2-78 Securing WebLogic Web Services for Oracle WebLogic Server

2.16.6 SAML Token Profile Policies

The policies shown in Table 2–1 implement WS-Security SAML Token Profile 1.0 and 1.1. Wssp1.2-Wssc200502-Bo otstrap-Wss1.0.xml WS-SecureConversation handshake is protected by WS-Security 1.0. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponse messages are both signed and encrypted. The WS-Addressing headers are signed. Timestamp is included and signed. The algorithm suite is Basic128. Wssp1.2-Wssc200502-Bo otstrap-Wss1.1.xml WS-SecureConversation handshake is protected by WS-Security 1.1. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponse messages are both signed and encrypted. The WS-Addressing headers are signed. Signature and encryption use derived keys from an encrypted key. Note: WebLogic Server Version 10.3 supported SAML Holder of Key for the inbound request only. As of WebLogic Server Version 10.3MP1 and later, both the request and response messages are protected. Table 2–10 WS-Security SAML Token Profile Policies Policy File Description Wssp1.2-2007-Saml1.1-Be arer-Https.xml One-way SSL uses SAML 1.1 token with Bearer confirmation method for Authentication. WebLogic Server supports the SAML 1.1 Bearer confirmation method at the transport level, using Wssp1.2-2007-Saml2.0-Bearer-Https.xml. If you specify a transport-level security policy for your Web service, it must be at the class level. In addition, the transport-level security policy must apply to both the inbound and outbound directions. That is, you cannot have HTTPS for inbound and HTTP for outbound. Wssp1.2-2007-Saml1.1-Se nderVouches-Wss1.0.xml The message is signed and encrypted on both request and response with WSS1.0 asymmetric binding. SAML 1.1 token is sent in the request for authentication with Sender Vouches confirmation method, signed by the X509 token. Wssp1.2-2007-Saml1.1-Se nderVouches-Wss1.1.xml The message is signed and encrypted on both request and response with WSS1.1 X509 symmetric binding. SAML 1.1 token is sent in the request for authentication with Sender Vouches confirmation method, signed by the X509 token. Wssp1.2-2007-Saml2.0-Se nderVouches-Wss1.1.xml The message is signed and encrypted on both request and response with WSS1.1 X509 symmetric binding. SAML 2.0 token is sent in the request for authentication with Sender Vouches confirmation method, signed by the X509 token. Table 2–9 Cont. WS-SecureConversation Policies Policy File Description Configuring Message-Level Security 2-79

2.17 Choosing a Policy