Managing module chains
A module chain defines a WS-Trust endpoint. It contains a reference to a template and the properties for all modules within that template.
About this task
You can define the following fields for a module chain:
The following fields are available on the Overview tab:
- Name
- Name of the module chain. This field is required.
- Description
- Description of the module chain. This field is required.
- Template
- The template that is referenced by this module chain.
The following fields are available on the Lookup tab:
- Request Type
- The type of request to associate with this chain. The request is one of the types that are
supported by the WS-Trust specification.
- Issue
- Issue a new token, based on information that is obtained from the request.
- Renew
- Renew an expired token.
- Validate
- Validate the specified security token and return the requested result.
- Cancel
- Cancels a previously issued token so that it is no longer used.
- Key Exchange
- Transfer of a new key for use by the receiver of the request.
- Other
- A custom request type.
- URI
- A Uniform Resource Indicator for each request type. This field is read-only except when you select Other as the request type. For the Other type, enter the URI for your custom request type.
- Lookup Type
-
- XPath
- Select this option to enable a text field that can be used to define a custom lookup rule. Use XML Path Language to define the rule.
- Traditional WS-Trust Elements
- Specifies that the trust service uses the values in the request for Applies
To, Issuer, and Token Type as input to
determine which trust service module chain to call.
Select this option to show the data entry fields for Applies To, Issuer, and Token Type.
You must provide a value for at least one of the following fields for the Traditional WS-Trust Elements:
- Issuer address
- Applies To address
- Token Type selected, where value is not None
Or, if you do not specify one of the above options, then you must select the XPath option, plus a specified XPath.
Note: If you supply values for all of the parameters, including the XPath, then the Issuer, Applies To, and Token Type values take priority over XPath in the runtime.- Applies To
-
Defines the scope of the token.
- Address
- The address of the service that is being requested. For example:
http://sp.example.com:9080/TrustServer/SecurityTokenService
You can use the asterisk (*) wildcard character at the end of a string. For example,
token*
matches all strings that start withtoken
.You can also use regular expressions in the format of
REGEXP:(regular_expression_here)
. For example,REGEXP:(.*/application.*)
matches any string that contains/application
.When you specify the scope for single sign-on protocols, this URI is sufficient information for identifying the issuer.
- Service Name
- A qualified name (QName) that includes a namespace URI and a local part for the Web service.
Note: A QName is a term that is defined in XML specifications. A QName consists of a namespace URI plus a local part.
For example:
http://sp.example.com
:SecurityTokenService
Note: The Service Name field provides a colon (:) to separate the namespace URI from the local part.This field is typically not used for single sign-on protocols, but can be used for Web services security management.
- Port Type
- Web services operations are grouped by port type. Use this field when there are more than one
Web services port types to specify.
For example, a stock market data service might provide both a stock quoting service and a stock price history service. Use this field to specify the needed Web service.
http://sp.example.com
:RequestSecurityTokenPort
The port type is also a QName.Note: The Port Type field provides a colon (:) to separate the namespace URI from the local part.This field is typically not used for single sign-on protocols, but can be used for Web services security management.
- Issuer
-
- Address
- The URL for the company or enterprise that issued the token. For example:
example.com
You can use the asterisk (*) wildcard character at the end of a string. For example,
token*
matches all strings that start withtoken
.You can also use regular expressions in the format of
REGEXP:(regular_expression_here)
. For example,REGEXP:(.*/application.*)
matches any string that contains/application
.When you specify the scope for single sign-on protocols, this provider ID is sufficient information for identifying the issuer.
- Service Name
- A qualified name (QName) that includes a namespace URI and a local part for the Web service.
Note: A QName is a term that is defined in XML specifications. A QName consists of a namespace URI plus a local part.
For example:
http://idp.example.com
:myWebService
Note: The Service Name field provides a colon (:) to separate the namespace URI from the local part.This field is typically not used for single sign-on protocols, but can be used for Web services security management.
- Port Type
- Web services operations are grouped by port type. Use this field when there is more than one Web
service port type to specify.
For example, a stock market data service might provide both a stock quoting service and a stock price history service. Use this field to specify the needed Web service.
http://idp.example.com
:getQuotePortType
The port type is also a QName.Note: The Port Type field provides a colon (:) to separate the namespace URI from the local part.This field is typically not used for single sign-on protocols, but can be used for Web services security management.
- Token Type
- Defines the STS module type. Select a type to map a request message to an STS chain. Select a type other than None for it to be part of the runtime flow.
- URI
- A Uniform Resource Indicator for each token type. This field is read-only except when you select Other as the token type. For the Other type, enter the URI for your custom token type.
The following fields are available on the Security tab.
- Validate Requests
- Select to require a signature on the SOAP Body element that contains the RequestSecurityToken
messages. When you select this option, your Trust Service client must use their private key to sign
the body of the SOAP messages in accordance with the Web Services Security SOAP Message Security 1.1
specification.
Select the public key that was provided by the client to validate the signature on the message.
- Certificate Database
- Specify the database where the certificate is stored.
- Certificate Label
- Specify the name of the certificate to use for validation.
- Send Validation Confirmation
- Send signature validation confirmation. When you select this option, the Trust Server includes a SignatureValidationConfirmation element in the Security header in accordance with the Web Services Security SOAP Message Security 1.1 specification.
- Sign Responses
- Select to sign the Trust Server SOAP response messages. When you select this option, the Trust
server uses the private key you select to sign the body of the SOAP response messages in accordance
with the Web Services Security SOAP Message Security 1.1 specification.
Provide the corresponding public key to your client so that they can validate the signature on the message.
- Certificate Database
- Specify the database where the certificate is stored.
- Certificate Label
- Specify the name of the certificate to use for validation.
- Include
- Determine which elements to include in the digital signature for a Trust Server
SOAP response message.
- Public Key
- Specify whether to include the public key with your signature.
- Subject Key Identifier
- Specify whether to include the X.509 subject key identifier with your signature.
- Subject Name
- Specify whether to include the subject name with your signature.
- Certificate Data
- Specify whether to include the BASE64 encoded certificate data with your signature.
- Issuer Details
- Specify whether to include the issuer name and the certificate serial number with your signature.
The Properties tab contains the properties for all modules within the template. Properties for each module can be viewed and updated by selecting the module on the Template Contents list.