Require WS-Security Signature Credentials Assertion

The Require WS-Security Signature Credentials assertion allows you to require that the web service or XML application target message:
  • Includes an X.509 BinarySecurityToken containing a client certificate
  • Has at least one element signed with that client certificate's private key, as proof that the sender possesses the private key for the client certificate.
The Require WS-Security Signature Credentials assertion is a credential source that saves the certificate from the X.509 BinarySecurityToken for later authorization via the Authenticate User or Group or Authenticate Against Identity Provider assertions. This assertion can be used in tandem with the Protect Against Message Replay, Sign Element, and Encrypt Element assertions.
The Require WS-Security Signature Credentials assertion supports version 1.0 of the WS-Security standard. The Gateway creates and uses X.509 v3 certificates.
The Require WS-Security Signature Credentials assertion, by itself, does not require that the request message contain a timestamp, and does not check the validity of any timestamp that might be present. To protect against stale or replayed messages, use the Require WS-Security Signature Credentials assertion together with the Protect Against Message Replay assertion.
To learn about selecting the target message for this assertion, see Select a Target Message.
To learn more about changing the WSS Recipient for this assertion, see Change the WSS Assertion Recipient.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click <target>: Require WS-Security Signature Credentials in the policy window and select WS-Security Signature Properties, or double-click the assertion in the policy window.
  3. Configure the properties as follows (WS-Security Signature settings). Each setting is listed with its description:
    Allow multiple signatures
    Select this check box to permit multiple signatures in a policy.
    Clear the check box to disallow multiple signatures. If this check box is not selected and multiple signatures are present, then the assertion will fail.
    For more information, see Multiple X.509 Signatures in Policies.
    Signature Element Variable
    To pick a particular signature to use with an authentication, ensure that an XPath assertion (for example, Sign Element, Encrypt Element) has been used to set a context variable to restrict the processed signatures. Then enter the context variable in the Signature Element Variable field.
    The following is a simple example of an XPath expression containing signature information in the header:
    /soapenv:Envelope/soapenv:Header/wsse:Security/ds:Signature[1]
    The ".element" variable is not compatible with the Require WS-Security Signature Credentials assertion; use the ".elements" variable instead. For more information about the XPath context variables, see the Evaluate Request XPath and Evaluate Response XPath assertions.
    Signature Reference Element Variable
    Enter a context variable that will be used to select the signature by (one or more) elements that it signs. This variable may be used in addition to the Signature Element Variable.
    The Signature Element Variable identifies the set of acceptable signatures (which is all signatures in the message if the variable is not set). The Signature Reference Element Variable further restricts that set of signatures to ones that have signed the desired elements (if the variable was set previously using XPath assertions).
    Specifying a Signature Reference Element Variable does not validate the signature reference; it is used only for signature selection. The Require Signed Element assertion is still required to verify that the correct message parts are signed.
  4. Click [OK] when done.
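The following added example (not Gateway code, and not part of the original page) models the selection logic the settings above describe, so that the effect of each setting can be seen on a concrete message. It parses a constructed SOAP request carrying one X.509 BinarySecurityToken and two signatures made with it, then applies the "Allow multiple signatures" flag, a set of acceptable signatures standing in for the Signature Element Variable (modelled as wsu:Id values, which is an assumption; the Gateway variable holds XPath-selected elements), and a set of required signed elements standing in for the Signature Reference Element Variable. The namespace URIs and the X509v3 ValueType are the standard WS-Security 1.0 values; the token and signature values are placeholders, and cryptographic verification of the SignatureValue is deliberately left out.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for SOAP 1.1, WS-Security 1.0 and XML Signature.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample request (not a real capture): one X.509 BinarySecurityToken and
# two signatures that reference it. SIG-1 covers the Body and the Timestamp, SIG-2
# covers only the Timestamp. Certificate and signature values are placeholders.
SAMPLE_MESSAGE = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <soapenv:Header>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">PLACEHOLDER-BASE64-CERT</wsse:BinarySecurityToken>
      <ds:Signature wsu:Id="SIG-1">
        <ds:SignedInfo><ds:Reference URI="#Body"/><ds:Reference URI="#TS-1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
      <ds:Signature wsu:Id="SIG-2">
        <ds:SignedInfo><ds:Reference URI="#TS-1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
        <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="Body"><getQuote>ACME</getQuote></soapenv:Body>
</soapenv:Envelope>"""


def parse_security_header(xml_text):
    """Return (tokens, signatures): X.509 BSTs keyed by wsu:Id, and one dict per
    ds:Signature holding its wsu:Id, the wsu:Ids it references, and the token it uses."""
    root = ET.fromstring(xml_text)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return {}, []
    tokens = {
        bst.get(WSU_ID): (bst.text or "").strip()
        for bst in security.findall("wsse:BinarySecurityToken", NS)
        if bst.get("ValueType") == X509V3
    }
    signatures = []
    for sig in security.findall("ds:Signature", NS):
        refs = {r.get("URI", "").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        key = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        signatures.append({
            "id": sig.get(WSU_ID),
            "references": refs,
            "token_id": key.get("URI", "").lstrip("#") if key is not None else None,
        })
    return tokens, signatures


def select_signatures(signatures, signature_ids=None, required_refs=None):
    """Model the two selection variables. signature_ids stands in for the Signature
    Element Variable (None = every signature is acceptable); required_refs stands in
    for the Signature Reference Element Variable (a signature must cover all of them).
    This is selection only; it does not validate the references themselves."""
    chosen = [s for s in signatures if signature_ids is None or s["id"] in signature_ids]
    if required_refs:
        chosen = [s for s in chosen if set(required_refs) <= s["references"]]
    return chosen


def check_signature_credentials(xml_text, allow_multiple=False, signature_ids=None, required_refs=None):
    """Return (ok, reason, certificate). The message needs an X.509 BST and at least
    one selected signature made with it; several selected signatures fail unless
    allow_multiple is set. SignatureValue verification is out of scope here."""
    tokens, signatures = parse_security_header(xml_text)
    if not tokens:
        return False, "no X.509 BinarySecurityToken", None
    chosen = [s for s in select_signatures(signatures, signature_ids, required_refs)
              if s["token_id"] in tokens]
    if not chosen:
        return False, "no acceptable signature made with the client certificate", None
    if len(chosen) > 1 and not allow_multiple:
        return False, "multiple signatures present and not allowed", None
    return True, "ok", tokens[chosen[0]["token_id"]]


if __name__ == "__main__":
    print(check_signature_credentials(SAMPLE_MESSAGE))
    print(check_signature_credentials(SAMPLE_MESSAGE, required_refs={"Body"}))
```

Run as-is, the first call fails because both signatures are acceptable and multiple signatures are not allowed; restricting the selection to signatures that cover the Body leaves only SIG-1, and the certificate from the token is returned as the credential. As the page notes, a signature being selected this way says nothing about whether the right parts are signed; that check belongs to a separate Require Signed Element assertion.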