Require WS-Secure Conversation Assertion

The Require WS-Secure Conversation assertion allows you to require that request and response messages be secured using a secure conversation session. Specifically, messages must:
  • Include a "SecurityContextToken" referencing an already-established WS-Secure Conversation session
  • Include at least one element signed with the shared secret from this session as proof of possession of the session shared secret
The Require WS-Secure Conversation assertion is a credential source that saves the user that owns the session for later authorization via the Authenticate User or Group Assertion. This assertion can be used in tandem with the Protect Against Message Replay, Sign Element, and Encrypt Element assertions.
Some more information about using WS-Secure Conversation on the Gateway:
  • The Require WS-Secure Conversation assertion, by itself, does not require that the request message contain a timestamp, and does not check the validity of any time stamp that might be present. To protect against stale or replayed messages, use the Require WS-Secure Conversation assertion with the Protect Against Message Replay Assertion.
  • This assertion may behave unexpectedly if there are two users in different identity providers, with both recognizing the same certificate credentials.
  • To enable persistence for WS-Secure Conversation sessions, set the cluster property wss.secureConversation.clusterSessions to "true". This will allow WSSC sessions to be shared between cluster nodes.
  • Federated virtual users are not compatible with secure conversation. For more information on virtual users, see Federated Identity Provider Users and Groups.
Context Variable Created by This Assertion
When the Require WS-Secure Conversation assertion is used, it creates the following context variable that contains the secure conversation context in the inbound request message:
inboundSC.session
To access the session ID, use ${inboundSC.session.id}.
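The following is an added example, not Gateway code, that shows what the two message requirements above look like on the wire and how the session identifier exposed as ${inboundSC.session.id} is located. It parses a constructed SOAP 1.1 request whose wsse:Security header carries a wsc:SecurityContextToken and an HMAC signature keyed by that token, checks that the signature's key reference points at the token and that it covers at least one element, and reports whether a wsu:Timestamp is present (which this assertion does not check on its own). The session URN, element Ids and the digest/signature values are placeholders; the HMAC itself is not verified here, since that needs the session key and XML canonicalization.

```python
"""Structural inspection of a WS-Secure Conversation request (added example)."""
import xml.etree.ElementTree as ET

# Namespace prefixes used by the constructed request.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample request. The session URN, the wsu:Id values and the
# DigestValue/SignatureValue contents are placeholders, not real values.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsc:SecurityContextToken wsu:Id="sct-1">
        <wsc:Identifier>urn:uuid:00000000-0000-0000-0000-000000000001</wsc:Identifier>
      </wsc:SecurityContextToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER-HMAC</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#sct-1"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="body-1">
    <GetQuote xmlns="http://example.invalid/stock"><Symbol>ACME</Symbol></GetQuote>
  </soap:Body>
</soap:Envelope>
"""

# Same request, but the signature is keyed by some other token: the session is
# referenced, yet nothing proves possession of its shared secret.
SAMPLE_WITHOUT_POP = SAMPLE_REQUEST.replace('URI="#sct-1"', 'URI="#some-other-token"')


def inspect_secure_conversation(xml_text):
    """Return a dict describing whether the request meets both requirements.

    ok=True only if a SecurityContextToken is present AND at least one
    ds:Signature keyed by that token signs a resolvable element.
    """
    root = ET.fromstring(xml_text)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return {"ok": False, "reason": "no wsse:Security header"}

    sct = security.find("wsc:SecurityContextToken", NS)
    if sct is None:
        return {"ok": False, "reason": "no SecurityContextToken"}
    session_id = sct.findtext("wsc:Identifier", default="", namespaces=NS).strip()
    sct_id = sct.get(WSU_ID)

    # Map every wsu:Id in the envelope so "#ref" URIs can be resolved.
    ids = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}

    signed = []
    for sig in security.findall("ds:Signature", NS):
        key_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        if key_ref is None or key_ref.get("URI", "").lstrip("#") != sct_id:
            continue  # keyed by something else; not proof of possession of this session
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            target = ids.get(ref.get("URI", "").lstrip("#"))
            if target is not None:
                signed.append(target.tag)

    if not signed:
        return {"ok": False, "reason": "no element signed with the session shared secret"}
    return {
        "ok": True,
        "session_id": session_id,          # what ${inboundSC.session.id} would carry
        "signed": signed,                  # qualified tags of the signed elements
        # The assertion does not check timestamps; pair it with replay protection.
        "has_timestamp": security.find("wsu:Timestamp", NS) is not None,
    }


if __name__ == "__main__":
    print(inspect_secure_conversation(SAMPLE_REQUEST))
    print(inspect_secure_conversation(SAMPLE_WITHOUT_POP))
```

The second sample fails the check even though it carries a valid-looking SecurityContextToken: referencing an established session is not enough, the signature must be keyed by that session's shared secret. The has_timestamp field is reported but not enforced, mirroring the note above that stale-message protection comes from the Protect Against Message Replay assertion rather than from this one.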
Using the Assertion
  • Add the assertion to the policy development window as described in Adding an Assertion.
The assertion is added to the policy window; no further configuration is required.