To modify an existing property, select it and then click Edit.

Advanced Administration 14-21

6. Click Apply to apply the property updates.

Defining Identity Extension Properties

The properties on the Identity Extension tab enable you to specify whether to enforce Web service policies by publishing the X509 certificate in the WSDL. If there is no need to publish the X509 certificate (for example, with SSL), you can override the default setting to avoid publishing the certificate. In addition, if the X509 certificate is published, you can also specify whether to ignore the hostname verification feature. For more information, see Using Service Identity Certification Extension on page 10-37.

Defining a Trusted Distinguished Name List for SAML Signing Certificates

The Trusted SAML clients and Trusted STS servers tabs enable you to define a list of trusted distinguished names (DNs) for SAML signing certificates. By default, Oracle WSM checks the incoming issuer name against the list of configured issuers, and checks the SAML signature against the configured certificates in the Oracle WSM keystore. If you define a trusted DNs list, Oracle WSM also verifies that the SAML signature is signed by the particular certificate that is associated with that issuer.

Configuration of the trusted DNs list is optional; it is available for users that require more fine-grained control to associate each issuer with a list of one or more signing certificates. If you do not define a list of DNs for a trusted issuer, then Oracle WSM allows signing by any certificate, as long as that certificate is trusted by the certificates present in the Oracle WSM keystore.

Important Notes:

■ Using the Trusted SAML clients and Trusted STS servers tabs, you define the DNs of the signing certificates, not the certificates themselves.
■ The certificate must be imported into the Oracle WSM keystore or included in the message. If the certificate is provided in the message, its issuer must be imported into the Oracle WSM keystore.
■ For two-way SSL:
– The certificate needs to be imported into the Java EE container’s trust store.
– The DNs of the client SSL certificates are used for validation and need to be present in the trusted DNs list.
■ In all cases, the signing certificates must be trusted by the certificates present in the OWSM keystore.

To define a trusted DNs list for SAML signing certificates:

1. Configure the trusted SAML issuers, as described in Configuring SAML on page 10-43. Optionally, you can override the SAML issuer when attaching the policy. For more information, see Attaching Client Policies Permitting Overrides on page 8-21.

2. Access the Platform Policy Configuration page, as described in Configuring Platform Policy Properties on page 14-15.
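The following Python model is an added illustration of the trust decision described above (issuer check, keystore trust, and the optional per-issuer DN list); it is not Oracle WSM code. The issuer names, DNs and the boolean "trusted by keystore" flag are constructed sample values, and the DN normalization rule is an assumption made for the example, not a description of how Oracle WSM compares DNs.

```python
"""Model of the SAML signing-certificate trust rules described in the text.

Added example, not Oracle WSM code. The keystore chain check is assumed to
happen elsewhere and is represented by a boolean flag on the incoming signer.
"""
from dataclasses import dataclass

# Constructed sample configuration (placeholder issuers, not real deployments).
TRUSTED_ISSUERS = {"idp.example.test", "sts.example.test"}
TRUSTED_DNS_BY_ISSUER = {
    # Fine-grained control: only these signing certificates may sign for this issuer.
    "sts.example.test": [
        "CN=sts-signer-1, OU=IdM, O=Example, C=US",
        "CN=sts-signer-2, OU=IdM, O=Example, C=US",
    ],
    # "idp.example.test" has no DN list: any keystore-trusted certificate is accepted.
}


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: trim whitespace around each RDN and
    lowercase the attribute type. Assumption: a comparison rule chosen for this
    example only; it is not a statement of how Oracle WSM matches DNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


@dataclass
class SamlSigner:
    issuer: str                # Issuer of the incoming SAML assertion
    cert_dn: str               # subject DN of the certificate that produced the signature
    trusted_by_keystore: bool  # certificate (or its issuer) is trusted via the OWSM keystore


def verify_saml_signer(signer: SamlSigner,
                       trusted_issuers=TRUSTED_ISSUERS,
                       dns_by_issuer=TRUSTED_DNS_BY_ISSUER):
    """Return (accepted, reason) by applying the rules from the text:
    1. the issuer must be one of the configured trusted issuers;
    2. the signing certificate must, in all cases, be trusted by the keystore;
    3. if a DN list is configured for the issuer, the signing certificate's DN
       must be on it; if no list exists, any keystore-trusted certificate passes.
    """
    if signer.issuer not in trusted_issuers:
        return False, "issuer is not a configured trusted SAML issuer"
    if not signer.trusted_by_keystore:
        return False, "signing certificate is not trusted by the keystore"
    allowed = dns_by_issuer.get(signer.issuer)
    if allowed is None:
        return True, "no trusted DN list for issuer; keystore-trusted certificate accepted"
    if normalize_dn(signer.cert_dn) in {normalize_dn(d) for d in allowed}:
        return True, "signing certificate DN is on the issuer's trusted DN list"
    return False, "signing certificate DN is not on the issuer's trusted DN list"


if __name__ == "__main__":
    # Constructed incoming signers exercising each branch of the decision.
    samples = [
        SamlSigner("sts.example.test", "cn=sts-signer-1,ou=IdM,o=Example,c=US", True),
        SamlSigner("sts.example.test", "CN=other-signer, OU=IdM, O=Example, C=US", True),
        SamlSigner("idp.example.test", "CN=any-signer, O=Example, C=US", True),
        SamlSigner("idp.example.test", "CN=any-signer, O=Example, C=US", False),
        SamlSigner("unknown.example.test", "CN=sts-signer-1, OU=IdM, O=Example, C=US", True),
    ]
    for s in samples:
        accepted, reason = verify_saml_signer(s)
        print(f"{s.issuer:22} {s.cert_dn:45} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

The second sample shows the point of the DN list: a certificate that the keystore trusts is still rejected for an issuer whose list does not name it, while the same certificate would be accepted for an issuer with no list configured.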