9.5 Configuring Service Providers

You must configure Web service providers to accept tokens issued by an STS. The Web service provider uses an IssuedToken policy for this purpose; the IssuedToken policy is wrapped in the WSDL. For a sample policy, see Section 9.5.6, A Sample WS-Policy for Web Service Providers.

Configuring a service provider includes adding a service provider domain and then adding a service provider in a configured domain. Access Manager also allows you to modify and delete configured service provider domains and service providers.

9.5.1 Adding a Domain and Assigning WS-Trust Operations

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS-Trust > Service Provider Domain.

  2. Click New > General to create a general domain. Selecting New > Office 365 creates an Office 365 domain that can be configured for active authentication. For details on creating an Office 365 domain, see Configuring an Office 365 Domain By Using WS-Trust Protocol.

  3. Specify the following details:

    Name: Specify a name for the domain.

    WS-Trust Operations: In Available operations, select the operations that the WS-Trust STS performs for tokens and move them to Selected operations.

    The available operations are Issue, Validate, OnBehalfOf, ActAs and Renew.

    If you select OnBehalfOf and ActAs in Available operations, additional configuration is required. For more information, see Adding Policy for ActAs and OnBehalfOf.

  4. Click Finish. Continue with creating a trusted service provider. For more information, see Adding Web Service Providers.

9.5.2 Adding Web Service Providers

This section discusses how to add service providers for the WS-Trust STS. Adding a service provider includes adding the service provider endpoint URL, configuring trust certificates, selecting token types, and customizing attributes.

Perform the following steps:

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS-Trust > Service Provider Domain.

  2. Select the domain under which you want to configure a service provider.

  3. Click Service Provider > New.

  4. Specify the following details:

    Name: Specify a name for the service provider.

    Endpoint: Specify the SOAP endpoint location at the service provider to which SOAP messages are sent.

    Token Type: Select the type of token that the service provider will accept or validate.

    Encrypt Proof Token Using: Import a certificate from the file system or paste the content of the certificate here. This certificate must be configured in the Web service provider and is used for creating the subject confirmation in the SAML token.

  5. Click Finish.

  6. Select the service provider to define the Attributes and Authentication Response. For more information, see Section 9.5.5, Modifying Service Providers.

Enabling Delegation and Impersonation

By default, ActAs and OnBehalfOf requests are disabled in the Access Manager Identity Server. To enable delegation and impersonation, you must enable ActAs and OnBehalfOf by performing the following steps:

  1. Go to WS-Trust > Service Provider Domain.

  2. Click the service provider domain name for which you want to enable ActAs and OnBehalfOf operations.

  3. Under WS Trust Operations, select ActAs and OnBehalfOf in Available operations and move to Selected operations.

  4. Click OK.

These operations are restricted to a set of privileged user accounts defined in the policy. You must configure the user accounts that are allowed to perform ActAs and OnBehalfOf operations in the nidpconfig.properties file of each Identity Server installation. For more information, see Adding Policy for ActAs and OnBehalfOf.

Configuring ActAs to Lookup Multiple User Stores

For ActAs, the user on whose behalf a client requests a token must be present in the user store (eDirectory). The default implementation checks for this user only in the default user store. If you want to search for the user in a different user store, perform the following steps:

  1. In the Administration Console, click Devices > Identity Server > Edit > Local > Classes.

  2. Click New and specify the following details:

    Display name: Specify Find_By_Username

    Java class: Select Other

    Java class path: Specify com.novell.nidp.authentication.local.UserNameAuthenticationClass

  3. Click Next > Finish.

  4. Go to Local > Methods.

  5. Click New and select the Find_By_Username class.

    For more information about how to configure an authentication method, see Section 3.3, Configuring Authentication Methods.

  6. Go to WS-Trust > STS Configuration. Move this authentication method from Available Authentication Methods to Selected Authentication Methods.

Adding Policy for ActAs and OnBehalfOf

You must add a policy to allow ActAs and OnBehalfOf operations. The default policy reads the allowed user names from the nidpconfig.properties file. Allowed user names are the user accounts that the intermediate Web service provider uses to authenticate with the STS when sending a request with ActAs or OnBehalfOf elements. For ActAs and OnBehalfOf, separate multiple user name values with commas. If no value is specified, ActAs and OnBehalfOf are denied.

The nidpconfig.properties file is located in the following location:

Linux: /opt/novell/nids/lib/webapp/WEB-INF/classes

Windows: C:\Program Files (x86)\Novell\Tomcat\webapps\nidp\WEB-INF\classes

To allow ActAs, enable the following name-value pair by removing the pound (#) symbol in front of it:

WSTRUST_AUTHORIZATION_ALLOWED_ACTAS_VALUES=alice,admin

To allow OnBehalfOf, enable the following name-value pair by removing the pound (#) symbol in front of it:

WSTRUST_AUTHORIZATION_ALLOWED_ONBEHALF_VALUES=bob,admin

To simplify the configuration, you can instead define only the following parameter:

WSTRUST_AUTHORIZATION_ALLOWED_VALUES=alice,admin

These users can perform both ActAs and OnBehalfOf operations.

After editing the file, restart the Identity Server by running the following command:

Linux: /etc/init.d/novell-idp restart

Windows: net stop Tomcat7

net start Tomcat7

After upgrading Access Manager, the configuration is reset to its default values. You must reconfigure these details after each upgrade.
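The allow-list rules described above (a key still commented out with # is ignored, an empty or missing value denies the operation, values are comma separated, and WSTRUST_AUTHORIZATION_ALLOWED_VALUES covers both operations), modelled as an added example. This is not Access Manager's own code; the sample file content is constructed, and it assumes that the combined key grants both operations in addition to any operation-specific keys that are also enabled.

```python
# Added example (not Access Manager code): models the default ActAs/OnBehalfOf
# authorization described above as applied to nidpconfig.properties.
# Assumption: WSTRUST_AUTHORIZATION_ALLOWED_VALUES grants both operations in
# addition to any operation-specific keys that are also enabled.

ACTAS_KEY = "WSTRUST_AUTHORIZATION_ALLOWED_ACTAS_VALUES"
OBO_KEY = "WSTRUST_AUTHORIZATION_ALLOWED_ONBEHALF_VALUES"
BOTH_KEY = "WSTRUST_AUTHORIZATION_ALLOWED_VALUES"


def parse_properties(text: str) -> dict:
    """Parse key=value lines; a line still starting with '#' is disabled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def allowed_accounts(props: dict, key: str) -> set:
    """Split a comma-separated value into user names, dropping blanks."""
    return {v.strip() for v in props.get(key, "").split(",") if v.strip()}


def is_permitted(props: dict, operation: str, requester: str) -> bool:
    """May 'requester' (the account the intermediate Web service provider
    authenticates to the STS with) send a request carrying ActAs or OnBehalfOf?"""
    specific = ACTAS_KEY if operation == "ActAs" else OBO_KEY
    permitted = allowed_accounts(props, specific) | allowed_accounts(props, BOTH_KEY)
    return requester in permitted  # no configured value: operation denied


# Constructed sample file: ActAs enabled for two accounts, OnBehalfOf left
# commented out (so it stays denied), combined key not defined.
SAMPLE = """
#WSTRUST_AUTHORIZATION_ALLOWED_VALUES=alice,admin
WSTRUST_AUTHORIZATION_ALLOWED_ACTAS_VALUES=alice, admin
#WSTRUST_AUTHORIZATION_ALLOWED_ONBEHALF_VALUES=bob,admin
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for op, who in (("ActAs", "alice"), ("ActAs", "bob"), ("OnBehalfOf", "bob")):
        print(op, who, "permitted" if is_permitted(props, op, who) else "denied")
```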

9.5.3 Managing Service Provider Domains

The WS-Trust page allows you to create, modify, and delete service provider domains. This page lists all configured service provider domains.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS-Trust > Service Provider Domains.

    The list of all configured service provider domains is displayed.

  2. Select one of the following actions:

    • New: Select New > General to create a general domain. Selecting New > Office 365 creates a domain that can be configured for single sign-on to Office 365 services. For more information about creating an Office 365 domain, see Section 9.5.1, Adding a Domain and Assigning WS-Trust Operations.

    • Delete: Deletes the selected service provider domain.

  3. Click OK, then update the Identity Server.

  4. Select the Service Provider domain to modify the following details:

    • Name: Modify the name of the service provider domain.

    • WS Trust Operations: Modify the list of selected WS-Trust operations.

  5. Click OK.

9.5.4 Managing Service Providers

Access Manager allows you to create, modify, and delete trusted service providers. The Service Providers page lists all configured service providers.

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS-Trust > Service Provider Domains > [name of the service provider domain] > Service Providers.

    The list of all configured service providers for the selected domain is displayed.

  2. Select one of the following actions:

  3. Click OK.

9.5.5 Modifying Service Providers

  1. In the Administration Console, click Devices > Identity Servers > Edit > WS-Trust > Service Provider Domains > [name of the service provider domain] > Service Providers.

    The list of all configured service providers for the selected domain is displayed.

  2. Click the name of the service provider you want to edit.

    You can modify the following details:

    Configuration > Trust

    Configuration > Attributes

    • Select the Attribute Set and move attributes from the Available list to the Send with Authentication pane. This indicates the attributes that you want sent in an assertion to the service provider.

    Configuration > Authentication Response

    • Specify a value for the name identifier.

      • The persistent and transient formats are generated automatically. For the others, you can select an attribute. The available attributes depend upon the attributes that you have selected to send with authentication (see Configuring the Attributes Obtained at Authentication). If you do not select a value for the E-mail, Kerberos, X509, or Unspecified format, a unique value is automatically generated.

        IMPORTANT: In Access Manager 4.0 SP1, SAML tokens with a Name Identifier value other than username do not support ActAs, OnBehalfOf, and SAML authentication operations.

  3. Click Apply.

9.5.6 A Sample WS-Policy for Web Service Providers

You should modify the WSDL of a Web service provider to include an IssuedToken policy that points to the Access Manager WS-Trust STS. To do so, add a WS-Policy containing an sp:IssuedToken element to the WSDL. The following is a sample configuration:

<wsp:Policy wsu:Id="<policy_name>">
    <wsp:ExactlyOne>
        <wsp:All>
            <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" wsp:Optional="false"/>
            <sc:KeyStore wspp:visibility="private" alias="xws-security-server"/>
            <sp:SymmetricBinding>
                <wsp:Policy>
                    <sp:ProtectionToken>
                        <wsp:Policy>
                            <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <sp:RequestSecurityTokenTemplate>
                                    <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
                                    <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
                                    <t:KeySize>256</t:KeySize>
                                </sp:RequestSecurityTokenTemplate>
                                <wsp:Policy>
                                    <sp:RequireInternalReference/>
                                </wsp:Policy>
                                <sp:Issuer>
                                    <wsaws:Address>https://namtest.com:8443/nidp/wstrust/sts</wsaws:Address>
                                    <wsaws:Metadata>
                                        <wsx:Metadata>
                                            <wsx:MetadataSection>
                                                <wsx:MetadataReference>
                                                    <wsaws:Address>https://namtest.com:8443/nidp/wstrust/sts/mex</wsaws:Address>
                                                </wsx:MetadataReference>
                                            </wsx:MetadataSection>
                                        </wsx:Metadata>
                                    </wsaws:Metadata>
                                </sp:Issuer>
                            </sp:IssuedToken>
                        </wsp:Policy>
                    </sp:ProtectionToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:SymmetricBinding>
            <sp:Wss11>
                <wsp:Policy>
                    <sp:MustSupportRefIssuerSerial/>
                    <sp:MustSupportRefThumbprint/>
                    <sp:MustSupportRefEncryptedKey/>
                </wsp:Policy>
            </sp:Wss11>
            <sp:Trust10>
                <wsp:Policy>
                    <sp:MustSupportIssuedTokens/>
                    <sp:RequireClientEntropy/>
                    <sp:RequireServerEntropy/>
                </wsp:Policy>
            </sp:Trust10>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
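An added example, not Access Manager code, that reads the sp:IssuedToken assertion of a policy like the sample above and reports which STS endpoint and token template the service provider pins, flagging any issuer or metadata address that is not served over HTTPS. The embedded policy is a constructed, trimmed copy of the sample; the namespace URIs are assumed to be the standard WS-Policy, WS-SecurityPolicy 2005/07, WS-Trust 2005/02, WS-Addressing WSDL and WS-MetadataExchange namespaces (the sample fragment itself declares only wsaws).

```python
# Added example (not Access Manager code): extract the STS the IssuedToken
# policy trusts and check that both STS addresses require TLS.
# Namespace URIs assumed: standard WS-Policy, WS-SecurityPolicy, WS-Trust, WS-Addressing WSDL, WS-MEX.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
      "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
      "wsaws": "http://www.w3.org/2006/05/addressing/wsdl",
      "wsx": "http://schemas.xmlsoap.org/ws/2004/09/mex"}

# Constructed, trimmed copy of the sample policy's IssuedToken assertion.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="{wsp}" xmlns:sp="{sp}" xmlns:t="{t}"
    xmlns:wsaws="{wsaws}" xmlns:wsx="{wsx}">
  <sp:IssuedToken>
    <sp:RequestSecurityTokenTemplate>
      <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
      <t:KeySize>256</t:KeySize>
    </sp:RequestSecurityTokenTemplate>
    <sp:Issuer>
      <wsaws:Address>https://namtest.com:8443/nidp/wstrust/sts</wsaws:Address>
      <wsaws:Metadata><wsx:Metadata><wsx:MetadataSection><wsx:MetadataReference>
        <wsaws:Address>https://namtest.com:8443/nidp/wstrust/sts/mex</wsaws:Address>
      </wsx:MetadataReference></wsx:MetadataSection></wsx:Metadata></wsaws:Metadata>
    </sp:Issuer>
  </sp:IssuedToken>
</wsp:Policy>""".format(**NS)


def inspect_issued_token(policy_xml: str) -> dict:
    """Return the STS endpoints and token template the policy pins, plus findings."""
    root = ET.fromstring(policy_xml)
    token = root.find(".//sp:IssuedToken", NS)
    tmpl = token.find("sp:RequestSecurityTokenTemplate", NS) if token is not None else None
    issuer = token.find("sp:Issuer", NS) if token is not None else None
    if tmpl is None or issuer is None:
        return {"findings": ["no complete sp:IssuedToken: STS-issued tokens are not required"]}
    info = {
        "token_type": tmpl.findtext("t:TokenType", default="", namespaces=NS),
        "key_size": int(tmpl.findtext("t:KeySize", default="0", namespaces=NS)),
        "sts": issuer.findtext("wsaws:Address", default="", namespaces=NS),
        "mex": issuer.findtext(".//wsx:MetadataReference/wsaws:Address", default="", namespaces=NS),
        "findings": [],
    }
    # Both addresses identify the trusted STS; without TLS the issuer endpoint
    # or its metadata could be swapped by whoever controls the network path.
    for label in ("sts", "mex"):
        if urlparse(info[label]).scheme != "https":
            info["findings"].append(f"{label} address is not https: {info[label]}")
    return info
```

Run inspect_issued_token over the WSDL-embedded policy of each configured service provider to confirm that it points at the intended Identity Server STS before trusting it.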