pp108 : Managing Service Group Trust Relation (Deprecated)

This topic provides an overview of grouping service groups into trust relations so that they can exchange signed messages in a secure environment.

SAML and Signed Messages

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization statements between security domains. A SAML assertion is an XML document, issued by an identity provider that follows the SAML standard, that makes statements about the sender (the subject): who it is and how and when it was authenticated. In a SOAP request the assertion is carried in the message header. An assertion may or may not be signed by its issuer. The receiver uses the assertion to authenticate the sender, but it can only verify where the assertion came from, and that it has not been changed, when the assertion is signed.
In highly secure environments, service groups can exchange signed messages. A message is called a signed message when the complete message, or parts of it, are signed with the private key that belongs to a digital certificate; the receiver verifies the signature with the public key in that certificate. A signed message may in turn carry a SAML assertion that is itself signed or unsigned. A SOAP request can therefore:

  • contain a SAML assertion in its header, which may or may not be signed,
  • have parts of it signed,
  • or be signed as a whole.

Usage of Signed Messages in Process Platform

In Process Platform, the certificate of the monitor, called the Monitor Certificate, acts as a Certificate Authority (CA). All service groups are associated with certificates issued by the Monitor Certificate, including the certificate of the Single Sign-On (SSO) service group. The SAML assertions issued by Process Platform are always signed with the SSO certificate. Process Platform can also work with external identity providers.
When a SOAP request is received by a service container, the following verifications are made before the request is processed:

  • If the request contains a SAML assertion and the assertion is signed, the following are checked:
    • the assertion is signed by a trusted party, that is, the signer's certificate chains to a certificate the receiving service group trusts
    • the assertion has not been tampered with, that is, the signature matches the assertion's content
  • If parts of the request are signed, or the entire message is signed, the following are checked:
    • the message is signed by a trusted party
    • the message has not been tampered with

Only if the above criteria are satisfied is the SOAP request processed. Note that an unsigned assertion is not covered by these checks: it gives the receiver no cryptographic evidence of who issued it or that it is intact, so only a signature over the message that carries it, if present, protects it.

Infrastructure for Exchanging Signed Messages

The infrastructure for using signed messages in Process Platform is provided by the Security Administration task.
Service groups must trust an identity provider before they can exchange messages signed with certificates issued by that identity provider. This requires a mechanism to bring together the service groups that trust a particular identity provider, which is achieved by placing the certificate chain of one service group in the trust store of another. Service groups that trust the same identity provider must also trust each other's certificate chains.
Certificates and their certificate chains are kept in repositories called trust stores. For information on managing trust stores, refer to Managing Certificates.
Security Administration provides you, the Process Platform Administrator, with an interface to bring together service groups and to assign certificates to them. A collection of service groups that trust a particular identity provider forms a trust relation. The certificate of the identity provider is associated with the trust relation and must be given an alias that identifies it. For information on creating a collection of service groups, assigning a certificate, and giving the certificate an alias, refer to Creating a group.
Note: For the Service Group Trust settings to come into effect, SSO must be enabled. If SSO is not enabled, the settings in Security Administration are bypassed. For information on enabling SSO, refer to Enabling SSO. These settings likewise come into effect only when WS-Security is enabled.
After a group is created, you may need to add more than one certificate to it. Once an additional certificate is added to the group, every service group that belongs to this trust relation trusts that certificate. For more information on adding a certificate to a group, refer to Adding a certificate to a group.
A default trust relation is needed so that every newly created service group is assigned to it automatically. For more information, refer to Setting a group as a default Trust Relation. You can later move a service group to a different trust relation.
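The following block is an added illustration, not Process Platform code, and models end to end what the two preceding sections describe: a trust relation (a set of service groups plus aliased certificates, with one relation acting as the default), and the checks a container makes on a request whose SAML header, body part or whole envelope is signed (signer chains to a certificate in the receiving service group's trust relation; content matches the signature). Real deployments use X.509 certificates and XML-DSig; here a constructed toy RSA with three-digit primes stands in for them so that the chain walk and signature checks are real computations. The names Monitor, SSO, orders, billing, ExternalIdP and the aliases monitor-ca and external-idp are assumptions, as is the decision to fail closed when SSO is disabled (the page only says the settings are bypassed then).

```python
import hashlib
from dataclasses import dataclass, field

# Added illustration, not Process Platform code. Toy RSA with small primes (constructed,
# NOT secure) stands in for X.509/XML-DSig so the chain walk and signature checks run.
def make_keypair(p, q):
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))              # (public, private)

def _chunks(data, n):                       # SHA-256 digest as 16 chunks of 16 bits, mod n
    d = hashlib.sha256(data).digest()
    return tuple(int.from_bytes(d[i:i + 2], "big") % n for i in range(0, 32, 2))

def sign(priv, data):
    return tuple(pow(c, priv[1], priv[0]) for c in _chunks(data, priv[0]))

def verify(pub, data, signature):
    return tuple(pow(s, pub[1], pub[0]) for s in signature) == _chunks(data, pub[0])

@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    public_key: tuple
    signature: tuple = ()                   # issuer's signature over tbs()
    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.public_key}".encode()

def issue(subject, public_key, issuer, issuer_priv):   # self-signed when issuer is the subject
    tbs = Certificate(subject, issuer, public_key).tbs()
    return Certificate(subject, issuer, public_key, sign(issuer_priv, tbs))

def find_anchor(chain, anchors):
    """Walk a chain (leaf first); return the alias of the trust-store certificate it reaches,
    or None when a link is forged or mismatched or the chain ends at an unknown issuer."""
    for i, cert in enumerate(chain):
        for alias, anchor in anchors.items():
            if cert == anchor or (cert.issuer == anchor.subject and
                                  verify(anchor.public_key, cert.tbs(), cert.signature)):
                return alias
        if i + 1 == len(chain):
            return None
        nxt = chain[i + 1]
        if nxt.subject != cert.issuer or not verify(nxt.public_key, cert.tbs(), cert.signature):
            return None
    return None

@dataclass
class TrustRelation:                        # one entry of the Service Group Trust tab
    certificates: dict                      # alias -> Certificate trusted by all members
    members: set = field(default_factory=set)

@dataclass(frozen=True)
class SignedPart:                           # signed SAML header, signed body part or whole envelope
    name: str
    data: bytes
    chain: tuple                            # signer's certificate chain, leaf first
    signature: tuple

def check_request(relations, sso_enabled, receiving_group, parts):
    """Container checks: every signed part chains to a certificate of the receiving service
    group's trust relation and is untampered. Failing closed with SSO off is an assumption."""
    if not sso_enabled:
        return False, "SSO not enabled: Security Administration settings not in effect"
    relation = next((r for r in relations.values() if receiving_group in r.members), None)
    if relation is None:
        return False, f"{receiving_group} is in no trust relation"
    for part in parts:
        if find_anchor(part.chain, relation.certificates) is None:
            return False, f"{part.name}: signer does not chain to a trusted certificate"
        if not verify(part.chain[0].public_key, part.data, part.signature):
            return False, f"{part.name}: content does not match signature (tampered)"
    return True, "accepted"

def scenario():
    """Constructed walk-through; returns {case: accepted?} for the situations described."""
    mon_pub, mon_priv = make_keypair(131, 137)
    sso_pub, sso_priv = make_keypair(101, 103)
    ord_pub, ord_priv = make_keypair(107, 109)
    idp_pub, idp_priv = make_keypair(139, 149)
    monitor = issue("Monitor", mon_pub, "Monitor", mon_priv)         # acts as the CA
    sso = issue("SSO", sso_pub, "Monitor", mon_priv)
    orders = issue("orders", ord_pub, "Monitor", mon_priv)
    ext_idp = issue("ExternalIdP", idp_pub, "ExternalIdP", idp_priv)  # not issued by the Monitor
    relations = {"Default": TrustRelation({"monitor-ca": monitor})}  # the default trust relation
    for sg in ("orders", "billing"):                                  # new groups land in it
        relations["Default"].members.add(sg)
    assertion, body = b"<saml:Assertion>alice</saml:Assertion>", b"<soap:Body>ship 42</soap:Body>"
    saml = SignedPart("saml-assertion", assertion, (sso,), sign(sso_priv, assertion))
    good = SignedPart("body", body, (orders,), sign(ord_priv, body))
    tampered = SignedPart("body", body + b"!", good.chain, good.signature)
    from_idp = SignedPart("saml-assertion", assertion, (ext_idp,), sign(idp_priv, assertion))
    results = {"sso_and_peer": check_request(relations, True, "billing", [saml, good])[0],
               "tampered": check_request(relations, True, "billing", [saml, tampered])[0],
               "idp_before_add": check_request(relations, True, "billing", [from_idp])[0]}
    relations["Default"].certificates["external-idp"] = ext_idp    # adding a certificate to a group
    results["idp_after_add"] = check_request(relations, True, "billing", [from_idp])[0]
    results["sso_off"] = check_request(relations, False, "billing", [saml, good])[0]
    return results
```

Running scenario() shows the behaviour the text describes: the SAML assertion signed with the SSO certificate and the body signed by the peer service group orders are both accepted by billing because every certificate issued by the Monitor chains to the monitor-ca alias of the shared default relation; a modified body is rejected as tampered; the external identity provider is rejected until its certificate is added to the group, after which every member trusts it; and with SSO disabled the trust settings are simply not in effect.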

In summary, using the trust store you can create a trust relation of service groups, add certificates to the group, and set a group as the default trust relation.
In addition to the functions mentioned above, you can perform the following tasks in the Service Group Trust tab of Security Administration.

Related concepts

SAML
Web Service Security
Trust Store
Key Store
Private-public Key Pair
Trust Relation
Certificate

Related reference

Security Administration Configuration Interface

Related information

Authentication Plugins
Managing Certificates
Protection of Key Store and Trust Store