token.

Address

The address of the service that is being requested. For example:

http://sp.example.com:9080/TrustServer/SecurityTokenService

You can use the asterisk (*) wildcard character at the end of a string. For example, token* matches all strings that start with token.

You can also use regular expressions in the format of REGEXP:(regular_expression_here). For example, REGEXP:(.*/application.*) matches any string that contains /application.

When you specify the scope for single sign-on protocols, this URI is sufficient information for identifying the issuer.

Service Name

A qualified name (QName) that includes a namespace URI and a local part for the Web service.

Note: A QName is a term that is defined in XML specifications. A QName consists of a namespace URI plus a local part.

For example:

http://sp.example.com:SecurityTokenService

Note: The Service Name field provides a colon (:) to separate the namespace URI from the local part.

This field is typically not used for single sign-on protocols, but can be used for Web services security management.

Port Type

Web services operations are grouped by port type. Use this field when there are more than one Web services port types to specify.

For example, a stock market data service might provide both a stock quoting service and a stock price history service. Use this field to specify the needed Web service.

http://sp.example.com:RequestSecurityTokenPort

The port type is also a QName.

Note: The Port Type field provides a colon (:) to separate the namespace URI from the local part.

This field is typically not used for single sign-on protocols, but can be used for Web services security management.

Issuer

Address

The URL for the company or enterprise that issued the token. For example:

example.com

You can use the asterisk (*) wildcard character at the end of a string. For example, token* matches all strings that start with token.

You can also use regular expressions in the format of REGEXP:(regular_expression_here). For example, REGEXP:(.*/application.*) matches any string that contains /application.

When you specify the scope for single sign-on protocols, this provider ID is sufficient information for identifying the issuer.

Service Name

A qualified name (QName) that includes a namespace URI and a local part for the Web service.

Note: A QName is a term that is defined in XML specifications. A QName consists of a namespace URI plus a local part.

For example:

http://idp.example.com:myWebService

Note: The Service Name field provides a colon (:) to separate the namespace URI from the local part.

This field is typically not used for single sign-on protocols, but can be used for Web services security management.

Port Type

Web services operations are grouped by port type. Use this field when there is more than one Web service port type to specify.

For example, a stock market data service might provide both a stock quoting service and a stock price history service. Use this field to specify the needed Web service.

http://idp.example.com:getQuotePortType

The port type is also a QName.

Note: The Port Type field provides a colon (:) to separate the namespace URI from the local part.

This field is typically not used for single sign-on protocols, but can be used for Web services security management.

Token Type

Defines the STS module type. Select a type to map a request message to an STS chain. Select a type other than None for it to be part of the runtime flow.

URI

A Uniform Resource Indicator for each token type. This field is read-only except when you select Other as the token type. For the Other type, enter the URI for your custom token type.

The following fields are available on the Security tab.

Validate Requests

Select to require a signature on the SOAP Body element that contains the RequestSecurityToken messages. When you select this option, your Trust Service client must use their private key to sign the body of the SOAP messages in accordance with the Web Services Security SOAP Message Security 1.1 specification.

Select the public key that was provided by the client to validate the signature on the message.

Certificate Database

Specify the database where the certificate is stored.

Certificate Label

Specify the name of the certificate to use for validation.

Send Validation Confirmation

Send signature validation confirmation. When you select this option, the Trust Server includes a SignatureValidationConfirmation element in the Security header in accordance with the Web Services Security SOAP Message Security 1.1 specification.

Sign Responses

Select to sign the Trust Server SOAP response messages. When you select this option, the Trust server uses the private key you select to sign the body of the SOAP response messages in accordance with the Web Services Security SOAP Message Security 1.1 specification.

Provide the corresponding public key to your client so that they can validate the signature on the message.

Certificate Database

Specify the database where the certificate is stored.

Certificate Label

Specify the name of the certificate to use for validation.

Include

Determine which elements to include in the digital signature for a Trust Server SOAP response message.

Public Key

Specify whether to include the public key with your signature.

Subject Key Identifier

Specify whether to include the X.509 subject key identifier with your signature.

Subject Name

Specify whether to include the subject name with your signature.

Certificate Data

Specify whether to include the BASE64 encoded certificate data with your signature.

Issuer Details

Specify whether to include the issuer name and the certificate serial number with your signature.

The Properties tab contains the properties for all modules within the template. Properties for each module can be viewed and updated by selecting the module on the Template Contents list.