Require WS-Security Signature Credentials Assertion
The Require WS-Security Signature Credentials assertion allows you to require that the web service or XML application target message:
- Includes an X.509 BinarySecurityToken containing a client certificate
- Has at least one element signed with the private key of that client certificate, as proof of possession of the key
The Require WS-Security Signature Credentials assertion is a credential source that saves the certificate from the X.509 BinarySecurityToken for later authorization via the Authenticate User or Group or Authenticate Against Identity Provider assertions. This assertion can be used in tandem with the Protect Against Message Replay, Sign Element, and Encrypt Element assertions.
The Require WS-Security Signature Credentials assertion supports version 1.0 of the WS-Security standard. The Gateway creates and uses X.509 v3 certificates.
The Require WS-Security Signature Credentials assertion, by itself, does not require that the request message contain a timestamp, and does not check the validity of any timestamp that might be present. To protect against stale or replayed messages, use the Require WS-Security Signature Credentials assertion with the Protect Against Message Replay Assertion.
To learn about selecting the target message for this assertion, see Select a Target Message.
To learn more about changing the WSS Recipient for this assertion, see Change the WSS Assertion Recipient.
Using the Assertion
- Do one of the following:
- To add the assertion to the Policy Development window, see Adding an Assertion.
- To change the configuration of an existing assertion, proceed to step 2 below.
- Right-click <target>: Require WS-Security Signature Credentials in the policy window and select WS-Security Signature Properties, or double-click the assertion in the policy window.
- Configure the properties as follows:
  WS-Security Signature settings:
  - Allow multiple signatures: Select this check box to permit multiple signatures in the target message. Clear the check box to disallow multiple signatures. If this check box is not selected and multiple signatures are present, the assertion fails. For more information, see Multiple X.509 Signatures in Policies.
  - Signature Element Variable: To pick a particular signature to use for authentication, first use an XPath assertion (for example, Evaluate Request XPath or Evaluate Response XPath) to set a context variable that restricts the signatures to be processed, then enter that context variable in the Signature Element Variable field. The following is a simple example of an XPath expression that selects the signature in the header:
    /soapenv:Envelope/soapenv:Header/wsse:Security/ds:Signature
    The ".element" variable is not compatible with the Require WS-Security Signature Credentials assertion; use the ".elements" variable instead. For more information about the XPath context variables, see the Evaluate Request XPath and Evaluate Response XPath assertions.
  - Signature Reference Element Variable: Enter a context variable that will be used to select a signature by (one or more) elements that it signs. This variable may be used in addition to the Signature Element Variable. The Signature Element Variable identifies the set of acceptable signatures (all signatures in the message if the variable is not set); the Signature Reference Element Variable further restricts that set to signatures that cover the desired elements (if the variable was set previously using XPath assertions). Specifying a Signature Reference Element Variable does not validate the signature reference; it is used only for signature selection. The Require Signed Element assertion is still required to verify that the correct message parts are signed.
- Click [OK]
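The following is an added example, not code from the Gateway or from this documentation. It mirrors, on a constructed SOAP request, the two requirements listed at the top of this page (an X.509 BinarySecurityToken, and at least one signature made with that token's certificate) and the three settings above (Allow multiple signatures, Signature Element Variable, Signature Reference Element Variable). It selects signatures only; it does not verify the XML signatures cryptographically and, like the assertion itself, it does not check the wsu:Timestamp. The message, its certificate value and its digest and signature values are constructed placeholders, and the function and constant names are the author's own. Because Python's ElementTree supports only a subset of XPath, the selection expressions are relative paths (`./...`, `.//...`) rather than the absolute `/soapenv:Envelope/...` form shown above.

```python
"""Added example: mirrors the signature-selection rules of the Require
WS-Security Signature Credentials assertion on a constructed SOAP message.
This is illustrative code, not the Gateway's implementation. It does NOT
verify the XML signatures cryptographically and does NOT check the
wsu:Timestamp (that is what Protect Against Message Replay is for)."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# One ds:Signature over the element whose wsu:Id is {uri}; digest and signature
# values are placeholders because nothing here is verified cryptographically.
SIG = """<ds:Signature>
 <ds:SignedInfo><ds:Reference URI="#{uri}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
 <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
 <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509Token" ValueType="{vt}"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature>"""

# Constructed request: an X.509 BinarySecurityToken plus two signatures, one over
# the Body and one over the Timestamp, both referencing the token's certificate.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soapenv:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="Timestamp"><wsu:Created>2024-05-01T12:00:00Z</wsu:Created><wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
  <wsse:BinarySecurityToken wsu:Id="X509Token" ValueType="{vt}">MIIC...placeholder-not-a-real-certificate...</wsse:BinarySecurityToken>
  {sig_body}
  {sig_ts}
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="Body"><q:getQuote xmlns:q="urn:example:quotes"><q:symbol>CA</q:symbol></q:getQuote></soapenv:Body>
</soapenv:Envelope>""".format(sig_body=SIG.format(uri="Body", vt=X509V3),
                              sig_ts=SIG.format(uri="Timestamp", vt=X509V3),
                              vt=X509V3, **NS)


def signed_ids(sig):
    """wsu:Id values (without the leading '#') that a ds:Signature covers."""
    return [r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]


def token_id_for(sig):
    """wsu:Id of the security token the signature's KeyInfo points to, or None."""
    ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    return ref.get("URI", "").lstrip("#") if ref is not None else None


def require_signature_credentials(xml_text, allow_multiple=False,
                                  signature_xpath=None, reference_xpath=None):
    """Return, for each selected signature, the list of wsu:Ids it covers.
    Raises ValueError wherever the assertion would fail."""
    root = ET.fromstring(xml_text)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header in the target message")
    # Requirement 1: an X.509 BinarySecurityToken carrying the client certificate.
    tokens = {t.get(WSU_ID) for t in security.findall("wsse:BinarySecurityToken", NS)
              if t.get("ValueType") == X509V3}
    if not tokens:
        raise ValueError("no X.509 BinarySecurityToken")
    # Signature Element Variable: the set of acceptable signatures (all if unset).
    if signature_xpath:
        candidates = root.findall(signature_xpath, NS)
    else:
        candidates = security.findall("ds:Signature", NS)
    # Signature Reference Element Variable: keep only signatures covering one of the
    # selected elements. This is selection only; it does not prove those parts are signed.
    if reference_xpath:
        wanted = {e.get(WSU_ID) for e in root.findall(reference_xpath, NS)}
        candidates = [s for s in candidates if wanted & set(signed_ids(s))]
    # Requirement 2: the signature must be made with the certificate in the token.
    selected = [s for s in candidates if token_id_for(s) in tokens]
    if not selected:
        raise ValueError("no signature made with the client certificate")
    # Allow multiple signatures: when cleared, more than one signature is a failure.
    if len(selected) > 1 and not allow_multiple:
        raise ValueError("multiple signatures present and 'Allow multiple signatures' is not set")
    return [signed_ids(s) for s in selected]
```

With the constructed message, the default settings fail because two signatures are present; setting Allow multiple signatures returns both, and a Signature Reference Element Variable of `.//soapenv:Body` or `.//wsu:Timestamp` narrows the selection to the one signature covering that part. A real deployment still needs Require Signed Element to prove the right parts are signed and Protect Against Message Replay to validate the timestamp.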