SOAP STS Configuration Properties

Deployment Url Element

Specifies a string that identifies this SOAP STS instance.

The Deployment Url Element is a component of the SOAP STS instance's endpoint. For example, if you specified mySOAPSTSInstance as the Deployment Url Element, the SOAP STS endpoint would be /<SOAP STS .war File Name>/myRealm/mySOAPSTSInstance.

General Configuration Properties

The following are general configuration properties for SOAP STS instances:

Persist Issued Tokens in Core Token Store

Specifies whether to enable token persistence in the Core Token Service (CTS).

AM saves all STS-issued tokens to CTS when token persistence is enabled. A token's lifetime in CTS has the same length as the Token Lifetime property specified for issued tokens.

STS token validation and cancellation capabilities require tokens to be present in CTS. Therefore, if your deployment requires token validation and cancellation, you must enable token persistence.

Issued Tokens

Specifies the types of tokens that this SOAP STS instance issues as output tokens for token transformations.

Security Policy Validated Token

Specifies the SupportingToken type in the WS-SecurityPolicy bindings in the SOAP STS deployment's WSDL, and whether the AM session created during token transformation should be invalidated after the token is issued.

Deployment Configuration Properties

The following are deployment configuration properties for SOAP STS instances:

Authentication Target Mappings

Specifies one or more mappings that define how the SOAP STS instance should authenticate input tokens.

Each mapping is a set of arguments separated by the | character as follows:

  1. (Required) The input token type: USERNAME, OPENAM, or X509.

  2. (Required) Either service or module: specify service if the third argument is an authentication chain, or module if the third argument is an authentication module.

  3. (Required) The name of an AM authentication chain or module to which the input token is authenticated.

  4. (Optional) The name of the header in which to place the token when authenticating to AM. For X509 input tokens, the format is x509_token_auth_target_header_key=Header Name.

    Be sure to specify the header name configured in the Certificate authentication module properties as the Header Name argument.

The following are example mappings:

  • USERNAME|service|myLDAPChain configures STS to authenticate input USERNAME tokens to the myLDAPChain authentication chain.

  • X509|module|CertModule|x509_token_auth_target_header_key=ClientCert configures STS to obtain an X.509 certificate from the ClientCert header, use it as the input token, and authenticate it using the CertModule authentication module.
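The mapping syntax above, as an added example that is not ForgeRock's own code: a small Python parser that checks each |-separated mapping (token type, service or module, target name, optional header argument) before it is pasted into the property. CertModule and ClientCert are the page's own example values; the header-argument rule for non-X509 tokens follows the description in step 4.

```python
# Added example (not ForgeRock's own code): parser/validator for the
# Authentication Target Mappings format TOKEN_TYPE|service-or-module|target[|header-arg]
from dataclasses import dataclass
from typing import Optional

TOKEN_TYPES = {"USERNAME", "OPENAM", "X509"}
TARGET_KINDS = {"service", "module"}  # service = auth chain, module = auth module
X509_HEADER_KEY = "x509_token_auth_target_header_key"

@dataclass(frozen=True)
class TargetMapping:
    token_type: str
    target_kind: str
    target_name: str
    header_name: Optional[str] = None  # header carrying the token, if any

def parse_mapping(mapping: str) -> TargetMapping:
    """Parse one '|'-separated mapping; raise ValueError on any defect."""
    parts = [p.strip() for p in mapping.split("|")]
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 arguments, got {len(parts)}: {mapping!r}")
    token_type, target_kind, target_name = parts[:3]
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"unknown input token type {token_type!r}")
    if target_kind not in TARGET_KINDS:
        raise ValueError(f"second argument must be service or module, got {target_kind!r}")
    if not target_name:
        raise ValueError("authentication chain or module name is empty")
    header_name = None
    if len(parts) == 4:
        if token_type == "X509":
            # X509 tokens use the key=value form: x509_token_auth_target_header_key=Header Name
            key, _, header_name = parts[3].partition("=")
            if key != X509_HEADER_KEY:
                raise ValueError(f"X509 header argument must start with {X509_HEADER_KEY}=")
        else:
            header_name = parts[3]  # USERNAME/OPENAM: the bare header name
        if not header_name:
            raise ValueError("header name is empty")
    return TargetMapping(token_type, target_kind, target_name, header_name)

def is_valid_mapping(mapping: str) -> bool:
    """Boolean wrapper for linting a whole property value."""
    try:
        parse_mapping(mapping)
        return True
    except ValueError:
        return False
```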

OpenAM URL

Specifies the AM URL. For example, https://openam.example.com:8443/openam.

Wsdl File Referencing Security Policy Binding Selection

Specifies a supporting token type and security policy binding to protect the SOAP STS instance. This choice will determine the SecurityPolicy bindings in the wsdl file defining the WS-Trust API.

If you select the Custom wsdl file option, you must provide the path to a custom WSDL file in the Custom wsdl File property.

Custom wsdl File

Specifies the path to a custom WSDL file that defines the WS-Trust API.

Custom Service QName

Specifies the name attribute of the wsdl:service element. Configure this property when using a custom WSDL file.

Custom Port QName

Specifies the name attribute of the wsdl:port element. Configure this property when using a custom WSDL file.

Delegation Relationships Supported

Enable this option if the request security token messages can include wst14:ActAs or wst:OnBehalfOf parameters. Note that you must enable this option if the SOAP STS instance issues SAML v2.0 assertions with SenderVouches subject confirmations.

Delegated Token Types

Specifies the types of validation support to enable in the SOAP STS instance for USERNAME and OPENAM tokens in wst14:ActAs or wst:OnBehalfOf parameters specified in request security token messages.

If the SOAP STS instance supports delegated relationships, configure either the Delegated Token Types property or the Custom Delegation Handlers property, but not both properties.

Custom Delegation Handlers

Specifies custom handlers that implement the org.apache.cxf.sts.token.delegation.TokenDelegationHandler interface. The handlers provide validation support for the tokens in wst14:ActAs or wst:OnBehalfOf parameters specified in request security token messages. Custom delegation handlers are typically used when the tokens are custom tokens.

If the SOAP STS instance supports delegated relationships, configure either the Delegated Token Types property or the Custom Delegation Handlers property, but not both properties.

SOAP Keystore Configuration Properties

The following are SOAP keystore configuration properties for SOAP STS instances:

Soap Keystore Location

Specifies the path to a JKS keystore containing keys for signing and encryption when using the symmetric and asymmetric bindings with SOAP messaging. Specify an absolute path or a location in the AM classpath.

Note that the Wsdl File Referencing Security Policy Binding Selection property determines the binding for a SOAP STS instance.

AM provides a JKS keystore with demo keys, /path/to/openam/security/keystores/keystore.jks. For more information about keystores in AM, see Configuring Secrets, Certificates, and Keys.

Keystore Password

Specifies the password used to decrypt the keystore.

Signature Key Alias

Specifies the key alias in the keystore used to sign messages from this SOAP STS instance. You must configure this property when using asymmetric binding.

Signature Key Password

Specifies the password for the signature key.

Decryption Key Alias

Specifies the key alias in the keystore used by this SOAP STS instance to decrypt client messages for the asymmetric binding, and to decrypt the client-generated symmetric key for the symmetric binding.

Decryption Key Password

Specifies the password for the decryption key.
