2-78 Securing WebLogic Web Services for Oracle WebLogic Server
Table 2–9 (Cont.) WS-SecureConversation Policies

| Policy File | Description |
|---|---|
| Wssp1.2-Wssc200502-Bootstrap-Wss1.0.xml | WS-SecureConversation handshake is protected by WS-Security 1.0. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponse messages are both signed and encrypted. The WS-Addressing headers are signed. Timestamp is included and signed. The algorithm suite is Basic128. |
| Wssp1.2-Wssc200502-Bootstrap-Wss1.1.xml | WS-SecureConversation handshake is protected by WS-Security 1.1. The application messages are signed and encrypted with DerivedKeys. The soap:Body of the RequestSecurityToken and RequestSecurityTokenResponse messages are both signed and encrypted. The WS-Addressing headers are signed. Signature and encryption use derived keys from an encrypted key. |

2.16.6 SAML Token Profile Policies

The policies shown in Table 2–10 implement WS-Security SAML Token Profile 1.0 and 1.1.

Note: WebLogic Server Version 10.3 supported SAML Holder of Key for the inbound request only. As of WebLogic Server Version 10.3MP1 and later, both the request and response messages are protected.

Table 2–10 WS-Security SAML Token Profile Policies

| Policy File | Description |
|---|---|
| Wssp1.2-2007-Saml1.1-Bearer-Https.xml | One-way SSL uses SAML 1.1 token with Bearer confirmation method for Authentication. WebLogic Server supports the SAML 1.1 Bearer confirmation method at the transport level, using Wssp1.2-2007-Saml2.0-Bearer-Https.xml. If you specify a transport-level security policy for your Web service, it must be at the class level. In addition, the transport-level security policy must apply to both the inbound and outbound directions. That is, you cannot have HTTPS for inbound and HTTP for outbound. |
| Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.0.xml | The message is signed and encrypted on both request and response with WSS1.0 asymmetric binding. SAML 1.1 token is sent in the request for authentication with Sender Vouches confirmation method, signed by the X509 token. |
| Wssp1.2-2007-Saml1.1-SenderVouches-Wss1.1.xml | The message is signed and encrypted on both request and response with WSS1.1 X509 symmetric binding. SAML 1.1 token is sent in the request for authentication with Sender Vouches confirmation method, signed by the X509 token. |
| Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml | The message is signed and encrypted on both request and response with WSS1.1 X509 symmetric binding. SAML 2.0 token is sent in the request for authentication with Sender Vouches confirmation method, signed by the X509 token. |
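The rule stated for the Bearer-Https policy (class level only, both directions) can be checked in JWS source before deployment. The following is an added example, not Oracle code: a Python check over JWS source text. It assumes policies are attached with the weblogic.jws.Policy annotation and a policy: URI, and that transport-level policy files are the ones named *-Https.xml; the service names in the samples are constructed.

```python
import re

POLICY_RE = re.compile(r'@Policy\s*\((?P<args>[^)]*)\)')
URI_RE = re.compile(r'uri\s*=\s*"policy:(?P<file>[^"]+)"')
DIRECTION_RE = re.compile(r'direction\s*=\s*(?:Policy\.)?Direction\.(?P<dir>\w+)')
TYPE_DECL_RE = re.compile(r'\b(?:class|interface)\s+\w+')

def check_transport_policies(jws_source):
    """Return (policy_file, problem) pairs for transport-level @Policy misuse."""
    findings = []
    for match in POLICY_RE.finditer(jws_source):
        uri = URI_RE.search(match.group("args"))
        # Assumption: transport-level policy files are the ones named *-Https.xml.
        if uri is None or not uri.group("file").endswith("-Https.xml"):
            continue
        policy = uri.group("file")
        direction = DIRECTION_RE.search(match.group("args"))
        # With no direction attribute, weblogic.jws.Policy defaults to both.
        if direction and direction.group("dir") != "both":
            findings.append((policy, "direction=%s, must be both" % direction.group("dir")))
        # The annotated declaration is the text up to the next '{' or ';'.
        declaration = re.split(r"[{;]", jws_source[match.end():], maxsplit=1)[0]
        if not TYPE_DECL_RE.search(declaration):
            findings.append((policy, "attached to a method, must be on the class"))
    return findings

# Constructed sample sources (hypothetical service and class names).
BAD_JWS = '''
@WebService(name = "QuotePortType")
public class QuoteImpl {
    @WebMethod
    @Policy(uri = "policy:Wssp1.2-2007-Saml1.1-Bearer-Https.xml",
            direction = Policy.Direction.inbound)
    public String getQuote(String symbol) { return symbol; }
}
'''
GOOD_JWS = '''
@WebService(name = "QuotePortType")
@Policy(uri = "policy:Wssp1.2-2007-Saml1.1-Bearer-Https.xml")
public class QuoteImpl {
    @WebMethod
    public String getQuote(String symbol) { return symbol; }
}
'''

if __name__ == "__main__":
    for name, src in (("BAD_JWS", BAD_JWS), ("GOOD_JWS", GOOD_JWS)):
        print(name, check_transport_policies(src))
```

The check is a text heuristic for code review or CI; it does not parse Java and does not replace WebLogic's own policy validation at deployment.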
2.17 Choosing a Policy