Syntax:
com.ibi.agents.XDInsertSAMLAssertionAgent
Description:
This service is used to generate a WSSE SecurityTokenReference containing an embedded SAML assertion.
Parameters:
The following table lists and describes the parameters for the Insert SAML Assertion service.
Parameter Name | Description |
---|---|
XML Namespace Provider | Provider for the mapping between XML namespace prefix and namespace URI. If left blank, elements in the security token will use the default namespace. |
XPath Version | Determines which implementation of XPath should be used. You can select the iWay implementation of XPath, an external XPath implementation, or the default. The default option selects the XPath implementation that is specified in the General Settings area of the iSM Administration Console. |
Create Parent Element | Determines whether the parent element is created if it is missing. Select true or false (default) from the drop-down list. |
Security Token Parent Element | Path to the element where the security token reference will be inserted. The default value is /soapenv:Envelope/soapenv:Header/wsse:Security. If the Create Parent Element parameter is set to true, the expression must adhere to Restricted XPath syntax; otherwise the expression may use the full syntax of the XPath engine selected by the XPath Version parameter. Restricted XPath has the form /step1/step2/..., where a step has the form ns:elem[predicate], or a pair of consecutive steps has the form *[1]/self::ns:elem[predicate] to indicate that the element must be the first child of its parent. The namespace prefixes are optional, but if present they must be declared in the XML Namespace Provider. The predicate is optional, but when present it has the form [@ns1:attr1='val1' and @ns2:attr2='val2' and ...]. If no element matches the Restricted XPath expression and the Create Parent Element parameter is set to true, the necessary elements and attributes are created so that the expression matches. |
WSSE Security Token Reference Id | The value of the SecurityTokenReference ID Attribute. Subsequent services can retrieve this value in the saml_token_id special register. |
SAML Assertion Id | The value of the SAML Assertion ID Attribute. Subsequent services can retrieve this value in the saml_assertion_id special register. |
SAML Issue Instant | The value of the SAML IssueInstant attribute. Subsequent services can retrieve this value in the saml_issue_instant special register. |
SAML Issuer | The value of the SAML Issuer attribute. |
SAML Major Version | The value of the SAML MajorVersion attribute. The default value is 1. |
SAML Minor Version | The value of the SAML MinorVersion attribute. The default value is 1. |
SAML Authentication Instant | The value of the SAML AuthenticationInstant attribute. |
SAML Authentication Method | The value of the SAML AuthenticationMethod attribute. |
SAML Name Identifier Format | The value of the SAML NameIdentifier Format attribute. |
SAML Name Identifier | The value of the SAML NameIdentifier element. |
SAML Subject Confirmation Method | The value of the SAML ConfirmationMethod element. |
Edges:
The following table lists and describes the edges that are returned by the Insert SAML Assertion service.
Edge | Description |
---|---|
success | The SAML assertion was successfully inserted. |
fail_parse | An iFL or XPath expression could not be evaluated. |
fail_operation | The SAML assertion could not be inserted. |
The location at which to insert the Security Token Reference is given by the XPath expression in the Security Token Parent Element parameter. The XPath expression can contain namespace prefixes if the optional XML Namespace Provider is specified. When the Create Parent Element parameter is true, the parent element is created if needed, but the XPath expression must adhere to the Restricted XPath syntax. When the Create Parent Element parameter is false, the parent element must already exist, but the expression may use the full syntax of the XPath engine selected by the XPath Version parameter. The optional WSSE Security Token Reference Id parameter is used to generate a wsu:Id attribute on the wsse:SecurityTokenReference element. The Id is saved in the saml_token_id special register, so that a later XML Digital Signature Reference can refer to the security token with the URL expression #_sreg(saml_token_id).
The required SAML Assertion Id is used to generate the saml:AssertionId attribute on the saml:Assertion element; it is saved in the saml_assertion_id special register for later reference. The required SAML Issue Instant is used to generate the saml:IssueInstant attribute on the saml:Assertion element; the issue instant is saved in the saml_issue_instant special register. As required by the SAML schema, the following parameters are all mandatory: SAML Issuer, SAML Major Version, SAML Minor Version, SAML Authentication Instant, SAML Authentication Method, SAML Name Identifier Format, SAML Name Identifier, and SAML Subject Confirmation Method. The Major and Minor Versions both default to 1.
The following sample shows a SAML Assertion created by the service. The following table lists the parameter values that were used.
Parameter Name | Value |
---|---|
XML Namespace Provider | |
XPath Version | default |
Create Parent Element | true |
Security Token Parent Element | |
WSSE Security Token Reference Id | tokenid |
SAML Assertion Id | _a75adf55-01d7-40cc-929f-dbd8372ebdfc |
SAML Issue Instant | 2007-02-26T10:11:11Z |
SAML Issuer | urn:tokenIssuer:sms:com |
SAML Major Version | 1 |
SAML Minor Version | 1 |
SAML Authentication Instant | 2007-02-26T10:11:00Z |
SAML Authentication Method | urn:oasis:names:tc:SAML:1.0:am:X509-PKI |
SAML Name Identifier Format | urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
SAML Name Identifier | CN=Client gateway,O=Some client,C=GB |
SAML Subject Confirmation Method | urn:oasis:names:tc:SAML:1.1:cm:sender-vouches |
A sample input document is shown as follows (indented for display purposes only):
The resulting document shows the addition of the WSSE SecurityTokenReference in the SOAP header block (indented for display purposes only):
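As an added example (not iWay's own code), the following Python builds the same kind of wsse:SecurityTokenReference with an embedded SAML 1.1 assertion from the parameter values in the table above, resolving the Security Token Parent Element as a Restricted XPath and creating missing parents the way Create Parent Element = true does, including the *[1]/self:: first-child step and [@ns:attr='val'] predicates. The wsse:Embedded wrapper, the SAML 1.1 attribute names (AssertionID, IssueInstant, and so on) and the element layout inside saml:Assertion are assumptions drawn from the WS-Security SAML Token Profile and the SAML 1.1 schema rather than from this page; the input envelope is constructed, and the parameter dict passed to run_sample is the one from the table above.

```python
import re, xml.etree.ElementTree as ET
# Namespace map standing in for the XML Namespace Provider (standard SOAP, WSS and SAML 1.x URIs).
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
for pfx, uri in NS.items(): ET.register_namespace(pfx, uri)  # keep these prefixes when serializing
# A Restricted XPath step: optional "*[1]/self::" (must be first child), optional prefix, local name,
# optional predicate [@ns:attr='val' and ...]; PRED extracts the attribute/value pairs (no '/' in values).
STEP = re.compile(r"^(\*\[1\]/self::)?(?:(\w+):)?(\w+)(?:\[(.+)\])?$")
PRED = re.compile(r"@((?:\w+:)?\w+)='([^']*)'")
def qn(name):  # 'wsse:Security' -> '{uri}Security' (Clark notation used by ElementTree)
    prefix, _, local = name.rpartition(":")
    return "{%s}%s" % (NS[prefix], local) if prefix else local
def ensure_path(root, path):
    """Resolve a Restricted XPath as Create Parent Element = true does: the first step is the document root, and each missing element is created with its predicate attributes."""
    node = root
    for step in re.findall(r"(?:\*\[1\]/self::)?[^/]+", path.strip("/"))[1:]:
        first_only, prefix, local, pred = STEP.match(step).groups()
        tag = qn(prefix + ":" + local if prefix else local)
        attrs = {qn(a): v for a, v in PRED.findall(pred or "")}
        hits = [c for j, c in enumerate(node) if c.tag == tag and (not first_only or j == 0)
                and all(c.get(k) == v for k, v in attrs.items())]
        if not hits:  # create it, at index 0 when the path requires a first child
            hits = [ET.Element(tag, attrs)]
            node.insert(0 if first_only else len(node), hits[0])
        node = hits[0]
    return node
def insert_saml_token(root, p):
    """Insert wsse:SecurityTokenReference/wsse:Embedded/saml:Assertion built from parameter dict p; returns the three special registers named in the table above."""
    g = p.get
    ref = ET.SubElement(ensure_path(root, g("Security Token Parent Element")),
                        qn("wsse:SecurityTokenReference"), {qn("wsu:Id"): g("WSSE Security Token Reference Id")})
    a = ET.SubElement(ET.SubElement(ref, qn("wsse:Embedded")), qn("saml:Assertion"),
        {"AssertionID": g("SAML Assertion Id"), "IssueInstant": g("SAML Issue Instant"), "Issuer": g("SAML Issuer"),
         "MajorVersion": g("SAML Major Version", "1"), "MinorVersion": g("SAML Minor Version", "1")})
    subj = ET.SubElement(ET.SubElement(a, qn("saml:AuthenticationStatement"),
        {"AuthenticationInstant": g("SAML Authentication Instant"),
         "AuthenticationMethod": g("SAML Authentication Method")}), qn("saml:Subject"))
    ET.SubElement(subj, qn("saml:NameIdentifier"), {"Format": g("SAML Name Identifier Format")}).text = g("SAML Name Identifier")
    ET.SubElement(ET.SubElement(subj, qn("saml:SubjectConfirmation")),
                  qn("saml:ConfirmationMethod")).text = g("SAML Subject Confirmation Method")
    return {"saml_token_id": g("WSSE Security Token Reference Id"),
            "saml_assertion_id": g("SAML Assertion Id"), "saml_issue_instant": g("SAML Issue Instant")}
def run_sample(params):
    """Constructed input: an Envelope holding only a Body, so Header and wsse:Security must be created."""
    root = ET.fromstring('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body/></soapenv:Envelope>' % NS["soapenv"])
    return insert_saml_token(root, params), ET.tostring(root, encoding="unicode"), root
```

With the default path, a Header this example has to create is appended after the existing Body; the /soapenv:Envelope/*[1]/self::soapenv:Header/wsse:Security form places it first, which is what the first-child step syntax is for.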