WS-Trust 1.4 SecurityTokenService facade
The WS-Trust 1.4 SecurityTokenService is a generic implementation of the WS-Trust 1.4 OASIS standard. It replaces the previous legacy WS-Trust facade and should be used in all new and updated setups. It is more generic, conforms to the OASIS specification and supports features new to version 1.4.
The service supports interactive negotiations as specified in chapter 8.3 "User Interaction Challenges" of the specification. The implementation automatically translates nevisAuth GUIs into matching wst14:InteractiveChallenge structures and incoming wst14:InteractiveChallengeResponse elements into the appropriate inargs. An interactive challenge is sent to the WS-Trust client if information required to complete the authentication process is missing. Additionally, info and error messages can be sent to the client, for example if the wrong input was provided.
The following tables list the mappings from InteractiveChallengeResponse structures to inargs and context parameters, as well as from outgoing GUI elements to InteractiveChallenges (see the tables "InteractiveChallengeResponse - Mappings" and "GUI Element - InteractiveChallenge"):
InteractiveChallengeResponse | Inargs/Context parameter | Description |
---|---|---|
<wst14:ContextData RefId="SessionId" value="12345"/> | sess:id = "12345" | The session ID that indicates which user is sending the request. |
<wst14:ContextData RefId="ClientId" value="54321"/> | client Id = "54321" | The client ID that can be set as an alternative to the session ID. |
<wst14:TextChallengeResponse RefId="isiwebuserid" value="thomas"/> | inargs:isiwebuserid = "thomas" | The value of the text challenge is mapped to an inarg with the same name as specified in the RefId attribute. |
<wst14:ChoiceChallengeResponse RefId="checkBoxChoices"> <wst14:ChoiceSelected RefId="firstCheckBox"/> <wst14:ChoiceSelected RefId="secondCheckBox"/> </wst14:ChoiceChallengeResponse> | inargs:checkBoxChoices = "firstCheckBox,secondCheckBox" | The values of a checkbox or radio box are mapped from the ChoiceChallengeResponse to inargs. |
GUI Element | InteractiveChallenge | Description |
---|---|---|
<Gui label="login.uidpw.label" name="AuthUidPwDialog" language="en"> | <wst14:Title RefId="AuthUidPwDialog" language="en">login.uidpw.lab</wst14:Title> | The label, name and language of a GUI element are mapped to the wst14:Title element. |
<GuiElem name="lasterror" type="error" label="${notes:lasterrorinfo}" value="${notes:lasterror}"/> | <wst14:Title RefId="lasterror" Label="${notes.lasterrorinfo}" type="error">${notes:lasterror}</wst14:Title> | Errors are mapped to wst14:Title elements with type="error". |
<GuiElem name="lastinfo" type="info" label="${notes:lastinfo}" value="Your password will expire soon"/> | <wst14:Title RefId="lastinfo" Label="${notes.lastinfo}" type="info">Your password will expire soon</wst14:Title> | Info messages are mapped to wst14:Title elements with type="info". |
<GuiElem name="isiwebuserid" type="text" label="userid.label" value="" length="30"/> | <wst14:TextChallenge RefId="isiwebuserid" Label="userid.label" MaxLen="30"/> | GUI elements of type "text" are mapped to wst14:TextChallenge elements. |
<GuiElem name="isiwebpasswd" type="pw-text" label="password.label" value=""/> | <wst14:TextChallenge RefId="isiwebpasswd" Label="password.label" HideText="true"/> | GUI elements of type "pw-text" are mapped to wst14:TextChallenge elements with the HideText attribute set to "true". |
<GuiElem name="hiddenText" type="hidden" value="secret"/> | <wst14:ContextData RefId="hiddenText"></wst14:ContextData> | GUI elements of type "hidden" are mapped to wst14:ContextData elements with the HideText attribute set to "true". |
<GuiElem name="checkBoxChoices" type="checkbox" value="firstCheckBox" label="check1.label"/> <GuiElem name="checkBoxChoices" type="checkbox" value="secondCheckBox" label="check2.label"/> | <wst14:ChoiceChallenge RefId="checkBoxChoices"> <wst14:Choice RefId="firstCheckBox" Label="check1.label"/> <wst14:Choice RefId="secondCheckBox" Label="check2.label"/> </wst14:ChoiceChallenge> | Checkbox elements are mapped to ChoiceChallenge elements. The values are child elements called Choice. |
<GuiElem name="radioButtonList" type="radio" value="firstRadioButton" label="radio1.label"/> <GuiElem name="radioButtonList" type="radio" value="secondRadioButton" label="radio2.label"/> | <wst14:ChoiceChallenge RefId="radioButtonList" ExactlyOne="true"> <wst14:Choice RefId="firstRadioButton" Label="radio1.label"/> <wst14:Choice RefId="secondRadioButton" Label="radio2.label"/> </wst14:ChoiceChallenge> | Radio buttons are mapped to ChoiceChallenge elements. The values are child elements called Choice. The attribute ExactlyOne is set to "true". |
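The response-to-inargs direction of the first table, written out as an added Python example (not nevisAuth code) that also applies the ExactlyOne rule from the radio-button row. The ISSUED bookkeeping of which challenge was sent, the WS-Trust 1.4 namespace URI, and the sample response are assumptions constructed here; the point is that only RefIds belonging to the issued challenge, and only offered choices, are turned into inargs.

```python
import xml.etree.ElementTree as ET

WST14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # WS-Trust 1.4 namespace
NS = {"wst14": WST14}
CONTEXT_KEYS = {"SessionId": "sess:id", "ClientId": "client Id"}  # key names as in the table

# Hypothetical bookkeeping of the challenge that was issued (not a nevisAuth API):
# RefId -> (kind, allowed choices, ExactlyOne flag), built from the GUI table rows.
ISSUED = {
    "isiwebuserid": ("text", None, False),
    "checkBoxChoices": ("choice", {"firstCheckBox", "secondCheckBox"}, False),
    "radioButtonList": ("choice", {"firstRadioButton", "secondRadioButton"}, True),
}

# Constructed sample response assembled from the InteractiveChallengeResponse table.
SAMPLE_RESPONSE = f"""<wst14:InteractiveChallengeResponse xmlns:wst14="{WST14}">
  <wst14:ContextData RefId="SessionId" value="12345"/>
  <wst14:TextChallengeResponse RefId="isiwebuserid" value="thomas"/>
  <wst14:ChoiceChallengeResponse RefId="checkBoxChoices">
    <wst14:ChoiceSelected RefId="firstCheckBox"/>
    <wst14:ChoiceSelected RefId="secondCheckBox"/>
  </wst14:ChoiceChallengeResponse>
</wst14:InteractiveChallengeResponse>"""


def response_to_inargs(xml_text, issued=ISSUED):
    """Map the children of an InteractiveChallengeResponse to inargs/context keys.

    RefIds that were not part of the issued challenge are rejected, so a client
    cannot smuggle in arbitrary inargs; choice selections must be a subset of the
    offered choices, and a radio challenge (ExactlyOne) must select exactly one.
    """
    root = ET.fromstring(xml_text)
    params = {}
    for el in root:
        kind = el.tag.rsplit("}", 1)[-1]  # strip the namespace from the tag
        ref = el.get("RefId")
        if kind == "ContextData":
            if ref not in CONTEXT_KEYS:
                raise ValueError(f"unknown context data {ref!r}")
            params[CONTEXT_KEYS[ref]] = el.get("value", "")
        elif kind == "TextChallengeResponse" and issued.get(ref, (None,))[0] == "text":
            params["inargs:" + ref] = el.get("value", "")
        elif kind == "ChoiceChallengeResponse" and issued.get(ref, (None,))[0] == "choice":
            _, allowed, exactly_one = issued[ref]
            picked = [c.get("RefId") for c in el.findall("wst14:ChoiceSelected", NS)]
            if not set(picked) <= allowed or (exactly_one and len(picked) != 1):
                raise ValueError(f"invalid selection {picked} for {ref!r}")
            params["inargs:" + ref] = ",".join(picked)
        else:
            raise ValueError(f"unexpected {kind} with RefId {ref!r}")
    return params
```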
The following table gives an overview of the configuration of the WS-Trust 1.4 SecurityTokenService interface.
Topic | Description |
---|---|
Class | ch.nevis.esauth.auth.adapter.wstrust.SecurityTokenService |
Logging | STS |
Properties | token:<tokenName> and the per-token settings listed below |

- token:<tokenName> (string, -)
- <tokenName>.RequestType (string, defaults to the RequestType of the incoming request)
- <tokenName>.TokenType (string, defaults to the TokenType of the incoming request)
- <tokenName>.Status.Code (string, defaults to the "valid" status code)
- <tokenName>.Status.Reason (string, -)
- <tokenName>.AppliesTo (wsp:AppliesTo element or string, defaults to the AppliesTo of the incoming request)
- <tokenName>.Lifetime (wst:Lifetime element, -)
- <tokenName>.ttl (duration in seconds, -)
- <tokenName>.binary (boolean, false): if "true", the token is sent as a BinarySecurityToken

This property syntax allows one or several tokens to be configured for the response on AUTH_DONE. Various fields may be set for each token. If a field is not defined, its default value is deduced from the incoming request or from the status of the AuthResponse.
Example (authentication with UsernameToken profile, issuing a SAML assertion):

```xml
<WebService
    class="ch.nevis.esauth.auth.adapter.wstrust.SecurityTokenService"
    name="SecurityTokenService-v1.4"
    uri="/nevisauth/services/SecurityTokenService/v14/saml"
    SSODomain="WSTrust">
  <Mapping
      from="xpath://OnBehalfOf/UsernameToken/Username/text()"
      to="isiwebuserid" scope="inargs"/>
  <Mapping
      from="xpath://OnBehalfOf/UsernameToken/Password/text()"
      to="isiwebpasswd" scope="inargs" optional="false"/>
  <Method name="authenticate"/>
  <property name="token:samlToken" value="${outargs:saml.SAMLAssertion}"/>
  <property name="samlToken.AppliesTo" value="https://a.location.com/"/>
</WebService>
```
Example (authentication with UsernameToken profile, responding with a SecToken as BST):

```xml
<WebService
    class="ch.nevis.esauth.auth.adapter.wstrust.SecurityTokenService"
    name="SecurityTokenService-v1.4"
    uri="/nevisauth/services/SecurityTokenService/v14/sectoken"
    SSODomain="WSTrust">
  <Mapping
      from="xpath://OnBehalfOf/UsernameToken/Username/text()"
      to="isiwebuserid" scope="inargs"/>
  <Mapping
      from="xpath://OnBehalfOf/UsernameToken/Password/text()"
      to="isiwebpasswd" scope="inargs" optional="false"/>
  <Method name="authenticate"/>
  <property name="token:secToken" value="${response.signedTokenAsString}"/>
  <property name="secToken.binary" value="true"/>
</WebService>
```