This section covers Web Service Client (WSC) properties. WSCs both secure outgoing requests sent to Web Service Providers (WSPs) and validate incoming responses from WSPs.
After creating a WSC profile, you access WSC properties in the OpenAM console under Access Control > Realm Name > Agents > Web Service Client > Agent Name.
General properties
- Group
-
For assigning the agent to a previously configured agent group in order to inherit selected properties from the group.
- Password
-
Agent password used when creating the password file and when installing the agent.
- Status
-
Status of the agent configuration.
- Universal Identifier
-
OpenAM identifier for the agent configuration.
Security properties
- Security Mechanism
-
Specifies the mechanism used to secure web service requests.
- STS Configuration
-
Specifies the agent used to secure requests to the Security Token Service. Associated with the STSSecurity Security Mechanism.
- Discovery Configuration
-
Specifies the agent used to secure requests to the Discovery Service. Associated with the LibertyDiscoverySecurity Security Mechanism.
- User Authentication Required
-
Yes means users must authenticate to access the WSC's protected page.
- Preserve Security Headers in Message
-
Yes means the agent preserves SOAP security headers in the request for subsequent processing.
- User Pass Through Security Token
-
Yes means the agent passes along the Security Token from the Subject, rather than generating a token or requesting it from the Security Token Service.
- Liberty Service Type URN
-
Specifies the Universal Resource Name for the Liberty service type used for lookups.
- Credential for User Token
-
Specifies the user name and password credentials shared with the WSP and used to generate a Username Security Token.
- DNS Claim
-
Specifies a Uniform Resource Identifier shared by the WSP and WSC.
SAML Configuration properties
- SAML Attribute Mapping
-
Maps SAML attribute names from the outgoing request to attribute names as retrieved from the SSOToken or the identity repository.
- SAML NameID Mapper Plugin
-
Specifies the class name of a plugin used to perform SAML account mapping.
- SAML Attributes Namespace
-
Identifies the attribute namespace used when generating SAML assertions.
- Include Memberships
-
Yes means the agent includes the principal's membership as a SAML attribute.
Signing and Encryption properties
- Is Request Signed Enabled
-
Yes means the agent signs the specified parts of the request with its x509 certificate.
- Signing Reference Type
-
Specifies how the x509 certificate used to sign requests is referenced in the request.
- Is Response Signature Verified
-
Yes means the agent verifies signatures in responses.
- Is Request Encryption Enabled
-
Yes means the agent encrypts the specified parts of outgoing requests.
- Encryption Algorithm
-
Specifies whether to use Advanced Encryption Standard, corresponding to an Encryption Strength of 128, 192, or 256, or to use Triple DES with a key length of 0, 112, or 168.
- Encryption Strength
-
Specifies the key length used for encryption.
- Is Response Decrypted
-
Yes means the agent decrypts the incoming response.
Key Store properties
- Public Key Alias of Web Service Provider
-
Specifies the alias of the certificate in the key store used to sign requests and decrypt responses.
- Private Key Alias
-
Specifies the alias of the certificate in the key store used to verify response signatures and encrypt requests.
- Key Store Usage
-
If you use your own, custom key store, specify how to access it here.
End Points properties
- Web Service Security Proxy End Point
-
If the WSC sends requests through a web service proxy, specify that as the end point here.
- Web Service End Point
-
Specifies the end point to which the WSC sends requests.
Kerberos Configuration properties
- Kerberos Domain Server
-
Specifies the fully qualified domain name of the Kerberos Distribution Center service.
- Kerberos Domain
-
Specifies the Kerberos Distribution Center domain name. For Windows environments this is the domain controller domain name.
- Kerberos Service Principal
-
Specifies the Kerberos principal used by OpenAM, using the form HTTP/openam-fqdn@krb-domain, where openam-fqdn is the fully qualified domain name for OpenAM, and krb-domain is the Kerberos Domain.
- Kerberos Ticket Cache Directory
-
Specifies the directory in which Kerberos Ticket Granting Tickets (TGT) are cached. The kinit command stores the TGT from the KDC here.
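The following consistency check is an added example, not part of OpenAM or its documentation. It cross-checks the Encryption Algorithm and Encryption Strength pairing and the Kerberos Service Principal form described above. It assumes the profile is available as a dictionary keyed by the console labels, that the algorithm is written as "AES" or "Triple DES", and that the strength is an integer; the function name and sample values are hypothetical.

```python
import re

# Algorithm/strength pairs as listed under "Encryption Algorithm".
# The strings "AES" and "Triple DES" are an assumed encoding of that setting.
ALLOWED_STRENGTHS = {
    "AES": {128, 192, 256},
    "Triple DES": {0, 112, 168},
}

# HTTP/openam-fqdn@krb-domain, as described under "Kerberos Service Principal".
PRINCIPAL_RE = re.compile(r"^HTTP/(?P<fqdn>[A-Za-z0-9.-]+)@(?P<realm>[A-Za-z0-9.-]+)$")


def check_wsc_profile(profile):
    """Return a list of findings for a WSC profile given as {label: value}."""
    findings = []
    algorithm = profile.get("Encryption Algorithm")
    strength = profile.get("Encryption Strength")
    if profile.get("Is Request Encryption Enabled") == "Yes":
        allowed = ALLOWED_STRENGTHS.get(algorithm)
        if allowed is None:
            findings.append(f"unknown Encryption Algorithm: {algorithm!r}")
        elif strength not in allowed:
            findings.append(f"Encryption Strength {strength!r} does not match {algorithm}")

    principal = profile.get("Kerberos Service Principal")
    if principal is not None:
        m = PRINCIPAL_RE.match(principal)
        if m is None:
            findings.append("Kerberos Service Principal is not of the form HTTP/openam-fqdn@krb-domain")
        else:
            if "." not in m.group("fqdn"):
                findings.append("host part of Kerberos Service Principal is not fully qualified")
            # Kerberos realm names are case-sensitive, so compare exactly.
            if m.group("realm") != profile.get("Kerberos Domain"):
                findings.append("realm in Kerberos Service Principal differs from Kerberos Domain")
    return findings


# Constructed sample profile (not taken from a real deployment).
SAMPLE = {
    "Is Request Encryption Enabled": "Yes",
    "Encryption Algorithm": "AES",
    "Encryption Strength": 168,
    "Kerberos Domain": "EXAMPLE.COM",
    "Kerberos Service Principal": "HTTP/openam@EXAMPLE.ORG",
}

if __name__ == "__main__":
    for finding in check_wsc_profile(SAMPLE):
        print(finding)
```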

