This section covers Web Service Provider (WSP) properties. WSPs both validate incoming web service requests from Web Service Clients (WSC), and also secure outgoing responses sent back to WSCs.
After creating a WSP profile, you access WSP properties in the OpenAM console under Access Control > Realm Name > Agents > Web Service Provider > Agent Name.
General properties
- Group: For assigning the agent to a previously configured agent group in order to inherit selected properties from the group.
- Password: Agent password used when creating the password file and when installing the agent.
- Status: Status of the agent configuration.
- Universal Identifier: OpenAM identifier for the agent configuration.
Security properties
- Security Mechanism: Specifies the mechanisms allowed to validate the web service request.
- Authentication Chain: Specifies which OpenAM authentication chain consumes the credentials from the web service request to authenticate the WSC.
- Token Conversion Type: Specifies how to convert the incoming token before issuing requests to other WSPs.
- Preserve Security Headers in Message: Yes means the agent preserves SOAP security headers from the request for subsequent processing.
- Detect Message Replay: Yes means the agent checks whether the request is a replay of an earlier request, and if so, rejects the request.
- Detect User Token Replay: Yes means the agent checks whether the user token is a replay from an earlier request, and if so, rejects the request.
- Private Key Type: Specifies the type of key, such as PublicKey, used to verify the request signature.
- Liberty Service Type URN: Specifies the Universal Resource Name for the Liberty service type used for lookups.
- DNS Claim: Specifies a Uniform Resource Identifier shared by the WSP and WSC.
- Credential for User Token: Specifies the user name and password credentials compared with the user name security token in a request.
SAML Configuration properties
- SAML Attribute Mapping: Maps SAML attribute names from the incoming request to attribute names as retrieved from the SSOToken or the identity repository, used to have the Security Token Service generate an appropriate SAML assertion.
- SAML NameID Mapper Plugin: Specifies the class name of a plugin used to perform SAML account mapping.
- SAML Attributes Namespace: Identifies the attribute name space used when generating SAML assertions.
- Include Memberships: Yes means the agent includes the principal's membership as a SAML attribute.
Signing and Encryption properties
- Is Request Signature Verified: Yes means verify signatures in requests.
- Is Response Signed Enabled: Yes means the agent signs the specified parts of the response with its X.509 certificate.
- Signing Reference Type: Specifies how the X.509 certificate used to sign responses is referenced in the response.
- Is Request Decrypted: Yes means do decrypt the specified parts of incoming requests.
- Is Response Encrypted: Yes means do encrypt the outgoing response.
- Encryption Algorithm: Specifies whether to use Advanced Encryption Standard, corresponding to an Encryption Strength of 128, 192, or 256, or to use Triple DES with a key length of 0, 112, or 168.
- Encryption Strength: Specifies the key length used for encryption.
Key Store properties
- Public Key Alias of Web Service Client: Specifies the alias of the certificate in the key store used to verify request signatures and encrypt responses.
- Private Key Alias: Specifies the alias of the certificate in the key store used to sign responses and decrypt requests.
- Key Store Usage: If you use your own custom key store, specify how to access it here.
End Points properties
- Web Service Security Proxy End Point: If the WSC sends requests through a web service proxy, specify that as the end point here.
- Web Service End Point: Specifies the end point to which the WSC sends requests.
Kerberos Configuration properties
- Kerberos Domain Server: Specifies the fully qualified domain name of the Kerberos Distribution Center service.
- Kerberos Domain: Specifies the Kerberos Distribution Center domain name. For Windows environments this is the domain controller domain name.
- Kerberos Service Principal: Specifies the Kerberos principal used by OpenAM, using the form HTTP/openam-fqdn@krb-domain, where openam-fqdn is the fully qualified domain name for OpenAM, and krb-domain is the Kerberos Domain.
- Kerberos Key Tab File: Specifies the Kerberos keytab file using the form openam-host.HTTP.keytab, where openam-host is the host name for OpenAM.
- Verify Kerberos Signature: Yes means the agent signs the Kerberos token.
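The properties above depend on one another: signing responses or decrypting requests needs the Private Key Alias, verifying request signatures or encrypting responses needs the Public Key Alias of the Web Service Client, the Encryption Strength must match the chosen Encryption Algorithm, and the Kerberos principal and keytab names follow the forms given. The checker below is an added example (not OpenAM code); the dictionary keys are descriptive names chosen here, not OpenAM's internal attribute names, and the sample profile is constructed.

```python
import re

# (algorithm, strength) pairs as listed under Encryption Algorithm / Encryption Strength
VALID_STRENGTHS = {"AES": {128, 192, 256}, "TripleDES": {0, 112, 168}}

# Kerberos Service Principal form: HTTP/openam-fqdn@krb-domain
PRINCIPAL_RE = re.compile(r"^HTTP/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+$")


def check_wsp_profile(p):
    """Return a list of consistency problems found in a WSP profile dict.

    Keys are hypothetical descriptive names, not OpenAM attribute names.
    """
    problems = []
    # Private key is needed to sign responses or decrypt requests.
    if (p.get("response_signed") or p.get("request_decrypted")) and not p.get("private_key_alias"):
        problems.append("Private Key Alias required to sign responses or decrypt requests")
    # WSC public key is needed to verify request signatures or encrypt responses.
    if (p.get("request_signature_verified") or p.get("response_encrypted")) and not p.get("wsc_public_key_alias"):
        problems.append("Public Key Alias of Web Service Client required to verify signatures or encrypt responses")
    # Encryption Strength must be one of the lengths valid for the chosen algorithm.
    if p.get("response_encrypted") or p.get("request_decrypted"):
        alg, strength = p.get("encryption_algorithm"), p.get("encryption_strength")
        allowed = VALID_STRENGTHS.get(alg)
        if allowed is None:
            problems.append(f"unknown Encryption Algorithm {alg!r}")
        elif strength not in allowed:
            problems.append(f"Encryption Strength {strength} not valid for {alg}")
    # Kerberos names must follow HTTP/openam-fqdn@krb-domain and openam-host.HTTP.keytab.
    if p.get("kerberos_service_principal") or p.get("kerberos_keytab"):
        if not PRINCIPAL_RE.match(p.get("kerberos_service_principal") or ""):
            problems.append("Kerberos Service Principal must have the form HTTP/openam-fqdn@krb-domain")
        if not (p.get("kerberos_keytab") or "").endswith(".HTTP.keytab"):
            problems.append("Kerberos Key Tab File should follow the form openam-host.HTTP.keytab")
    return problems


SAMPLE_PROFILE = {  # constructed sample; the WSC public key alias is deliberately left empty
    "response_signed": True,
    "request_signature_verified": True,
    "response_encrypted": True,
    "request_decrypted": False,
    "private_key_alias": "wsp-signing-key",
    "wsc_public_key_alias": "",
    "encryption_algorithm": "AES",
    "encryption_strength": 192,
    "kerberos_service_principal": "HTTP/openam.example.com@EXAMPLE.COM",
    "kerberos_keytab": "openam.HTTP.keytab",
}

if __name__ == "__main__":
    for problem in check_wsp_profile(SAMPLE_PROFILE):
        print("problem:", problem)
```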

