Generate a certificate request to the certificate authority.

Setting Up Your Environment for Policies 10-63

The default is to sign and encrypt the entire body. You can instead specify the individual body elements that you want to sign and encrypt, and you can additionally specify header elements to sign and encrypt. Whatever you set here must match the settings of the policy attached to the Web service.

The Web service's base64-encoded public certificate is published in the WSDL for use by the Web service client, as described in Using Service Identity Certification Extension on page 10-37. By default, the certificate in the WSDL is the service's public key, as determined by the encryption key alias (orakey) that you specified when you configured the Web Services Manager keystore. Therefore, you do not need to set or change keystore.recipient.alias.

You can optionally specify a value for saml.issuer.name on the Configurations page, or override it on a per-client basis using the Security Configuration Details control when you attach the policy. The saml.issuer.name property defaults to www.oracle.com; whatever value you use must be one that the receiving Web service is configured to accept as a trusted issuer. See When to Override the SAML Issuer on page 10-59.

You can specify a value for user.roles.include on the Configurations page, or override it on a per-client basis using the Security Configuration Details control when you attach the policy.

WS-Trust Policies and Configuration Steps

This section describes the predefined WS-Trust policies and how to configure and use them. The following topics are described:

■ Overview of Web Services WS-Trust on page 10-63
■ Setting Up Automatic Policy Configuration for STS on page 10-69
■ Programmatic Configuration Overrides for WS-Trust Client Policies on page 10-74
■ Supported STS Servers on page 10-76
■ Available WS-Trust Policies on page 10-74

Overview of Web Services WS-Trust

The WS-Trust 1.3 specification defines extensions to WS-Security that provide a framework for requesting and issuing security tokens, and for brokering trust relationships.
WS-Trust extensions provide methods for issuing, renewing, and validating security tokens. To secure communication between a Web service client and a Web service, the two parties must exchange security credentials. As defined in the WS-Trust specification, these credentials can be obtained from a trusted Security Token Service (STS), which acts as a trust broker. That is, the STS must be trusted by both the Web service client and the Web service in order to provide interoperable security tokens. This section describes the following topics:

■ How the STS Configuration is Obtained on page 10-64
■ Typical Token Request and Response on page 10-64
■ Example WS-Trust Use Case on page 10-65
■ Token Lifetime on page 10-66
■ What Token Types Are Exchanged? on page 10-66
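The following is an added example, not code from this guide or from Oracle Web Services Manager, showing the two sides of the WS-Trust 1.3 Issue exchange described above from the client's point of view: the RequestSecurityToken (RST) the client sends to the STS, and the checks a client should run on the RequestSecurityTokenResponse (RSTR) before it trusts the returned token. The namespace URIs are the ones defined by WS-Trust 1.3, WS-Security Utility, WS-Addressing, WS-Policy and SAML 2.0; the sample RSTR, the service address and the issuer names are constructed for the example. Only token type, lifetime and issuer are checked here; signature verification of the assertion is assumed to be done by the WS-Security layer and is deliberately left out.

```python
"""WS-Trust 1.3 Issue exchange seen from the Web service client (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"wst": WST, "wsu": WSU, "wsa": WSA, "wsp": WSP, "saml2": SAML2}

ISSUE = WST + "/Issue"                 # wst:RequestType: ask the STS for a new token
KEY_SYMMETRIC = WST + "/SymmetricKey"  # wst:KeyType; alternatives are /PublicKey and /Bearer
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def build_rst(applies_to, token_type=SAML2_TOKEN, key_type=KEY_SYMMETRIC):
    """Client -> STS: RequestSecurityToken asking for a token scoped to the service at applies_to."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    # wsp:AppliesTo names the target Web service; the STS scopes the token to it.
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    ET.SubElement(rst, f"{{{WST}}}KeyType").text = key_type
    return ET.tostring(rst, encoding="unicode")


def sample_rstr(created, expires, issuer="www.oracle.com"):
    """Constructed STS -> client reply for this example (not a captured STS message).
    A real assertion is signed; the signature is omitted here."""
    return f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}" xmlns:wsu="{WSU}" xmlns:saml2="{SAML2}">
  <wst:RequestSecurityTokenResponse>
    <wst:TokenType>{SAML2_TOKEN}</wst:TokenType>
    <wst:Lifetime>
      <wsu:Created>{created:%Y-%m-%dT%H:%M:%SZ}</wsu:Created>
      <wsu:Expires>{expires:%Y-%m-%dT%H:%M:%SZ}</wsu:Expires>
    </wst:Lifetime>
    <wst:RequestedSecurityToken>
      <saml2:Assertion Version="2.0" ID="_example-assertion">
        <saml2:Issuer>{issuer}</saml2:Issuer>
      </saml2:Assertion>
    </wst:RequestedSecurityToken>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""


def wsu_time(text):
    """Parse a wsu:Created/wsu:Expires value such as 2024-05-01T12:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(text.strip().rstrip("Z")).replace(tzinfo=timezone.utc)


def check_rstr(rstr_xml, trusted_issuers, expected_token_type=SAML2_TOKEN, now=None):
    """Client side: validate the STS reply and return the issuer of the accepted token.
    Raises ValueError whenever the token must not be used: wrong token type, lifetime
    not yet started or already expired, or an issuer the client does not trust
    (the STS has to be trusted by both the client and the service)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(rstr_xml)
    # WS-Trust 1.3 wraps Issue responses in a RequestSecurityTokenResponseCollection.
    rstr = root if root.tag == f"{{{WST}}}RequestSecurityTokenResponse" \
        else root.find("wst:RequestSecurityTokenResponse", NS)
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in reply")
    token_type = rstr.findtext("wst:TokenType", default="", namespaces=NS).strip()
    if token_type != expected_token_type:
        raise ValueError(f"STS returned token type {token_type!r}, expected {expected_token_type!r}")
    lifetime = rstr.find("wst:Lifetime", NS)
    if lifetime is None:
        raise ValueError("reply carries no wst:Lifetime")
    created = wsu_time(lifetime.findtext("wsu:Created", default="", namespaces=NS))
    expires = wsu_time(lifetime.findtext("wsu:Expires", default="", namespaces=NS))
    if not created <= now < expires:
        raise ValueError(f"lifetime {created.isoformat()}..{expires.isoformat()} does not cover {now.isoformat()}")
    assertion = rstr.find("wst:RequestedSecurityToken/saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML 2.0 assertion in RequestedSecurityToken")
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        raise ValueError(f"assertion issued by untrusted issuer {issuer!r}")
    return issuer


def demo():
    """Run the happy path and the three rejection cases; returns a dict of outcomes."""
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    good = sample_rstr(t0, t0 + timedelta(minutes=30))
    trusted = {"www.oracle.com"}  # the saml.issuer.name default from this guide
    results = {"issuer": check_rstr(good, trusted, now=t0 + timedelta(minutes=5))}
    cases = [
        ("expired", good, t0 + timedelta(hours=1)),
        ("not_yet_valid", good, t0 - timedelta(minutes=1)),
        ("untrusted_issuer", sample_rstr(t0, t0 + timedelta(minutes=30), issuer="sts.attacker.example"),
         t0 + timedelta(minutes=5)),
    ]
    for name, rstr, now in cases:
        try:
            check_rstr(rstr, trusted, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    print(build_rst("https://example.com/services/Order"))  # constructed service address
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The client-side checks mirror the two trust requirements in the text: the token type and issuer must be what the client's policy expects, and the lifetime the STS put in wst:Lifetime bounds when the token may be presented to the service. Clock skew between client and STS is not tolerated here on purpose; a production client would allow a small window.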