Applying the SAML SSO Web Profile Authentication Policy

The SAML SSO Web Profile Authentication Policy can be applied as an external policy set using TIBCO Business Studio.

For more information about configuring an external policy set using TIBCO Business Studio, see the "Configuring External Policy Sets with XML" section of the TIBCO ActiveMatrix® Service Grid Composite Development Guide.

The sample policy set SamlSSOWebProfileAuthenticationWithWebApp.policysets is available in the TIBCO_HOME\amx\3.4\samples\policy directory. You can use the sample policy set to apply the SAML SSO Web Profile Authentication Policy. The resource instance name configured in the policy set must exactly match the resource instance name created using the Administrator UI or CLI. For example, see SamlSSOWebProfileAspProp in the following sample policy set.

Sample Policy Set:

<ep:policySetContainer
    xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
    xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
    xmlns:scaext="http://xsd.tns.tibco.com/amf/models/sca/extensions"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009"
    xmlns:tpc="http://xsd.tns.tibco.com/governance/policy/common/2009"
    xmlns:jmsbt="http://xsd.tns.tibco.com/amf/models/sca/bindingtype/jms"
    xmlns:soapbt="http://xsd.tns.tibco.com/amf/models/sca/binding/soap"
    xmlns:webapp="http://xsd.tns.tibco.com/amf/models/sca/implementationtype/webapp"
    xmlns:wssp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:samlwebprofile="http://xsd.tns.tibco.com/trinity/models/auth/samlwebprofile"
    xmlns:rtp="http://xsd.tns.tibco.com/governance/rule/template/2010"
    targetNamespace="http://www.trinity.na.tibco.com">

    <!-- add the policy sets here -->
    <sca:policySet
        name="SamlWebProfileAuthenticationPolicySet"
        provides="scaext:clientAuthentication.basic"
        policyTemplateName="rtp:AuthenticationBySamlSSOWebProfile"
        appliesTo="soapbt:binding.soap.service|webapp:implementation.web">

        <scaext:property mustSupply="true"
            name="SamlSSOWebProfileAspProp"
            type="samlwebprofile:SamlWebProfileConfiguration"
            scaext:simpleValue="SamlSSOWebProfileAsp"/>
        <wsp:Policy>
            <wsp:All>
                <wsp:Policy>
                    <tpa:AuthenticationByJaas>
                        <tpa:SecurityToken>
                            <tpa:ExactlyOne>
                                <tpa:SamlSSOWebProfileToken />
                            </tpa:ExactlyOne>
                        </tpa:SecurityToken>
                        <tpa:SharedResourceLoginModule ResourceInstanceProperty="SamlSSOWebProfileAspProp"/>
                    </tpa:AuthenticationByJaas>
                </wsp:Policy>
            </wsp:All>
        </wsp:Policy>
    </sca:policySet>
</ep:policySetContainer>
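
The exact-match requirement described above can be checked before deployment. The following script is an added example, not part of the TIBCO samples or product tooling. It assumes that scaext:simpleValue carries the resource instance name and that known_instances is a list you export yourself from Administrator; the function name check_policy_sets and the embedded sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URIs copied from the sample policy set on this page.
NS = {
    "sca": "http://www.osoa.org/xmlns/sca/1.0",
    "scaext": "http://xsd.tns.tibco.com/amf/models/sca/extensions",
    "tpa": "http://xsd.tns.tibco.com/governance/policy/action/2009",
}
SIMPLE_VALUE = "{%s}simpleValue" % NS["scaext"]

def check_policy_sets(xml_text, known_instances):
    """Return a list of problems; an empty list means every login module
    resolves to a resource instance name in known_instances (exact match)."""
    problems = []
    root = ET.fromstring(xml_text)
    for ps in root.iter("{%s}policySet" % NS["sca"]):
        name = ps.get("name", "<unnamed>")
        # Assumption: scaext:simpleValue holds the resource instance name.
        props = {p.get("name"): p.get(SIMPLE_VALUE)
                 for p in ps.findall("scaext:property", NS)}
        modules = ps.findall(".//tpa:SharedResourceLoginModule", NS)
        if not modules:
            problems.append(f"{name}: no SharedResourceLoginModule found")
        for m in modules:
            ref = m.get("ResourceInstanceProperty")
            if ref not in props:
                problems.append(f"{name}: property '{ref}' is not declared")
            elif props[ref] not in known_instances:
                problems.append(
                    f"{name}: resource instance '{props[ref]}' not in Administrator list")
    return problems

# Constructed sample: the page's policy set reduced to the elements checked here.
SAMPLE = """<ep:policySetContainer
  xmlns:ep="http://xsd.tns.tibco.com/amf/models/externalpolicy"
  xmlns:sca="http://www.osoa.org/xmlns/sca/1.0"
  xmlns:scaext="http://xsd.tns.tibco.com/amf/models/sca/extensions"
  xmlns:tpa="http://xsd.tns.tibco.com/governance/policy/action/2009">
  <sca:policySet name="SamlWebProfileAuthenticationPolicySet">
    <scaext:property name="SamlSSOWebProfileAspProp"
                     scaext:simpleValue="SamlSSOWebProfileAsp"/>
    <tpa:SharedResourceLoginModule ResourceInstanceProperty="SamlSSOWebProfileAspProp"/>
  </sca:policySet>
</ep:policySetContainer>"""

if __name__ == "__main__":
    print(check_policy_sets(SAMPLE, {"SamlSSOWebProfileAsp"}) or "OK")
    print(check_policy_sets(SAMPLE, {"samlssowebprofileasp"}))  # case differs
```

The comparison is case-sensitive, so a name that differs only in capitalization is reported as a mismatch.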