WSS Consumer

This policy processes the WS-Security header of a response message.

WSS Consumer acts on the Reference side to ensure that the confidentiality, integrity, and timestamp of a request remain secure. To maintain confidentiality, the response is decrypted at its endpoint. To maintain integrity, the response is verified to carry a valid signature. To track the time of the response, a timestamp is inserted in the response.

To maintain confidentiality, the policy can be configured so that an outbound request is encrypted and an inbound response is decrypted at its endpoint. To maintain integrity, the outbound request can be signed and the signature verified on the inbound response. You can also insert a timestamp in an outbound request and verify the timestamp on the inbound response. You can also attach credentials to the outbound request.

Policy Requirement

Policy          Shared Resource Object Group Types
WSS Consumer      • WSS Authentication
                  • Trust Provider
                  • Identity Provider
                  • AMX Reference Binding Instance (SOAP, SOAP/HTTP, SOAP/JMS)
Select the checkboxes for the required features.
Property            Description
WSS Processor       Required if decryption, signature verification or timestamp
                    verification is needed on the inbound response.
Confidentiality     Encrypt request and/or decrypt response.
Integrity           Sign request and/or verify signature on response.
Timestamp           Set timestamp on request and/or verify timestamp on response.
Credential Mapping  Use supported identity token profiles to insert an identity
                    token into outgoing requests. Select one of the following:
                      1. Username Token Credential Mapping using Identity Provider
                      2. SAML Token based Credential Mapping
Algorithm Suite     Specifies the algorithm suite required for performing
                    cryptographic operations with symmetric or asymmetric key
                    based security tokens. An algorithm suite specifies the
                    actual algorithms and the allowed key lengths.
Digest Algorithm    The algorithm takes as input a message of arbitrary length
                    and produces as output a 128-bit "fingerprint" or "message
                    digest" of the input. The default type is SHA-256; you can
                    select a different type from the drop-down menu.

Property                      Description
WSS Processor                 Specify a Resource Template for WSS Processing.
Confidentiality               Select Encrypt Request and/or Decrypt Response.
Encrypt Request                 1. From the drop-down box, select a Resource Template for encryption.
                                2. Specify a Key Alias.
                              Select which of the following should be encrypted:
                                1. Encrypt Parts: Body and/or Header
                                2. Encrypt Elements: Add elements to be encrypted.
Decrypt Response              No additional configuration required.
Integrity                     Select Sign Request and/or Verify Signature on Response.
Sign Request                  Select a Resource Template for signing.
                              Select which of the following should be signed:
                                1. Sign Parts: Body and/or Header
                                2. Sign Elements: Add elements to be signed.
Verify signature on response  Select from the following options:
                                1. At least some parts or elements in the message should be signed
                                2. Entire message should be signed
                                3. Message header should be signed
                                4. Message body should be signed
Timestamp                     Select from the following:
                                1. Set timestamp on request. Specify time-to-live in seconds.
                                2. Verify timestamp on response.
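As an added example (not TIBCO's code), the following Python checks a response the way the "Verify signature on response" and "Verify timestamp on response" options describe: which wsu:Id values the ds:Reference URIs cover (body, header, both, or at least some part), and whether the signed wsu:Timestamp window contains the current time. The sample envelope is constructed, and the signature value itself is not cryptographically verified, since that needs XML canonicalization and a crypto library; the reading of "entire message" as Header plus Body is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed sample: Body and Timestamp are signed, the Header as a whole is not.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <soap:Header wsu:Id="hdr"><wsse:Security>
  <wsu:Timestamp wsu:Id="ts"><wsu:Created>2024-05-01T10:00:00Z</wsu:Created><wsu:Expires>2024-05-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/><ds:Reference URI="#ts"/></ds:SignedInfo>
   <ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><ok/></soap:Body>
</soap:Envelope>""" % NS

def parse_ts(s):
    """WS-Security timestamps are xsd:dateTime in UTC; return an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def signed_ids(root):
    """wsu:Id values that the ds:Reference URIs in the Security header point at."""
    refs = root.findall("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI", "").lstrip("#") for r in refs}

def signature_coverage(root):
    """The four 'Verify signature on response' options; 'entire message' is
    taken (assumption) to mean both Header and Body are covered."""
    ids = signed_ids(root)
    body, header = root.find("soap:Body", NS), root.find("soap:Header", NS)
    body_ok = body is not None and body.get(WSU_ID) in ids
    header_ok = header is not None and header.get(WSU_ID) in ids
    return {"some_parts": bool(ids), "entire_message": body_ok and header_ok,
            "header": header_ok, "body": body_ok}

def timestamp_valid(root, now):
    """True only if a wsu:Timestamp exists, is itself signed (an unsigned one
    could be altered in transit) and now lies within [Created, Expires]."""
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None or ts.get(WSU_ID) not in signed_ids(root):
        return False
    created = parse_ts(ts.findtext("wsu:Created", namespaces=NS))
    expires = parse_ts(ts.findtext("wsu:Expires", namespaces=NS))
    return created <= now <= expires

def check_response(xml_text, now):
    root = ET.fromstring(xml_text)  # coverage flags and timestamp verdict
    return signature_coverage(root), timestamp_valid(root, now)
```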
Property                                 Description
SAML Token based Credential Mapping        1. From the drop-down list, select a SAML token profile.
                                           2. If you select Sign SAML Assertion, specify the shared
                                              resource for signing the SAML assertion.
                                           3. Enter the SAML issuer name.
                                           4. Select the SAML Assertion Validity.
UsernameToken Credential Mapping         Default Credential Mapping: select this option to map
using identity provider                  credentials using the default mapping. Once selected, you
                                         are prompted to select the name of the Identity Provider.
                                         Exceptions to the Default Credential Mapping: the following
                                         options can be selected to exempt users from the default
                                         credential mapping:
                                           1. Map credentials for authenticated users.
                                           2. Map credentials for anonymous users.
                                           3. Map credentials for users with specified roles.
                                         After one of these options is selected, you are prompted
                                         to enter the name of the Identity Provider.