Legacy WS-Trust 1.3 SecurityTokenService facade

The WS-Trust 1.3 facade is superseded by the WS-Trust 1.4 SecurityTokenService facade "). Therefore, do not use this legacy WS-Trust 1.3 facade in new or updated setups.

The legacy WS-Trust facade to the authentication engine implements a subset of the WS-Trust 1.3 specification, namely the RequestSecurityToken operation of the SecurityTokenService.

This authentication is non-interactive, i.e., one-shot and stateless from the point of view of nevisAuth. Once the authentication is completed and the requested token created and returned to the requester, the new session in the nevisAuth will be dropped. There is no equivalent for the stepup, unlock or logout operations.

A security token can be requested either on behalf of another security token (which has to be presented in the RequestSecurityToken request message), or based on the SSL client certificate used to establish the mutually authenticated transport to the web service.

The WSDL that describes the WS-Trust AuthEngine facade can be found under the URL http://docs.oasis-open.org/ws-sx/ws-trust/200512.

This facade uses a patched version to support the JAXWS/JAXB binding framework because programming with the "any" type is very inconvenient otherwise. This version also includes the addendum corrections of the namespaces according to the WS-Trust 1.3 specification. The above WSDL and XSD definitions do not include these corrections yet. The corrections include the following namespace changes:

wst (old):  `http://docs.oasis-open.org/ws-sx/ws-trust/200512/`
wst (new):  `http://docs.oasis-open.org/ws-sx/ws-trust/200512`
wsdl (old): `http://docs.oasis-open.org/ws-sx/ws-trust/200512/`
wsdl (new): `http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl`

For backward compatibility, this facade is enabled by setting the system property ch.nevis.esauth.wstrust.SecurityTokenService.Enabled to "true", but only if no WebService element is configured in the nevisAuth configuration file. To enable the legacy WS-Trust facade in parallel to other configured WebServices, configure the following:

<WebService name="LegacySTS" SSODomain="WSTrust"
        class="ch.nevis.esauth.auth.adapter.wstrust.LegacySecurityTokenService"
        uri="/nevisauth/services/SecurityTokenService" />

Configured in this way, the legacy WS-Trust facade may be mapped to any URI, subject to the same requirements as any WebService "). The facade takes no configuration properties and does not consider configured mappings or methods.

OnBehalfOf authentication

The SecurityTokenService accepts the following types of tokens for OnBehalfOf authentication:

Token Type	Description
wsse:UsernameToken	A textual security token containing a username and a password.Username and password are mapped to the well-known input arguments isiwebuserid and isiwebpasswd, for instance for use by the LDAP plug-in described in UseridPasswordAuthenticateState.
wsse:BinarySecurityToken	A binary security token, containing an X.509 certificate. The value type of the binary security token must be wsse:X509v3.The X.509 certificate is made available to authentication engine, for instance for use by the X.509 plug-in described in X.509 authentication AuthState.To use the certificates transmitted in OnBehalfOf structures as client certificates in authentication procedures, the system property ch.nevis.esauth.wstrust.SecurityTokenService.ClientCertSource must be set to "OnBehalfOf".

Transport authentication

The SecurityTokenService also accepts the SSL client certificate of the mutually authenticated transport as user certificate.

To use the transport layer certificate as client certificate in authentication procedures, the system property ch.nevis.esauth.wstrust.SecurityTokenService.ClientCertSource must be set to "transport". This is the case in the default configuration.

Token type and domain selection

The nevisAuth WS-Trust service implementation allows to select the required authentication domain from the client via the AppliesTo element's domain attribute as well as the token type to return.

Token Type	Returns
http://nevis.ch/nevisauth/xsd/secToken#CSSO-1.0	wsse:BinarySecurityToken with value type "nevis:secToken".Base64 decoding the value returns a string that can be verified using the jcan-sectoken library.
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3	wsse:BinarySecurityToken with value type "wsse:X509v3".Base64 decoding the result returns a " for the certificate generator plug-in.
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	saml2:AssertionThis token type requires the configuration of a SAML IdentityProviderState with the out.binding attribute set to "internal-assertion".

An example of a domain selection to address a nevisAuth authentication domain (SOAP transport level view) follows:

<soapenv:Envelope
        xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:ns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:oas="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:oas1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:pol="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <soapenv:Header />
    <soapenv:Body>
        <ns:RequestSecurityToken>
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" domain="WSTrust" />
            <ns:TokenType>http://nevis.ch/nevisauth/xsd/secToken#CSSO-1.0</ns:TokenType>
            <ns:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</ns:RequestType>
            <ns:OnBehalfOf>
                <oas:UsernameToken>
                    <oas:Username>bootstrap</oas:Username>
                    <oas:Password>Generated1!</oas:Password>
                </oas:UsernameToken>
            </ns:OnBehalfOf>
        </ns:RequestSecurityToken>
    </soapenv:Body>
</soapenv:Envelope>