Multiple X.509 Signatures in Policies
The can create or validate multiple signatures in a message with multiple identities involved.
API Gatewaycan create or validate multiple signatures in a message with multiple identities involved.
API Gateway- XML VPN Client does not support multiple signatures in a message. Service consumption will always fail when there are multiple signatures in the response/request.
When multiple signatures are in use, there is more than one identity responsible for the contents of a message. A policy must be constructed in a way to indicate which identity is responsible for signing the various parts of a message. The signing identities may originate from different identity providers, for example:
At least one assertion must evaluate to true: User: Alice [Internal Identity Provider] User: Bob [Internal Identity Provider] Member of Group: Service Users [My Federated Provider]
In the example above, the policy is indicating that any of the identities ("Alice", "Bob", or "Service Users") are permitted as the signing identity.
There may be instances where it is not possible to distinguish between multiple signing identities, or when one of the identities does not correspond to an existing Group or Identity Provider. In this case, identity tagging can be used during authentication:
At least one assertion must evaluate to true: User: Alice [Internal Identity Provider] as "user" User: Bob [Internal Identity Provider] as "user" Member of Group: Service Users [My Federated Provider] as "user"
In the example above, the identity tag is "user". Here is another example:
Authenticate against: My Federated Provider as "identity1" Authenticate against: My Federated Provider as "identity2"
Where "identity1" and "identity2" are the identity tags. For more information on using identity tags, see Identity Tags.
To permit multiple X.509 signatures in a policy, you must select the
Allow multiple signaturescheck box in the Require WS-Security Signature Credentials Assertion:
You will also need to set the cluster property wss.processor.allowMultipleTimestampSignatures to "true".
The Require WS-Security Signature Credentials assertion will fail if a message has multiple X.509 signatures but the "Allow multiple signatures" check box is not selected.