Insert SAML Assertion Service

Syntax:

com.ibi.agents.XDInsertSAMLAssertionAgent

Description:

This service generates a WSSE SecurityTokenReference containing an embedded SAML 1.x assertion and inserts it into the SOAP header, by default under the wsse:Security header block. The assertion is built from the parameters below; the service does not sign it.

Parameters:

The following table lists and describes the parameters for the Insert SAML Assertion service.

Parameter Name

Description

XML Namespace Provider

Provider for the mapping between XML namespace prefix and namespace URI. If left blank, elements in the security token will use the default namespace.

XPath Version

Determines which implementation of XPath should be used. You can select the iWay implementation of XPath, an external XPath implementation, or the default. The default option selects the XPath implementation that is specified in the General Settings area of the iSM Administration Console.

Create Parent Element

Determines whether the parent element is created if it is missing. Select true or false (default) from the drop-down list.

Security Token Parent Element

Path to the element where the security token reference will be inserted. The default value is:

/soapenv:Envelope/soapenv:Header/wsse:Security

If the Create Parent Element parameter is set to true, the expression must adhere to the Restricted XPath syntax; otherwise, it may use the full syntax of the XPath engine selected by the XPath Version parameter.

Restricted XPath has the form /step1/step2/..., where each step has the form ns:elem[predicate], or is a pair of consecutive steps of the form *[1]/self::ns:elem[predicate], which indicates that the element must be the first child of its parent. The namespace prefixes are optional, but if present they must be declared in the XML Namespace Provider. The predicate is also optional; when present it has the form [@ns1:attr1='val1' and @ns2:attr2='val2' and ...]. If no element matches the Restricted XPath expression and Create Parent Element is true, the necessary elements and attributes are created so that the expression matches.

WSSE Security Token Reference Id

The value of the wsu:Id attribute on the wsse:SecurityTokenReference element. Optional. Subsequent services can retrieve this value in the saml_token_id special register.

SAML Assertion Id

The value of the AssertionID attribute on the saml:Assertion element. Required. Subsequent services can retrieve this value in the saml_assertion_id special register.

SAML Issue Instant

The value of the IssueInstant attribute on the saml:Assertion element, an xsd:dateTime in UTC. Required. Subsequent services can retrieve this value in the saml_issue_instant special register.

SAML Issuer

The value of the Issuer attribute on the saml:Assertion element. Required.

SAML Major Version

The value of the MajorVersion attribute on the saml:Assertion element. The default value is 1.

SAML Minor Version

The value of the MinorVersion attribute on the saml:Assertion element. The default value is 1.

SAML Authentication Instant

The value of the AuthenticationInstant attribute on the saml:AuthenticationStatement element, an xsd:dateTime in UTC. Required.

SAML Authentication Method

The value of the AuthenticationMethod attribute on the saml:AuthenticationStatement element, for example urn:oasis:names:tc:SAML:1.0:am:X509-PKI. Required.

SAML Name Identifier Format

The value of the Format attribute on the saml:NameIdentifier element. Required.

SAML Name Identifier

The text content of the saml:NameIdentifier element, for example an X.509 subject name. Required.

SAML Subject Confirmation Method

The value of the saml:ConfirmationMethod element inside saml:SubjectConfirmation, for example urn:oasis:names:tc:SAML:1.1:cm:sender-vouches. Required.

Edges:

The following table lists and describes the edges that are returned by the Insert SAML Assertion service.

Edge

Description

success

The SAML assertion was successfully inserted.

fail_parse

An iFL or XPath expression could not be evaluated.

fail_operation

The SAML assertion could not be inserted.

The location at which to insert the SecurityTokenReference is given by the XPath expression in the Security Token Parent Element parameter. The expression can contain namespace prefixes if the optional XML Namespace Provider is specified. When Create Parent Element is true, the parent element is created if needed, but the expression must adhere to the Restricted XPath syntax. When Create Parent Element is false, the parent element must already exist, and the expression may use the full syntax of the XPath engine selected by the XPath Version parameter. A plain Restricted XPath step does not constrain where a newly created element is positioned among existing children; since SOAP requires soapenv:Header to precede soapenv:Body, use the *[1]/self::soapenv:Header form in the path when the Header itself may have to be created. The optional WSSE Security Token Reference Id parameter generates a wsu:Id attribute on the wsse:SecurityTokenReference element. The Id is saved in the saml_token_id special register, so a subsequent XML Digital Signature Reference can point at the security token with the URI expression #_sreg(saml_token_id). Signing matters here: the service inserts the assertion unsigned, and with the sender-vouches confirmation method in particular, the receiver can only trust the assertion if the sender signs both the token and the message content it vouches for.
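The Restricted XPath rules above are small enough to implement directly. The following Python code is an added example written for this page, not part of iWay Service Manager: it parses the Restricted XPath grammar (plain steps, the *[1]/self:: first-child form, and attribute predicates), resolves prefixes through a namespace map that stands in for the XML Namespace Provider, and, when create is true, builds the missing elements and attributes. The SOAP envelope it operates on is constructed inline, and the function names (resolve, demo) are the example's own.

```python
"""Restricted XPath resolver for the Security Token Parent Element.

Added example for this page (not iWay code): implements the Restricted XPath
grammar described above over xml.etree.ElementTree and, with create=True,
creates the missing elements and attributes so that the expression matches.
"""
import re
import xml.etree.ElementTree as ET

NAME = r"[A-Za-z_][\w.-]*"
STEP_RE = re.compile(rf"^(?:(?P<prefix>{NAME}):)?(?P<local>{NAME})(?:\[(?P<pred>.+)\])?$")
ATTR_RE = re.compile(rf"^@(?:(?P<prefix>{NAME}):)?(?P<local>{NAME})='(?P<value>[^']*)'$")

# Stand-in for the XML Namespace Provider: prefix -> namespace URI.
NSMAP = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}


def _qname(prefix, local, nsmap):
    """ns:local -> ElementTree's {uri}local; an undeclared prefix is an error."""
    if prefix is None:
        return local  # no prefix: default (no) namespace
    if prefix not in nsmap:
        raise ValueError(f"namespace prefix '{prefix}' is not declared in the namespace map")
    return f"{{{nsmap[prefix]}}}{local}"


def _split_steps(expr):
    """Split an absolute path into (first_child_only, step_text) pairs.

    Slashes inside [...] do not split, so predicate values may be URIs;
    a '*[1]' token is folded into the 'self::...' step that follows it.
    """
    if not expr.startswith("/"):
        raise ValueError("Restricted XPath must be absolute")
    raw, buf, depth = [], [], 0
    for ch in expr[1:]:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "/" and depth == 0:
            raw.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    raw.append("".join(buf))
    steps, i = [], 0
    while i < len(raw):
        if raw[i] == "*[1]":
            if i + 1 == len(raw) or not raw[i + 1].startswith("self::"):
                raise ValueError("'*[1]' must be followed by 'self::ns:elem'")
            steps.append((True, raw[i + 1][len("self::"):]))
            i += 2
        else:
            steps.append((False, raw[i]))
            i += 1
    return steps


def _parse_step(text, nsmap):
    """Return (tag, {attr: value}) for a step like ns:elem[@ns1:a='v' and @ns2:b='w']."""
    m = STEP_RE.match(text)
    if not m:
        raise ValueError(f"invalid Restricted XPath step '{text}'")
    attrs = {}
    if m.group("pred"):
        for clause in m.group("pred").split(" and "):
            a = ATTR_RE.match(clause.strip())
            if not a:
                raise ValueError(f"invalid predicate clause '{clause}'")
            attrs[_qname(a.group("prefix"), a.group("local"), nsmap)] = a.group("value")
    return _qname(m.group("prefix"), m.group("local"), nsmap), attrs


def _matches(el, tag, attrs):
    return el.tag == tag and all(el.get(k) == v for k, v in attrs.items())


def resolve(root, expr, nsmap, create=False):
    """Return the element addressed by expr, creating missing parts when create is true."""
    steps = _split_steps(expr)
    tag, attrs = _parse_step(steps[0][1], nsmap)
    if not _matches(root, tag, attrs):
        raise LookupError("document root does not match the first step")
    cur = root
    for first_only, text in steps[1:]:
        tag, attrs = _parse_step(text, nsmap)
        candidates = list(cur)[:1] if first_only else list(cur)  # *[1]: first child only
        found = next((c for c in candidates if _matches(c, tag, attrs)), None)
        if found is None:
            if not create:
                raise LookupError(f"no element matches step '{text}' and create is false")
            found = ET.Element(tag, attrs)
            if first_only:
                cur.insert(0, found)  # must become the first child
            else:
                cur.append(found)
        cur = found
    return cur


# Constructed sample input: an envelope with a Body but no Header yet.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><Ping/></soapenv:Body></soapenv:Envelope>"
)


def demo(expr, create=True):
    """Resolve expr against ENVELOPE; report the target and where the Header ended up."""
    root = ET.fromstring(ENVELOPE)
    target = resolve(root, expr, NSMAP, create=create)
    header_index = [c.tag for c in root].index(_qname("soapenv", "Header", NSMAP))
    return {"tag": target.tag, "attrs": dict(target.attrib), "header_index": header_index}


if __name__ == "__main__":
    print(demo("/soapenv:Envelope/soapenv:Header/wsse:Security"))
    print(demo("/soapenv:Envelope/*[1]/self::soapenv:Header/wsse:Security[@soapenv:mustUnderstand='1']"))
```

Run against an envelope that has a Body but no Header, the default path appends the created Header after the Body, while the *[1]/self::soapenv:Header form inserts it as the first child, which is the position SOAP requires; demo returns the Header's index so the difference is visible. An undeclared prefix is rejected before anything is created, and with create false a missing parent is reported rather than built, matching the fail_operation behaviour described for the service.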

The required SAML Assertion Id parameter generates the AssertionID attribute on the saml:Assertion element; the value is saved in the saml_assertion_id special register for later reference. The required SAML Issue Instant parameter generates the IssueInstant attribute on the saml:Assertion element; the value is saved in the saml_issue_instant special register. The service also requires the following parameters, which populate the remaining attributes and elements of the SAML 1.x assertion: SAML Issuer, SAML Major Version, SAML Minor Version, SAML Authentication Instant, SAML Authentication Method, SAML Name Identifier Format, SAML Name Identifier, and SAML Subject Confirmation Method. The Major and Minor Versions both default to 1. The IssueInstant and AuthenticationInstant values are xsd:dateTime values and must be expressed in UTC, as in the sample below (2007-02-26T10:11:11Z).
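To make the mapping from parameters to XML concrete, the following Python code is an added example written for this page, not iWay code. It builds the wsse:SecurityTokenReference with an embedded SAML 1.1 assertion from the parameter values in the sample table below, inserts it under an existing wsse:Security header of a constructed envelope, and returns the three special-register values a later service would read. The wsse:Embedded wrapper, the namespace URIs (WS-Security 1.0 and the SAML 1.0 assertion namespace, which SAML 1.1 reuses) and the element layout follow the WSS SAML Token Profile and the SAML 1.1 schema; they are assumptions about the service's exact output, which the page does not show. The function names (insert_saml_assertion, run_sample) are the example's own.

```python
"""Build the wsse:SecurityTokenReference with an embedded SAML 1.1 assertion.

Added example for this page (not iWay code). Parameter names are the service's,
lower-cased with underscores; the wsse:Embedded wrapper and namespace URIs follow
the WSS SAML Token Profile 1.0 and are assumptions about the service's output.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",  # SAML 1.1 reuses the 1.0 namespace
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# SAML time values are xsd:dateTime in UTC; reject anything else up front.
UTC_INSTANT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def q(prefix, local):
    """Clark-notation tag {uri}local for one of the prefixes in NS."""
    return f"{{{NS[prefix]}}}{local}"


def insert_saml_assertion(envelope, p):
    """Append the token reference under wsse:Security; return the special registers set."""
    for key in ("saml_issue_instant", "saml_authentication_instant"):
        if not UTC_INSTANT.match(p[key]):
            raise ValueError(f"{key} must be a UTC xsd:dateTime such as 2007-02-26T10:11:11Z")
    security = envelope.find("soapenv:Header/wsse:Security", NS)
    if security is None:  # the service's fail_operation case: parent absent, not created here
        raise LookupError("wsse:Security parent element not found")

    token_ref = ET.SubElement(security, q("wsse", "SecurityTokenReference"))
    token_id = p.get("wsse_security_token_reference_id")
    if token_id:  # optional: wsu:Id lets a later ds:Reference point at the token
        token_ref.set(q("wsu", "Id"), token_id)
    embedded = ET.SubElement(token_ref, q("wsse", "Embedded"))
    assertion = ET.SubElement(embedded, q("saml", "Assertion"), {
        "AssertionID": p["saml_assertion_id"],
        "IssueInstant": p["saml_issue_instant"],
        "Issuer": p["saml_issuer"],
        "MajorVersion": p.get("saml_major_version", "1"),
        "MinorVersion": p.get("saml_minor_version", "1"),
    })
    statement = ET.SubElement(assertion, q("saml", "AuthenticationStatement"), {
        "AuthenticationInstant": p["saml_authentication_instant"],
        "AuthenticationMethod": p["saml_authentication_method"],
    })
    subject = ET.SubElement(statement, q("saml", "Subject"))
    name_id = ET.SubElement(subject, q("saml", "NameIdentifier"),
                            {"Format": p["saml_name_identifier_format"]})
    name_id.text = p["saml_name_identifier"]
    confirmation = ET.SubElement(subject, q("saml", "SubjectConfirmation"))
    method = ET.SubElement(confirmation, q("saml", "ConfirmationMethod"))
    method.text = p["saml_subject_confirmation_method"]
    return {
        "saml_token_id": token_id,
        "saml_assertion_id": p["saml_assertion_id"],
        "saml_issue_instant": p["saml_issue_instant"],
    }


# Values taken from the sample parameter table on this page.
SAMPLE_PARAMS = {
    "wsse_security_token_reference_id": "tokenid",
    "saml_assertion_id": "_a75adf55-01d7-40cc-929f-dbd8372ebdfc",
    "saml_issue_instant": "2007-02-26T10:11:11Z",
    "saml_issuer": "urn:tokenIssuer:sms:com",
    "saml_major_version": "1",
    "saml_minor_version": "1",
    "saml_authentication_instant": "2007-02-26T10:11:00Z",
    "saml_authentication_method": "urn:oasis:names:tc:SAML:1.0:am:X509-PKI",
    "saml_name_identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "saml_name_identifier": "CN=Client gateway,O=Some client,C=GB",
    "saml_subject_confirmation_method": "urn:oasis:names:tc:SAML:1.1:cm:sender-vouches",
}

# Constructed input document: the wsse:Security header block already exists.
INPUT = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    "<soapenv:Header><wsse:Security/></soapenv:Header>"
    "<soapenv:Body><Ping/></soapenv:Body></soapenv:Envelope>"
)


def run_sample():
    """Insert the sample assertion; return (special registers, serialized envelope)."""
    envelope = ET.fromstring(INPUT)
    registers = insert_saml_assertion(envelope, SAMPLE_PARAMS)
    return registers, ET.tostring(envelope, encoding="unicode")


if __name__ == "__main__":
    regs, xml = run_sample()
    print(regs)
    print(xml)
```

Nothing in this block signs anything. With the sender-vouches confirmation method the receiver has no cryptographic binding between the named subject and the message unless the sender subsequently signs both the token and the body; the saml_token_id register exists so that the signature's Reference can address the token through its wsu:Id (URI #_sreg(saml_token_id)).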

The sample below shows a SAML assertion created by the service, using the parameter values listed in the following table.

Parameter Name

Value

XML Namespace Provider

(left blank)

XPath Version

default

Create Parent Element

true

Security Token Parent Element

(left blank; the default path /soapenv:Envelope/soapenv:Header/wsse:Security applies)

WSSE Security Token Reference Id

tokenid

SAML Assertion Id

_a75adf55-01d7-40cc-929f-dbd8372ebdfc

SAML Issue Instant

2007-02-26T10:11:11Z

SAML Issuer

urn:tokenIssuer:sms:com

SAML Major Version

1

SAML Minor Version

1

SAML Authentication Instant

2007-02-26T10:11:00Z

SAML Authentication Method

urn:oasis:names:tc:SAML:1.0:am:X509-PKI

SAML Name Identifier Format

urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

SAML Name Identifier

CN=Client gateway,O=Some client,C=GB

SAML Subject Confirmation Method

urn:oasis:names:tc:SAML:1.1:cm:sender-vouches

A sample input document is shown as follows (indented for display purposes only):

The resulting document shows the addition of the WSSE SecurityTokenReference in the SOAP header block (indented for display purposes only):


iWay Software