Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
2WS-SecurityPolicy 1.2
3OASIS Standard
41 July 2007
5Specification URIs:
6This Version:
7 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.doc
8 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.pdf
9 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.html
10Previous Version:
11 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-cs.doc
12 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-cs.pdf
13 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-cs.html
14Latest Version:
15 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/ws-securitypolicy.doc
16 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/ws-securitypolicy.pdf
17 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.2/ws-securitypolicy.html
18Artifact Type:
19 specification
20Technical Committee:
21 OASIS Web Services Secure Exchange TC
22Chair(s):
23 Kelvin Lawrence, IBM
24 Chris Kaler, Microsoft
25Editor(s):
26 Anthony Nadalin, IBM
27 Marc Goodner, Microsoft
28 Martin Gudgin, Microsoft
29 Abbie Barbir, Nortel
30 Hans Granqvist, VeriSign
31Related work:
32 N/A
33Declared XML Namespace(s):
34 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
35Abstract:
36 This document indicates the policy assertions for use with [WS-Policy] which apply to WSS:
37 SOAP Message Security [WSS10, WSS11], [WS-Trust] and [WS-SecureConversation]
38Status:
39 This document was last revised or approved by the WS-SX TC on the above date. The level of
40 approval is also listed above. Check the current location noted above for possible later revisions
41 of this document. This document is updated periodically on no particular schedule.
42 Technical Committee members should send comments on this specification to the Technical
43 Committee’s email list. Others should send comments to the Technical Committee by using the
1ws-securitypolicy-1.2-spec-os 1 July 2007
2Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 1 of 113
44 “Send A Comment” button on the Technical Committee’s web page at http://www.oasis-
45 open.org/committees/ws-sx.
46 For information on whether any patents have been disclosed that may be essential to
47 implementing this specification, and any offers of patent licensing terms, please refer to the
48 Intellectual Property Rights section of the Technical Committee web page (http://www.oasis-
49 open.org/committees/ws-sx/ipr.php).
50 The non-normative errata page for this specification is located at http://www.oasis-
51 open.org/committees/ws-sx.
53Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply.
54All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual
55Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
56This document and translations of it may be copied and furnished to others, and derivative works that
57comment on or otherwise explain it or assist in its implementation may be prepared, copied, published,
58and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice
59and this section are included on all such copies and derivative works. However, this document itself may
60not be modified in any way, including by removing the copyright notice or references to OASIS, except as
61needed for the purpose of developing any document or deliverable produced by an OASIS Technical
62Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must
63be followed) or as required to translate it into languages other than English.
64The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors
65or assigns.
66This document and the information contained herein is provided on an "AS IS" basis and OASIS
67DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
68WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
69OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
70PARTICULAR PURPOSE.
71OASIS requests that any OASIS Party or any other party that believes it has patent claims that would
72necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard,
73to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to
74such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that
75produced this specification.
76OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of
77any patent claims that would necessarily be infringed by implementations of this specification by a patent
78holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR
79Mode of the OASIS Technical Committee that produced this specification. OASIS may include such
80claims on its website, but disclaims any obligation to do so.
81OASIS takes no position regarding the validity or scope of any intellectual property or other rights that
82might be claimed to pertain to the implementation or use of the technology described in this document or
83the extent to which any license under such rights might or might not be available; neither does it represent
84that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to
85rights in any document or deliverable produced by an OASIS Technical Committee can be found on the
86OASIS website. Copies of claims of rights made available for publication and any assurances of licenses
87to be made available, or the result of an attempt made to obtain a general license or permission for the
88use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS
89Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any
90information or list of intellectual property rights will at any time be complete, or that any claims in such list
91are, in fact, Essential Claims.
92The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be
93used only to refer to the organization and its official outputs. OASIS welcomes reference to, and
94implementation and use of, specifications, while reserving the right to enforce its marks against
95misleading uses. Please see http://www.oasis-open.org/who/trademark.php for above guidance.
96
2401.1 Example
241Table 1 shows an "Effective Policy" example, including binding assertions and associated property
242assertions, token assertions and integrity and confidentiality assertions. This example has a scope of
243[Endpoint Policy Subject], but for brevity the attachment mechanism is not shown.
244Table 1: Example security policy.
245(1) <wsp:Policy xmlns:wsp="..." xmlns:sp="...">
246(2) <sp:SymmetricBinding>
247(3) <wsp:Policy>
248(4) <sp:ProtectionToken>
249(5) <wsp:Policy>
250(6) <sp:Kerberos sp:IncludeToken=".../IncludeToken/Once" />
251(7) <wsp:Policy>
252(8) <sp:WSSKerberosV5ApReqToken11/>
253(9) <wsp:Policy>
254(10) </sp:Kerberos>
255(11) </wsp:Policy>
256(12) </sp:ProtectionToken>
257(13) <sp:SignBeforeEncrypting />
258(14) <sp:EncryptSignature />
259(15) </wsp:Policy>
260(16) </sp:SymmetricBinding>
261(17) <sp:SignedParts>
262(18) <sp:Body/>
2841.2 Namespaces
285The XML namespace URI that MUST be used by implementations of this specification is:
286 http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
287
288Table 2 lists XML namespaces that are used in this specification. The choice of any namespace prefix is
289arbitrary and not semantically significant.
290Table 2: Prefixes and XML Namespaces used in this specification.
2951.4 Terminology
296Policy - A collection of policy alternatives.
297Policy Alternative - A collection of policy assertions.
298Policy Assertion - An individual requirement, capability, other property, or a behavior.
299Initiator - The role sending the initial message in a message exchange.
300Recipient - The targeted role to process the initial message in a message exchange.
301Security Binding - A set of properties that together provide enough information to secure a given
302message exchange.
303Security Binding Property - A particular aspect of securing an exchange of messages.
304Security Binding Assertion - A policy assertion that identifies the type of security binding being used to
305secure an exchange of messages.
306Security Binding Property Assertion - A policy assertion that specifies a particular value for a particular
307aspect of securing an exchange of message.
308Assertion Parameter - An element of variability within a policy assertion.
309Token Assertion -Describes a token requirement. Token assertions defined within a security binding are
310used to satisfy protection requirements.
311Supporting Token - A token used to provide additional claims.
656
657The following describes the attributes and elements listed in the schema outlined above:
658/sp:SignedParts
659 This assertion specifies the parts of the message that need integrity protection. If no child
660 elements are specified, all message headers targeted at the UltimateReceiver role [SOAP12] or
661 actor [SOAP11] and the body of the message MUST be integrity protected.
662/sp:SignedParts/sp:Body
663 Presence of this optional empty element indicates that the entire body, that is the soap:Body
664 element, it's attributes and content, of the message needs to be integrity protected.
665/sp:SignedParts/sp:Header
702The following describes the attributes and elements listed in the schema outlined above:
703/sp:SignedElements
704 This assertion specifies the parts of the message that need integrity protection.
705/sp:SignedElements/@XPathVersion
706 This optional attribute contains a URI which indicates the version of XPath to use. If no attribute is
707 provided, then XPath 1.0 is assumed.
708/sp:SignedElements/sp:XPath
735
736The following describes the attributes and elements listed in the schema outlined above:
737/sp:EncryptedParts
738 This assertion specifies the parts of the message that need confidentiality protection. The single
739 child element of this assertion specifies the set of message parts using an extensible dialect.
740 If no child elements are specified, the body of the message MUST be confidentiality protected.
741/sp:EncryptedParts/sp:Body
742 Presence of this optional empty element indicates that the entire body of the message needs to
743 be confidentiality protected. In the case where mechanisms from WSS: SOAP Message Security
744 are used to satisfy this assertion, then the soap:Body element is encrypted using the #Content
745 encryption type.
746/sp:EncryptedParts/sp:Header
747 Presence of this optional element indicates that a specific SOAP header (or set of such headers)
748 needs to be protected. There may be multiple sp:Header elements within a single Parts element.
749 Each header or set of headers MUST be encrypted. Such encryption will encrypt such elements
750 using WSS 1.1 Encrypted Headers. As such, if WSS 1.1 Encrypted Headers are not supported by
751 a service, then this element cannot be used to specify headers that require encryption using
752 message level security. If multiple SOAP headers with the same local name but different
783The following describes the attributes and elements listed in the schema outlined above:
784/sp:EncryptedElements
785 This assertion specifies the parts of the message that need confidentiality protection. Any such
786 elements are subject to #Element encryption.
787/sp:EncryptedElements/@XPathVersion
788 This optional attribute contains a URI which indicates the version of XPath to use. If no attribute is
789 provided, then XPath 1.0 is assumed.
790/sp:EncryptedElements/sp:XPath
791 This element contains a string specifying an XPath expression that identifies the nodes to be
792 confidentiality protected. The XPath expression is evaluated against the S:Envelope element
793 node of the message. Multiple instances of this element may appear within this assertion and
794 should be treated as separate references.
810The following describes the attributes and elements listed in the schema outlined above:
811/sp:ContentEncryptedElements
812 This assertion specifies the parts of the message that need confidentiality protection. Any such
813 elements are subject to #Content encryption.
814/sp:ContentEncryptedElements/@XPathVersion
815 This optional attribute contains a URI which indicates the version of XPath to use.
816/sp:ContentEncryptedElements/sp:XPath
817 This element contains a string specifying an XPath expression that identifies the nodes to be
818 confidentiality protected. The XPath expression is evaluated against the S:Envelope element
819 node of the message. Multiple instances of this element MAY appear within this assertion and
820 should be treated as separate references.
840
841The following describes the attributes and elements listed in the schema outlined above:
842/sp:RequiredElements
843 This assertion specifies the headers elements that MUST appear in a message.
844/sp:RequiredElements/@XPathVersion
845 This optional attribute contains a URI which indicates the version of XPath to use. If no attribute is
846 provided, then XPath 1.0 is assumed.
847/sp:RequiredElements/sp:XPath
848 This element contains a string specifying an XPath expression that identifies the header elements
849 that a message MUST contain. The XPath expression is evaluated against the
850 S:Envelope/S:Header element node of the message. Multiple instances of this element may
851 appear within this assertion and should be treated as a combined XPath expression.
864
865The following describes the attributes and elements listed in the schema outlined above:
866/sp:RequiredParts/sp:Header
867 This assertion specifies the headers elements that MUST be present in the message.
868/sp:RequiredParts/sp:Header/@Name
869 This required attribute indicates the local name of the SOAPHeader that needs to be present in
870 the message.
871/sp:RequiredParts/sp:Header/@Namespace
872 This required attribute indicates the namespace of the SOAP header that needs to be present in
873 the message.
1013
1014The following describes the attributes and elements listed in the schema outlined above:
1015/sp:UsernameToken
1016 This identifies a UsernameToken assertion.
1017/sp:UsernameToken/@sp:IncludeToken
1018 This optional attribute identifies the token inclusion value for this token assertion.
1019/sp:UsernameToken/sp:Issuer
1020 This optional element, of type wsa:EndpointReferenceType, contains reference to the issuer of
1021 the sp:UsernameToken.
1022/sp:UsernameToken/sp:IssuerName
1023 This optional element, of type xs:anyURI, contains the logical name of the sp:UsernameToken
1024 issuer.
1082The following describes the attributes and elements listed in the schema outlined above:
1083/sp:IssuedToken
1084 This identifies an IssuedToken assertion.
1085/sp:IssuedToken/@sp:IncludeToken
1086 This optional attribute identifies the token inclusion value for this token assertion.
1087/sp:IssuedToken/sp:Issuer
1088 This optional element, of type wsa:EndpointReferenceType, contains a reference to the issuer for
1089 the issued token.
1090/sp:IssuedToken/sp:IssuerName
1091 This optional element, of type xs:anyURI, contains the logical name of the sp:IssuedToken issuer.
1092/sp:IssuedToken/wst:Claims
1093 This optional element identifies the required claims that a security token must contain in order to
1094 satisfy the token assertion requirements.
1095/sp:IssuedToken/sp:RequestSecurityTokenTemplate
1096 This required element contains elements which MUST be copied into the
1097 wst:SecondaryParameters of the RST request sent to the specified issuer. Note: the initiator is
1098 not required to understand the contents of this element.
1099 See Appendix B for details of the content of this element.
1100/sp:IssuedToken/sp:RequestSecurityTokenTemplate/@TrustVersion
1101 This optional attribute contains a WS-Trust specification namespace URI identifying the version of
1102 WS-Trust referenced by the contents of this element.
1103/sp:IssuedToken/wsp:Policy
1104 This required element identifies additional requirements for use of the sp:IssuedToken assertion.
1105/sp:IssuedToken/wsp:Policy/sp:RequireDerivedKeys
1106 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1107 and [Implied Derived Keys] properties for this token to 'true'.
1108/sp:IssuedToken/wsp:Policy/sp:RequireExplicitDerivedKeys
1109 This optional element is a policy assertion that sets the [Derived Keys] and [Explicit Derived Keys]
1110 properties for this token to 'true' and the [Implied Derived Keys] property for this token to 'false'.
1111/sp:IssuedToken/wsp:Policy/sp:RequireImpliedDerivedKeys
1160
1161The following describes the attributes and elements listed in the schema outlined above:
1162/sp:X509Token
1163 This identifies an X509Token assertion.
91ws-securitypolicy-1.2-spec-os 1 July 2007
92Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 31 of 113
1164/sp:X509Token/@sp:IncludeToken
1165 This optional attribute identifies the token inclusion value for this token assertion.
1166/sp:X509Token/sp:Issuer
1167 This optional element, of type wsa:EndpointReferenceType, contains reference to the issuer of
1168 the sp:X509Token.
1169/sp:X509Token/sp:IssuerName
1170 This optional element, of type xs:anyURI, contains the logical name of the sp:X509Token issuer.
1171/sp:X509Token/wst:Claims
1172 This optional element identifies the required claims that a security token must contain in order to
1173 satisfy the token assertion requirements.
1174/sp:X509Token/wsp:Policy
1175 This required element identifies additional requirements for use of the sp:X509Token assertion.
1176/sp:X509Token/wsp:Policy/sp:RequireDerivedKeys
1177 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1178 and [Implied Derived Keys] properties for this token to 'true'.
1179/sp:X509Token/wsp:Policy/sp:RequireExplicitDerivedKeys
1180 This optional element is a policy assertion that sets the [Derived Keys] and [Explicit Derived Keys]
1181 properties for this token to 'true' and the [Implied Derived Keys] property for this token to 'false'.
1182/sp:X509Token/wsp:Policy/sp:RequireImpliedDerivedKeys
1183 This optional element is a policy assertion that sets the [Derived Keys] and [Implied Derived
1184 Keys] properties for this token to 'true' and the [Explicit Derived Keys] property for this token to
1185 'false'.
1186/sp:X509Token/wsp:Policy/sp:RequireKeyIdentifierReference
1187 This optional element is a policy assertion that indicates that a key identifier reference is required
1188 when referencing this token.
1189/sp:X509Token/wsp:Policy/sp:RequireIssuerSerialReference
1190 This optional element is a policy assertion that indicates that an issuer serial reference is required
1191 when referencing this token.
1192/sp:X509Token/wsp:Policy/sp:RequireEmbeddedTokenReference
1193 This optional element is a policy assertion that indicates that an embedded token reference is
1194 required when referencing this token.
1195/sp:X509Token/wsp:Policy/sp:RequireThumbprintReference
1196 This optional element is a policy assertion that indicates that a thumbprint reference is required
1197 when referencing this token.
1198/sp:X509Token/wsp:Policy/sp:WssX509V3Token10
1199 This optional element is a policy assertion that indicates that an X509 Version 3 token should be
1200 used as defined in [WSS:X509TokenProfile1.0].
1201/sp:X509Token/wsp:Policy/sp:WssX509Pkcs7Token10
1202 This optional element is a policy assertion that indicates that an X509 PKCS7 token should be
1203 used as defined in [WSS:X509TokenProfile1.0].
1204/sp:X509Token/wsp:Policy/sp:WssX509PkiPathV1Token10
1240 ...
1241 </wsp:Policy>
1242 ...
1243 </sp:KerberosToken>
1244
1245The following describes the attributes and elements listed in the schema outlined above:
1246/sp:KerberosToken
1247 This identifies a KerberosV5ApReqToken assertion.
1248/sp:KerberosToken/@sp:IncludeToken
1249 This optional attribute identifies the token inclusion value for this token assertion.
1250/sp:KerberosToken/sp:Issuer
1251 This optional element, of type wsa:EndpointReferenceType, contains reference to the issuer of
1252 the sp:KerberosToken.
97ws-securitypolicy-1.2-spec-os 1 July 2007
98Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 33 of 113
1253/sp:KerberosToken/sp:IssuerName
1254 This optional element, of type xs:anyURI, contains the logical name of the sp:KerberosToken
1255 issuer.
1256/sp:KerberosToken/wst:Claims
1257 This optional element identifies the required claims that a security token must contain in order to
1258 satisfy the token assertion requirements.
1259/sp:KerberosToken/wsp:Policy
1260 This required element identifies additional requirements for use of the sp:KerberosToken
1261 assertion.
1262/sp:KerberosToken/wsp:Policy/sp:RequireDerivedKeys
1263 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1264 and [Implied Derived Keys] properties for this token to 'true'.
1265/sp:KerberosToken/wsp:Policy/sp:RequireExplicitDerivedKeys
1266 This optional element is a policy assertion that sets the [Derived Keys] and [Explicit Derived Keys]
1267 properties for this token to 'true' and the [Implied Derived Keys] property for this token to 'false'.
1268/sp:KerberosToken/wsp:Policy/sp:RequireImpliedDerivedKeys
1269 This optional element is a policy assertion that sets the [Derived Keys] and [Implied Derived
1270 Keys] properties for this token to 'true' and the [Explicit Derived Keys] property for this token to
1271 'false'.
1272/sp:KerberosToken/wsp:Policy/sp:RequireKeyIdentifierReference
1273 This optional element is a policy assertion that indicates that a key identifier reference is required
1274 when referencing this token.
1275/sp:KerberosToken/wsp:Policy/sp:WssKerberosV5ApReqToken11
1276 This optional element is a policy assertion that indicates that a Kerberos Version 5 AP-REQ token
1277 should be used as defined in [WSS:KerberosTokenProfile1.1].
1278/sp:KerberosToken/wsp:Policy/sp:WssGssKerberosV5ApReqToken11
1279 This optional element is a policy assertion that indicates that a GSS Kerberos Version 5 AP-REQ
1280 token should be used as defined in [WSS:KerberosTokenProfile1.1].
1304
1305The following describes the attributes and elements listed in the schema outlined above:
1306/sp:SpnegoContextToken
1307 This identifies a SpnegoContextToken assertion.
1308/sp:SpnegoContextToken/@sp:IncludeToken
1309 This optional attribute identifies the token inclusion value for this token assertion.
1310/sp:SpnegoContextToken/sp:Issuer
1311 This optional element, of type wsa:EndpointReferenceType, contains a reference to the issuer for
1312 the Spnego Context Token.
1313/sp:SpnegoContextToken/sp:IssuerName
1314 This optional element, of type xs:anyURI, contains the logical name of the
1315 sp:SpnegoContextToken issuer.
1316/sp:SpnegoContextToken/wst:Claims
1317 This optional element identifies the required claims that a security token must contain in order to
1318 satisfy the token assertion requirements.
1319/sp:SpnegoContextToken/wsp:Policy
1320 This required element identifies additional requirements for use of the sp:SpnegoContextToken
1321 assertion.
1322/sp:SpnegoContextToken/wsp:Policy/sp:RequireDerivedKeys
1323 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1324 and [Implied Derived Keys] properties for this token to 'true'.
1325/sp:SpnegoContextToken/wsp:Policy/sp:RequireExplicitDerivedKeys
1326 This optional element is a policy assertion that sets the [Derived Keys] and [Explicit Derived Keys]
1327 properties for this token to 'true' and the [Implied Derived Keys] property for this token to 'false'.
1328/sp:SpnegoContextToken/wsp:Policy/sp:RequireImpliedDerivedKeys
1329 This optional element is a policy assertion that sets the [Derived Keys] and [Implied Derived
1330 Keys] properties for this token to 'true' and the [Explicit Derived Keys] property for this token to
1331 'false'.
1332sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendCancel
1333 This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token
1334 does not support SCT/Cancel RST messages. If this assertion is missing it means that
1335 SCT/Cancel RST messages are supported by the STS.
1336/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendAmend
1337 This optional element is a policy assertion that indicates that the STS issuing the SP/Nego token
1338 does not support SCT/Amend RST messages. If this assertion is missing it means that
1339 SCT/Amend RST messages are supported by the STS.
1340/sp:SpnegoContextToken/wsp:Policy/sp:MustNotSendRenew
1365
1366The following describes the attributes and elements listed in the schema outlined above:
1367/sp:SecurityContextToken
1368 This identifies a SecurityContextToken assertion.
1369/sp:SecurityContextToken/@sp:IncludeToken
1370 This optional attribute identifies the token inclusion value for this token assertion.
1371/sp:SecurityContextToken/sp:Issuer
1372 This optional element, of type wsa:EndpointReferenceType, contains reference to the issuer of
1373 the sp:SecurityContextToken.
1374/sp:SecurityContextToken/sp:IssuerName
1375 This optional element, of type xs:anyURI, contains the logical name of the
1376 sp:SecurityContextToken issuer.
1377/sp:SecurityContextToken/wst:Claims
1378 This optional element identifies the required claims that a security token must contain in order to
1379 satisfy the token assertion requirements.
1380/sp:SecurityContextToken/wsp:Policy
1381 This required element identifies additional requirements for use of the sp:SecurityContextToken
1382 assertion.
1383/sp:SecurityContextToken/wsp:Policy/sp:RequireDerivedKeys
1384 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1385 and [Implied Derived Keys] properties for this token to 'true'.
1386/sp:SecurityContextToken/wsp:Policy/sp:RequireExplicitDerivedKeys
RST
Bootstrap Policy
RSTR
Application Request
Outer Policy
...
1416Syntax
1417 <sp:SecureConversationToken sp:IncludeToken="xs:anyURI"? xmlns:sp="..." ... >
1418 (
1419 <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer> |
1420 <sp:IssuerName>xs:anyURI</sp:IssuerName>
1440
1441The following describes the attributes and elements listed in the schema outlined above:
1442/sp:SecureConversationToken
1443 This identifies a SecureConversationToken assertion.
1444/sp:SecureConversationToken/@sp:IncludeToken
1445 This optional attribute identifies the token inclusion value for this token assertion.
1446/sp:SecureConversationToken/sp:Issuer
1447 This optional element, of type wsa:EndpointReferenceType, contains a reference to the issuer for
1448 the Security Context Token.
1449/sp:SecureConversationToken/sp:IssuerName
1450 This optional element, of type xs:anyURI, contains the logical name of the
1451 sp:SecureConversationToken issuer.
1452/sp:SpnegoContextToken/wst:Claims
1453 This optional element identifies the required claims that a security token must contain in order to
1454 satisfy the token assertion requirements.
1455/sp:SecureConversationToken/wsp:Policy
1456 This required element identifies additional requirements for use of the
1457 sp:SecureConversationToken assertion.
1458/sp:SecureConversationToken/wsp:Policy/sp:RequireDerivedKeys
1459 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1460 and [Implied Derived Keys] properties for this token to 'true'.
1461/sp:SecureConversationToken/wsp:Policy/sp:RequireExplicitDerivedKeys
1462 This optional element is a policy assertion that sets the [Derived Keys] and [Explicit Derived Keys]
1463 properties for this token to 'true' and the [Implied Derived Keys] property for this token to 'false'.
1464/sp:SecureConversationToken/wsp:Policy/sp:RequireImpliedDerivedKeys
1465 This optional element is a policy assertion that sets the [Derived Keys] and [Implied Derived
1466 Keys] properties for this token to 'true' and the [Explicit Derived Keys] property for this token to
1467 'false'.
1561
1630
1631The following describes the attributes and elements listed in the schema outlined above:
1632/sp:RelToken
1633 This identifies a RelToken assertion.
1634/sp:RelToken/@sp:IncludeToken
1635 This optional attribute identifies the token inclusion value for this token assertion.
1636/sp:RelToken/sp:Issuer
1637 This optional element, of type wsa:EndpointReferenceType, contains reference to the issuer of
1638 the sp:RelToken.
1639/sp:RelToken/sp:IssuerName
1640 This optional element, of type xs:anyURI, contains the logical name of the sp:RelToken issuer.
1641/sp:RelToken/wst:Claims
1642 This optional element identifies the required claims that a security token must contain in order to
1643 satisfy the token assertion requirements.
1644/sp:RelToken/wsp:Policy
1645 This required element identifies additional requirements for use of the sp:RelToken assertion.
1646/sp:RelToken/wsp:Policy/sp:RequireDerivedKeys
1647 This optional element is a policy assertion that sets the [Derived Keys], [Explicit Derived Keys]
1648 and [Implied Derived Keys] property for this token to 'true'.
1649/sp:RelToken/wsp:Policy/sp:RequireExplicitDerivedKeys
1650 This optional element is a policy assertion that sets the [Derived Keys] and [Explicit Derived Keys]
1651 properties for this token to 'true' and the [Implied Derived Keys] property for this token to 'false'.
124ws-securitypolicy-1.2-spec-os 1 July 2007
125Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 42 of 113
1652/sp:RelToken/wsp:Policy/sp:RequireImpliedDerivedKeys
1653 This optional element is a policy assertion that sets the [Derived Keys] and [Implied Derived
1654 Keys] properties for this token to 'true' and the [Explicit Derived Keys] property for this token to
1655 'false'.
1656/sp:RelToken/wsp:Policy/sp:RequireKeyIdentifierReference
1657 This optional element is a policy assertion that indicates that a key identifier reference is required
1658 when referencing this token.
1659/sp:RelToken/wsp:Policy/sp:WssRelV10Token10
1660 This optional element is a policy assertion that identifies that a REL Version 1.0 token should be
1661 used as defined in [WSS:RELTokenProfile1.0].
1662/sp:RelToken/wsp:Policy/sp:WssRelV20Token10
1663 This optional element is a policy assertion that identifies that a REL Version 2.0 token should be
1664 used as defined in [WSS:RELTokenProfile1.0].
1665/sp:RelToken/wsp:Policy/sp:WssRelV10Token11
1666 This optional element is a policy assertion that identifies that a REL Version 1.0 token should be
1667 used as defined in [WSS:RELTokenProfile1.1].
1668/sp:RelToken/wsp:Policy/sp:WssRelV20Token11
1669 This optional element is a policy assertion that identifies that a REL Version 2.0 token should be
1670 used as defined in [WSS:RELTokenProfile1.1].
1671
1672Note: This assertion does not describe how to obtain a REL Token but rather assumes that both parties
1673have the token already or have agreed separately on a mechanism for obtaining the token. If a definition
1674of the mechanism for obtaining the REL Token is desired in policy, the sp:IssuedToken assertion should
1675be used instead.
1696The following describes the attributes and elements listed in the schema outlined above:
1697/sp:HttpsToken
1984
1985The following describes the attributes and elements listed in the schema outlined above:
1986/sp:AlgorithmSuite
1987 This identifies an AlgorithmSuite assertion.
1988/sp:AlgorithmSuite/wsp:Policy
1989 This required element contains one or more policy assertions that indicate the specific algorithm
1990 suite to use.
1991/sp:AlgorithmSuite/wsp:Policy/sp:Basic256
1992 This optional element is a policy assertion that indicates that the [Algorithm Suite] property is set
1993 to 'Basic256'.
2073
2074The following describes the attributes and elements listed in the schema outlined above:
2075/sp:Layout
2076 This identifies a Layout assertion.
2077/sp:Layout/wsp:Policy
2078 This required element contains one or more policy assertions that indicate the specific security
2079 header layout to use.
160ws-securitypolicy-1.2-spec-os 1 July 2007
161Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 54 of 113
2080/sp:Layout/wsp:Policy/sp:Strict
2081 This optional element is a policy assertion that indicates that the [Security Header Layout]
2082 property is set to 'Strict'.
2083/sp:Layout/wsp:Policy/sp:Lax
2084 This optional element is a policy assertion that indicates that the [Security Header Layout]
2085 property is set to 'Lax'.
2086/sp:Layout/wsp:Policy/sp:LaxTsFirst
2087 This optional element is a policy assertion that indicates that the [Security Header Layout]
2088 property is set to 'LaxTimestampFirst'. Note that the [Timestamp] property MUST also be set to
2089 'true' by the presence of an sp:IncludeTimestamp assertion.
2090/sp:Layout/wsp:Policy/sp:LaxTsLast
2091 This optional element is a policy assertion that indicates that the [Security Header Layout]
2092 property is set to 'LaxTimestampLast'. Note that the [Timestamp] property MUST also be set to
2093 'true' by the presence of an sp:IncludeTimestamp assertion.
2114
2115The following describes the attributes and elements listed in the schema outlined above:
2116/sp:TransportBinding
2117 This identifies a TransportBinding assertion.
2118/sp:TransportBinding/wsp:Policy
2119 This indicates a nested wsp:Policy element that defines the behavior of the TransportBinding
2120 assertion.
2121/sp:TransportBinding/wsp:Policy/sp:TransportToken
2122 This required element is a policy assertion that indicates a requirement for a Transport Token.
2123 The specified token populates the [Transport Token] property and indicates how the transport is
2124 secured.
2125/sp:TransportBinding/wsp:Policy/sp:TransportToken/wsp:Policy
163ws-securitypolicy-1.2-spec-os 1 July 2007
164Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 55 of 113
2126 This indicates a nested policy that identifies the type of Transport Token to use.
2127/sp:TransportBinding/wsp:Policy/sp:AlgorithmSuite
2128 This required element is a policy assertion that indicates a value that populates the [Algorithm
2129 Suite] property. See Section 6.1 for more details.
2130/sp:TransportBinding/wsp:Policy/sp:Layout
2131 This optional element is a policy assertion that indicates a value that populates the [Security
2132 Header Layout] property. See Section 6.7 for more details.
2133/sp:TransportBinding/wsp:Policy/sp:IncludeTimestamp
2134 This optional element is a policy assertion that indicates that the [Timestamp] property is set to
2135 'true'.
2171
2172The following describes the attributes and elements listed in the schema outlined above:
2173/sp:SymmetricBinding
2174 This identifies a SymmetricBinding assertion.
2285
2286The following describes the attributes and elements listed in the schema outlined above:
2287/sp:AsymmetricBinding
2288 This identifies a AsymmetricBinding assertion.
2289/sp:AsymmetricBinding/wsp:Policy
2290 This indicates a nested wsp:Policy element that defines the behavior of the AsymmetricBinding
2291 assertion.
2292/sp:AsymmetricBinding/wsp:Policy/sp:InitiatorToken
2293 This optional element is a policy assertion that indicates a requirement for an Initiator Token. The
2294 specified token populates the [Initiator Signature Token] and [Initiator Encryption Token]
2295 properties and is used for the message signature from initiator to recipient, and encryption from
2296 recipient to initiator.
2297/sp:AsymmetricBinding/wsp:Policy/sp:InitiatorToken/wsp:Policy
2298 The policy contained here MUST identify one or more token assertions.
2299/sp:AsymmetricBinding/wsp:Policy/sp:InitiatorToken/wsp:Policy/sp:InitiatorSignatureToken
2300 This optional element is a policy assertion that indicates a requirement for an Initiator Signature
2301 Token. The specified token populates the [Initiator Signature Token] property and is used for the
2302 message signature from initiator to recipient.
2303/sp:AsymmetricBinding/wsp:Policy/sp:InitiatorToken/wsp:Policy/sp:InitiatorSignatureToken/wsp:Policy
2304 The policy contained here MUST identify one or more token assertions.
2305/sp:AsymmetricBinding/wsp:Policy/sp:InitiatorToken/wsp:Policy/sp:InitiatorEncryptionToken
2306 This optional element is a policy assertion that indicates a requirement for an Initiator Encryption
2307 Token. The specified token populates the [Initiator Encryption Token] property and is used for the
2308 message encryption from recipient to initiator.
2309/sp:AsymmetricBinding/wsp:Policy/sp:InitiatorToken/wsp:Policy/sp:InitiatorEncryptionToken/wsp:Policy
2310 The policy contained here MUST identify one or more token assertions.
2311/sp:AsymmetricBinding/wsp:Policy/sp:RecipientToken
2312 This optional element is a policy assertion that indicates a requirement for a Recipient Token. The
2313 specified token populates the [Recipient Signature Token] and [Recipient Encryption Token]
Header1
Header2
Body
2386
Header1
Header2
Security
TS
Sig1
Body
2392
2393Note: if required, the initiator may also include in the Security header the token used as the basis for the
2394message signature (Sig1), not shown in the diagram.
2395If transport security is used, only the message timestamp (TS) is included in the Security header as
2396illustrated below. The “message signature” is provided by the underlying transport protocol and is not part
2397of the message XML.
Header1
Header2
Security
TS
Body
2398
2421
2422The following describes the attributes and elements listed in the schema outlined above:
2423/sp:SupportingTokens
2424 This identifies a SupportingTokens assertion. The specified tokens populate the [Supporting
2425 Tokens] property.
2426/sp:SupportingTokens/wsp:Policy
2427 This describes additional requirements for satisfying the SupportingTokens assertion.
2428/sp:SupportingTokens/wsp:Policy/[Token Assertion]
2429 The policy MUST identify one or more token assertions.
2430/sp:SupportingTokens/wsp:Policy/sp:AlgorithmSuite
2431 This optional element is a policy assertion that follows the schema outlined in Section 7.1 and
2432 describes the algorithms to use for cryptographic operations performed with the tokens identified
2433 by this policy assertion.
2434/sp:SupportingTokens/wsp:Policy/sp:SignedParts
2435 This optional element is a policy assertion that follows the schema outlined in Section 4.1.1 and
2436 describes additional message parts that MUST be included in the signature generated with the
2437 token identified by this policy assertion.
2438/sp:SupportingTokens/wsp:Policy/sp:SignedElements
2439 This optional element is a policy assertion that follows the schema outlined in Section 4.1.2 and
2440 describes additional message elements that MUST be included in the signature generated with
2441 the token identified by this policy assertion.
2442/sp:SupportingTokens/wsp:Policy/sp:EncryptedParts
2443 This optional element is a policy assertion that follows the schema outlined in Section 4.2.1 and
2444 describes additional message parts that MUST be encrypted using the token identified by this
2445 policy assertion.
2446/sp:SupportingTokens/wsp:Policy/sp:EncryptedElements
2447 This optional element is a policy assertion that follows the schema outlined in Section 4.2.2 and
2448 describes additional message elements that MUST be encrypted using the token identified by this
2449 policy assertion.
Header2
Security
TS
Tok2
Sig1
Body
2455
2456If transport security is used, the token (Tok2) is included in the Security header as illustrated below:
2457
Header1
Header2
Security
TS
Tok2
Body
2458
2459Syntax
2460 <sp:SignedSupportingTokens xmlns:sp="..." ... >
2461 <wsp:Policy xmlns:wsp="...">
2462 [Token Assertion]+
2463 <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
2464 (
2465 <sp:SignedParts ... > ... </sp:SignedParts> |
2466 <sp:SignedElements ... > ... </sp:SignedElements> |
2467 <sp:EncryptedParts ... > ... </sp:EncryptedParts> |
2468 <sp:EncryptedElements ... > ... </sp:EncryptedElements>
2469 ) *
2470 ...
2471 </wsp:Policy>
2472 ...
2473 </sp:SignedSupportingTokens>
2474
2475The following describes the attributes and elements listed in the schema outlined above:
2476/sp:SignedSupportingTokens
2477 This identifies a SignedSupportingTokens assertion. The specified tokens populate the [Signed
2478 Supporting Tokens] property.
2479/sp:SignedSupportingTokens/wsp:Policy
190ws-securitypolicy-1.2-spec-os 1 July 2007
191Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 64 of 113
2480 This describes additional requirements for satisfying the SignedSupportingTokens assertion.
2481/sp:SignedSupportingTokens/wsp:Policy/[Token Assertion]
2482 The policy MUST identify one or more token assertions.
2483/sp:SignedSupportingTokens/wsp:Policy/sp:AlgorithmSuite
2484 This optional element is a policy assertion that follows the schema outlined in Section 7.1 and
2485 describes the algorithms to use for cryptographic operations performed with the tokens identified
2486 by this policy assertion.
2487/sp:SignedSupportingTokens/wsp:Policy/sp:SignedParts
2488 This optional element is a policy assertion that follows the schema outlined in Section 4.1.1 and
2489 describes additional message parts that MUST be included in the signature generated with the
2490 token identified by this policy assertion.
2491/sp:SignedSupportingTokens/wsp:Policy/sp:SignedElements
2492 This optional element is a policy assertion that follows the schema outlined in Section 4.1.2 and
2493 describes additional message elements that MUST be included in the signature generated with
2494 the token identified by this policy assertion.
2495/sp:SignedSupportingTokens/wsp:Policy/sp:EncryptedParts
2496 This optional element is a policy assertion that follows the schema outlined in Section 4.2.1 and
2497 describes additional message parts that MUST be encrypted using the token identified by this
2498 policy assertion.
2499/sp:SignedSupportingTokens/wsp:Policy/sp:EncryptedElements
2500 This optional element is a policy assertion that follows the schema outlined in Section 4.2.2 and
2501 describes additional message elements that MUST be encrypted using the token identified by this
2502 policy assertion.
Header1
Header2
Security
TS
Sig1
Sig2
Body
2509
2510If transport security is used, the signature (Sig2) MUST cover the message timestamp as illustrated
2511below:
193ws-securitypolicy-1.2-spec-os 1 July 2007
194Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 65 of 113
2512
Header1
Header2
Security
TS
Sig2
Body
2513
2514Syntax
2515 <sp:EndorsingSupportingTokens xmlns:sp="..." ... >
2516 <wsp:Policy xmlns:wsp="...">
2517 [Token Assertion]+
2518 <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
2519 (
2520 <sp:SignedParts ... > ... </sp:SignedParts> |
2521 <sp:SignedElements ... > ... </sp:SignedElements> |
2522 <sp:EncryptedParts ... > ... </sp:EncryptedParts> |
2523 <sp:EncryptedElements ... > ... </sp:EncryptedElements>
2524 ) *
2525 ...
2526 </wsp:Policy>
2527 ...
2528 </sp:EndorsingSupportingTokens>
2529
2530The following describes the attributes and elements listed in the schema outlined above:
2531/sp:EndorsingSupportingTokens
2532 This identifies an EndorsingSupportingTokens assertion. The specified tokens populate the
2533 [Endorsing Supporting Tokens] property.
2534/sp:EndorsingSupportingTokens/wsp:Policy
2535 This describes additional requirements for satisfying the EndorsingSupportingTokens assertion.
2536/sp:EndorsingSupportingTokens/wsp:Policy/[Token Assertion]
2537 The policy MUST identify one or more token assertions.
2538/sp:EndorsingSupportingTokens/wsp:Policy/sp:AlgorithmSuite
2539 This optional element is a policy assertion that follows the schema outlined in Section 7.1 and
2540 describes the algorithms to use for cryptographic operations performed with the tokens identified
2541 by this policy assertion.
2542/sp:EndorsingSupportingTokens/wsp:Policy/sp:SignedParts
2543 This optional element is a policy assertion that follows the schema outlined in Section 4.1.1 and
2544 describes additional message parts that MUST be included in the signature generated with the
2545 token identified by this policy assertion.
2546/sp:EndorsingSupportingTokens/wsp:Policy/sp:SignedElements
Header1
Header2
Security
TS
Tok2
Sig1
Sig2
Body
2566
2567If transport security is used, the token (Tok2) is included in the Security header and the signature (Sig2)
2568should cover the message timestamp as illustrated below:
2569
Header2
Security
TS
Tok2
Sig2
Body
2570
2571Syntax
2572 <sp:SignedEndorsingSupportingTokens xmlns:sp="..." ... >
2573 <wsp:Policy xmlns:wsp="...">
2574 [Token Assertion]+
2575 <sp:AlgorithmSuite ... > ... </sp:AlgorithmSuite> ?
2576 (
2577 <sp:SignedParts ... > ... </sp:SignedParts> |
2578 <sp:SignedElements ... > ... </sp:SignedElements> |
2579 <sp:EncryptedParts ... > ... </sp:EncryptedParts> |
2580 <sp:EncryptedElements ... > ... </sp:EncryptedElements>
2581 ) *
2582 ...
2583 </wsp:Policy>
2584 ...
2585 </sp:SignedEndorsingSupportingTokens>
2586
2587The following describes the attributes and elements listed in the schema outlined above:
2588/sp:SignedEndorsingSupportingTokens
2589 This identifies a SignedEndorsingSupportingTokens assertion. The specified tokens populate the
2590 [Signed Endorsing Supporting Tokens] property.
2591/sp:SignedEndorsingSupportingTokens/wsp:Policy
2592 This describes additional requirements for satisfying the EndorsingSupportingTokens assertion.
2593/sp:SignedEndorsingSupportingTokens/wsp:Policy/[Token Assertion]
2594 The policy MUST identify one or more token assertions.
2595/sp:SignedEndorsingSupportingTokens/wsp:Policy/sp:AlgorithmSuite
2596 This optional element is a policy assertion that follows the schema outlined in Section 7.1 and
2597 describes the algorithms to use for cryptographic operations performed with the tokens identified
2598 by this policy assertion.
2599/sp:SignedEndorsingSupportingTokens/wsp:Policy/sp:SignedParts
2600 This optional element is a policy assertion that follows the schema outlined in Section 4.1.1 and
2601 describes additional message parts that MUST be included in the signature generated with the
2602 token identified by this policy assertion.
2603/sp:SignedEndorsingSupportingTokens/wsp:Policy/sp:SignedElements
26618.10 Example
2662Example policy containing supporting token assertions:
2663 <!-- Example Endpoint Policy -->
2664 <wsp:Policy xmlns:wsp="...">
2665 <sp:SymmetricBinding xmlns:sp="...">
2666 <wsp:Policy>
2667 <sp:ProtectionToken>
2668 <sp:IssuedToken sp:IncludeToken=".../IncludeToken/Once" >
2669 <sp:Issuer>...</sp:Issuer>
2670 <sp:RequestSecurityTokenTemplate>
2671 ...
2672 </sp:RequestSecurityTokenTemplate>
2673 </sp:IssuedToken>
2674 </sp:ProtectionToken>
2675 <sp:AlgorithmSuite>
2676 <wsp:Policy>
2677 <sp:Basic256 />
2678 </wsp:Policy>
2679 </sp:AlgorithmSuite>
2680 ...
2681 </wsp:Policy>
2682 </sp:SymmetricBinding>
2683 ...
2684 <sp:SignedSupportingTokens>
2685 <wsp:Policy>
2686 <sp:UsernameToken sp:IncludeToken=".../IncludeToken/Once" />
2687 </wsp:Policy>
2688 </sp:SignedSupportingTokens>
2689 <sp:SignedEndorsingSupportingTokens>
2690 <wsp:Policy>
2691 <sp:X509Token sp:IncludeToken=".../IncludeToken/Once" >
2692 <wsp:Policy>
2700The sp:SignedSupportingTokens assertion in the above policy indicates that a Username Token must be
2701included in the security header and covered by the message signature. The
2702sp:SignedEndorsingSupportingTokens assertion indicates that an X509 certificate must be included in the
2703security header and covered by the message signature. In addition, a signature over the message
2704signature based on the key material associated with the X509 certificate must be included in the security
2705header.
2827
2828The following describes the attributes and elements listed in the schema outlined above:
2829/sp:Wss11
2830 This identifies an WSS11 assertion.
2831/sp:Wss11/wsp:Policy
2832 This indicates a policy that controls WSS: SOAP Message Security 1.1 options.
2833/sp:Wss11/wsp:Policy/sp:MustSupportRefKeyIdentifier
2834 This optional element is a policy assertion indicates that the [Key Identifier References] property
2835 is set to 'true'.
2918
2919The following describes the attributes and elements listed in the schema outlined above:
2920/sp:Trust13
2921 This identifies a Trust13 assertion.
2922/sp:Trust13/wsp:Policy
2923 This indicates a policy that controls WS-Trust 1.3 options.
2924/sp:Trust13/wsp:Policy/sp:MustSupportClientChallenge
2925 This optional element is a policy assertion indicates that the [Client Challenge] property is set to
2926 'true'.
2927/sp:Trust13/wsp:Policy/sp:MustSupportServerChallenge
2928 This optional element is a policy assertion indicates that the [Server Challenge] property is set to
2929 'true'.
2930/sp:Trust13/wsp:Policy/sp:RequireClientEntropy
2931 This optional element is a policy assertion indicates that the [Client Entropy] property is set to
2932 'true'.
2933/sp:Trust13/wsp:Policy/sp:RequireServerEntropy
2934 This optional element is a policy assertion indicates that the [Server Entropy] property is set to
2935 'true'.
2936/sp:Trust13/wsp:Policy/sp:MustSupportIssuedTokens
2937 This optional element is a policy assertion indicates that the [Issued Tokens] property is set to
2938 'true'.
2939/sp:Trust13/wsp:Policy/sp:RequireRequestSecurityTokenCollection
2977then design 1. would generally be prefered because it allows the policy matching logic to provide more
2978accurate matches between policies.
2979
2980A good example of design 1 is the token assertions defined in Section 5. The section defines 10 distinct
2981token assertions, rather than a single sp:Token assertion with, for example, a TokenType attribute. These
2982distinct token assertions make policy matching much more useful as less false positives are generated
2983when performing policy matching.
2984
2985There are cases where using attributes or child elements as parameters in assertion design is
2986reasonable. Examples include cases when implementations are expected to understand all the values for
Client Parameters
STS Parameters
3110
3111The client-specific parameters of the Issued Token policy assertion along with the remainder of the server
3112policy are consumed by the client. The STS specific parameters of the Issued Token policy assertion are
3113passed on to the STS by copying the parameters directly into the wst:SecondaryParameters of the
3114RST request sent by the Client to the STS as illustrated in the figure below.
3115
STS
3 2
1
Client Server
Server Policy
3116
3117Before the Client sends the RST to the STS, it will need to obtain the policy for the STS. This will help to
3118formulate the RST request and will include any security-specific requirements of the STS.
3119
3120The Client may augment or replace the contents of the RST made to the STS based on the Client-specific
3121parameters received from the Issued Token policy assertion contained in the Server policy, from policy it
3122received for the STS, or any other local parameters.
3123
253ws-securitypolicy-1.2-spec-os 1 July 2007
254Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 85 of 113
3124The Issued Token Policy Assertion contains elements which must be understood by the Client. The
3125assertion contains one element which contains a list of arbitrary elements which should be sent along to
3126the STS by copying the elements as-is directly into the wst:SecondaryParameters of the RST
3127request sent by the Client to the STS following the protocol defined in WS-Trust.
3128
3129Elements inside the sp:RequestSecurityTokenTemplate element MUST conform to WS-Trust [WS-
3130Trust]. All items are optional, since the Server and STS may already have a pre-arranged relationship
3131which specifies some or all of the conditions and constraints for issued tokens.
3137C.1.1 Policy
3138The following example shows a policy indicating a Transport Binding, an Https Token as the Transport
3139Token, an algorithm suite, a requirement to include tokens in the supporting signatures, a username
3140token attached to the message, and finally an X509 token attached to the message and endorsing the
3141message signature. No message protection requirements are described since the transport covers all
3142message parts.
3143 <wsp:Policy xmlns:wsp="..." xmlns:sp="...">
3144 <sp:TransportBinding>
3145 <wsp:Policy>
3146 <sp:TransportToken>
3147 <wsp:Policy>
3148 <sp:HttpsToken />
3149 </wsp:Policy>
3150 </sp:TransportToken>
3151 <sp:AlgorithmSuite>
3152 <wsp:Policy>
3153 <sp:Basic256 />
3154 </wsp:Policy>
3155 </sp:AlgorithmSuite>
3156 <sp:Layout>
3157 <wsp:Policy>
3158 <sp:Strict />
3159 </wsp:Policy>
3160 </sp:Layout>
3161 <sp:IncludeTimestamp />
3162 </wsp:Policy>
3163 </sp:TransportBinding>
3164 <sp:SignedSupportingTokens>
3165 <wsp:Policy>
3166 <sp:UsernameToken sp:IncludeToken=".../IncludeToken/Once" />
3167 </wsp:Policy>
3168 </sp:SignedSupportingTokens>
3169 <sp:SignedEndorsingSupportingTokens>
3170 <wsp:Policy>
3171 <sp:X509Token sp:IncludeToken=".../IncludeToken/Once">
3172 <wsp:Policy>
3173 <sp:WssX509v3Token10 />
3174 </wsp:Policy>
3175 </sp:X509Token>
3176 </wsp:Policy>
3177 </sp:SignedEndorsingSupportingTokens>
3178 <sp:Wss11>
3179 <sp:RequireSignatureConfirmation />
3180 </sp:Wss11>
3181 </wsp:Policy>
Header2
Security
TS
ST1
ST2
Sig2
Body
3202
3203The outer box shows that the entire message is protected (signed and encrypted) by the transport. The
3204arrows on the left from the box labeled Sig2 indicate the parts signed by the supporting token labeled ST2,
3205namely the message timestamp labeled TS and the token used as the basis for the signature labeled ST 2.
3206The dotted arrow indicates the token that was used as the basis for the signature. In general, the ordering
3207of the items in the security header follows the most optimal layout for a receiver to process its contents.
3208Example:
3209Initiator to recipient message
Header2
Security
TS
SC1
Body
3255
3256The outer box shows that the entire message is protected (signed and encrypted) by the transport. One
3257wsse11:SignatureConfirmation element labeled SC1 corresponding to the signature in the initial
3258message illustrated previously is included. In general, the ordering of the items in the security header
3259follows the most optimal layout for a receiver to process its contents.
3260Example:
3261Recipient to initiator message
3262 <S:Envelope xmlns:S="..." xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="...">
3263 <S:Header>
3264 ...
3265 <wsse:Security>
3266 <wsu:Timestamp wsu:Id="timestamp">
3267 <wsu:Created>[datetime]</wsu:Created>
3268 <wsu:Expires>[datetime]</wsu:Expires>
3269 </wsu:Timestamp>
3270 <wsse11:SignatureConfirmation Value="..." />
3271 ...
3272 </wsse:Security>
3273 ...
3274 </S:Header>
3275 <S:Body>
3276 ...
3277 </S:Body>
3278 </S:Envelope>
3350This policy is used as the basis for the examples shown in the subsequent section describing the security
3351header layout for this binding.
Header1 Header1
Header2
Header2
Security
Security
TS
TS
ST1
ST1
Ref1
Ref1
ST3
ST3
ST2
ST2
Sig1
Sig1
Sig2
Sig2
Ref1
Body Body
3388
3389The arrows on the right indicate parts that were signed as part of the message signature labeled Sig 1. The
3390dashed arrows on the left from the box labeled Sig2 indicate the parts signed by the supporting token
3391labeled ST2, namely the message signature labeled Sig1 and the token used as the basis for the signature
3392labeled ST2. The arrows on the left from boxes labeled Ref1 indicate references to parts encrypted using a
3393key based on the Shared Secret Token labeled ST1. The dotted arrows inside the box labeled Security
3394indicate the token that was used as the basis for each cryptographic operation. In general, the ordering of
3395the items in the security header follows the most optimal layout for a receiver to process its contents.
3396Example:
280ws-securitypolicy-1.2-spec-os 1 July 2007
281Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 94 of 113
3397Initiator to recipient message using EncryptBeforeSigning:
3398 <S:Envelope xmlns:S="..." xmlns:x="..." xmlns:wsu="..."
3399 xmlns:wsse11="..." xmlns:wsse="..." xmlns:saml="..."
3400 xmlns:xenc="..." xmlns:ds="...">
3401 <S:Header>
3402 <x:Header1 wsu:Id="Header1" >
3403 ...
3404 </x:Header1>
Header1 Header1
Header2 Header2
Security
Security
TS
TS
Ref1
Ref1
SC2
SC2
SC1
SC1
Sig1
Sig1
Ref1
Body Body
3537
3538The arrows on the right indicate parts that were signed as part of the message signature labeled Sig 1. The
3539arrows on the left from boxes labeled Ref1 indicate references to parts encrypted using a key based on
3540the [SharedSecret Token] (not shown in these diagrams as it is referenced as an external token). Two
292ws-securitypolicy-1.2-spec-os 1 July 2007
293Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 98 of 113
3541wsse11:SignatureConfirmation elements labeled SC1 and SC2 corresponding to the two signatures
3542in the initial message illustrated previously is included. In general, the ordering of the items in the security
3543header follows the most optimal layout for a receiver to process its contents. The rules used to determine
3544this ordering are described in Appendix C.
3545Example:
3546Recipient to initiator message using EncryptBeforeSigning:
3547 <S:Envelope>
3548 <S:Header>
3549 <x:Header1 wsu:Id="Header1" >
3550 ...
3551 </x:Header1>
3552 <wsse11:EncryptedHeader wsu:Id="enc_Header2">
3553 <!-- Plaintext Header2
3554 <x:Header2 wsu:Id="Header2" >
3555 ...
3556 </x:Header2>
3557 -->
3558 ...
3559 </wsse11:EncryptedHeader>
3560 ...
3561 <wsse:Security>
3562 <wsu:Timestamp wsu:Id="Timestamp">
3563 <wsu:Created>...</wsu:Created>
3564 <wsu:Expires>...</wsu:Expires>
3565 </wsu:Timestamp>
3566 <xenc:ReferenceList>
3567 <xenc:DataReference URI="#enc_Signature" />
3568 <xenc:DataReference URI="#enc_SigConf1" />
3569 <xenc:DataReference URI="#enc_SigConf2" />
3570 ...
3571 </xenc:ReferenceList>
3572 <xenc:EncryptedData ID="enc_SigConf1" >
3573 <!-- Plaintext SignatureConfirmation
3574 <wsse11:SignatureConfirmation wsu:Id="SigConf1" >
3575 ...
3576 </wsse11:SignatureConfirmation>
3577 -->
3578 ...
3579 </xenc:EncryptedData>
3580 <xenc:EncryptedData ID="enc_SigConf2" >
3581 <!-- Plaintext SignatureConfirmation
3582 <wsse11:SignatureConfirmation wsu:Id="SigConf2" >
3583 ...
3584 </wsse11:SignatureConfirmation>
3585 -->
3586 ...
3587 </xenc:EncryptedData>
3639C.3.1 Policy
3640The following example shows a policy indicating an Asymmetric Binding, an X509 token as the [Initiator
3641Token], an X509 token as the [Recipient Token], an algorithm suite, a requirement to encrypt the
3642message parts before signing, a requirement to encrypt the message signature, a requirement to include
3643tokens in the message signature and the supporting signatures, a requirement to include
3698
3711
3712This policy is used as the basis for the examples shown in the subsequent section describing the security
3713header layout for this binding.
Header1 Header1
Header2 Header2
Security Security
TS TS
ST1 ST1
EK1 EK1
ST4 ST4
ST3 ST3
ST2 ST2
Sig2 Sig2
Sig3 Sig3
Ref1
Body
Body
3748
3749The arrows on the right indicate parts that were signed as part of the message signature labeled Sig 2
3750using the [Initiator Token] labeled ST2. The dashed arrows on the left from the box labeled Sig3 indicate
3751the parts signed by the supporting token ST3, namely the message signature Sig2 and the token used as
3752the basis for the signature labeled ST3. The arrows on the left from boxes labeled EK1 indicate references
3753to parts encrypted using a key encrypted for the [Recipient Token] labeled ST 1. The arrows on the left
3754from boxes labeled Ref1 indicate additional references to parts encrypted using the key contained in the
3755encrypted key labeled EK1. The dotted arrows inside the box labeled Security indicate the token used as
3756the basis for each cryptographic operation. In general, the ordering of the items in the security header
3757follows the most optimal layout for a receiver to process its contents. The rules used to determine this
3758ordering are described in Appendix C.
3759
3760Note: In most typical scenarios, the recipient key is not included in the message, but rather the encrypted
3761key contains an external reference to the token containing the encryption key. The diagram illustrates how
307ws-securitypolicy-1.2-spec-os 1 July 2007
308Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 103 of 113
3762one might attach a security token related to the encrypted key for completeness. One possible use-case
3763for this approach might be a stack which does not support the STR Dereferencing Transform, but wishes
3764to include the encryption token in the message signature.
3765Initiator to recipient message Example
3766 <S:Envelope xmlns:S="..." xmlns:x="..." xmlns:wsu="..."
Header1 Header1
Header2 Header2
Security Security
TS TS
ST1 ST1
EK1 EK1
SC2 SC2
SC1 SC1
ST2 ST2
Sig2 Sig2
Ref1
Body
Body
3897
3898The arrows on the right indicate parts that were signed as part of the message signature labeled Sig 2
3899using the [Recipient Token] labeled ST2. The arrows on the left from boxes labeled EK1 indicate
3900references to parts encrypted using a key encrypted for the [Recipient Token] labeled ST 1. The arrows on
3901the left from boxes labeled Ref1 indicate additional references to parts encrypted using the key contained
3902in the encrypted key labeled EK1. The dotted arrows inside the box labeled Security indicate the token
3903used as the basis for each cryptographic operation. Two wsse11:SignatureConfirmation elements
3904labeled SC1 and SC2 corresponding to the two signatures in the initial message illustrated previously is
319ws-securitypolicy-1.2-spec-os 1 July 2007
320Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 107 of 113
3905included. In general, the ordering of the items in the security header follows the most optimal layout for a
3906receiver to process its contents. The rules used to determine this ordering are described in Appendix C.
3907Recipient to initiator message Example:
3908 <S:Envelope xmlns:S="..." xmlns:x="..." xmlns:wsu="..."
3909 xmlns:wsse11="..." xmlns:wsse="..."
3910 xmlns:xenc="..." xmlns:ds="...">
3911 <S:Header>
3912 <x:Header1 wsu:Id="Header1" >
3913 ...
3914 </x:Header1>
3915 <wsse11:EncryptedHeader wsu:Id="enc_Header2">
3916 <!-- Plaintext Header2
3917 <x:Header2 wsu:Id="Header2" >
3918 ...
3919 </x:Header2>
3920 -->
3921 ...
3922 </wsse11:EncryptedHeader>
3923 ...
3924 <wsse:Security>
3925 <wsu:Timestamp wsu:Id="Timestamp">
3926 <wsu:Created>...</wsu:Created>
3927 <wsu:Expires>...</wsu:Expires>
3928 </wsu:Timestamp>
3929 <wsse:BinarySecurityToken wsu:Id="InitiatorToken" >
3930 ...
3931 </wsse:BinarySecurityToken>
3932 <xenc:EncryptedKey wsu:Id="InitiatorEncryptedKey" >
3933 ...
3934 <xenc:ReferenceList>
3935 <xenc:DataReference URI="#enc_Signature" />
3936 <xenc:DataReference URI="#enc_SigConf1" />
3937 <xenc:DataReference URI="#enc_SigConf2" />
3938 ...
3939 </xenc:ReferenceList>
3940 </xenc:EncryptedKey>
3941 <xenc:EncryptedData ID="enc_SigConf2" >
3942 <!-- Plaintext SignatureConfirmation
3943 <wsse11:SignatureConfirmation wsu:Id="SigConf2" ...>
3944 ...
3945 </wsse11:SignatureConfirmation>
3946 -->
3947 ...
3948 </xenc:EncryptedData>
3949 <xenc:EncryptedData ID="enc_SigConf1" >
3950 <!-- Plaintext SignatureConfirmation
3951 <wsse11:SignatureConfirmation wsu:Id="SigConf1" ...>
3952 ...
3953 </wsse11:SignatureConfirmation>
3954 -->
3955 ...
3956 </xenc:EncryptedData>
3957 <wsse:BinarySecurityToken wsu:Id="RecipientToken" >
3958 ...
3959 </wsse:BinarySecurityToken>
4033The following individuals have participated in the creation of this specification and are gratefully
4034acknowledged:
4035Original Authors of the intial contribution:
4036 Giovanni Della-Libera, Microsoft
4037 Martin Gudgin, Microsoft
4038 Phillip Hallam-Baker, VeriSign
4039 Maryann Hondo, IBM
4040 Hans Granqvist, Verisign
4041 Chris Kaler, Microsoft (editor)
4042 Hiroshi Maruyama, IBM
4043 Michael McIntosh, IBM
4044 Anthony Nadalin, IBM (editor)
4045 Nataraj Nagaratnam, IBM
4046 Rob Philpott, RSA Security
4047 Hemma Prafullchandra, VeriSign
4048 John Shewchuk, Microsoft
4049 Doug Walter, Microsoft
4050 Riaz Zolfonoon, RSA Security
4051
4052Original Acknowledgements of the initial contribution:
4053 Vaithialingam B. Balayoghan, Microsoft
4054 Francisco Curbera, IBM
4055 Christopher Ferris, IBM
4056 Cédric Fournet, Microsoft
4057 Andy Gordon, Microsoft
4058 Tomasz Janczuk, Microsoft
4059 David Melgar, IBM
4060 Mike Perks, IBM
4061 Bruce Rich, IBM
4062 Jeffrey Schlimmer, Microsoft
4063 Chris Sharp, IBM
4064 Kent Tamura, IBM
4065 T.R. Vishwanath, Microsoft
4066 Elliot Waingold, Microsoft
4067
4068TC Members during the development of this specification:
4069 Don Adams, Tibco Software Inc.
4070 Jan Alexander, Microsoft Corporation
4071 Steve Anderson, BMC Software
4072 Donal Arundel, IONA Technologies
4073 Howard Bae, Oracle Corporation
4074 Abbie Barbir, Nortel Networks Limited
4075 Charlton Barreto, Adobe Systems
4076 Mighael Botha, Software AG, Inc.
4077 Toufic Boubez, Layer 7 Technologies Inc.
4078 Norman Brickman, Mitre Corporation
331ws-securitypolicy-1.2-spec-os 1 July 2007
332Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 111 of 113
4079 Melissa Brumfield, Booz Allen Hamilton
4080 Lloyd Burch, Novell
4081 Scott Cantor, Internet2
4082 Greg Carpenter, Microsoft Corporation
4083 Steve Carter, Novell
4084 Symon Chang, BEA Systems, Inc.
4085 Ching-Yun (C.Y.) Chao, IBM
4086 Martin Chapman, Oracle Corporation
4087 Kate Cherry, Lockheed Martin
4088 Henry (Hyenvui) Chung, IBM
4089 Luc Clement, Systinet Corp.
4090 Paul Cotton, Microsoft Corporation
4091 Glen Daniels, Sonic Software Corp.
4092 Peter Davis, Neustar, Inc.
4093 Martijn de Boer, SAP AG
4094 Werner Dittmann, Siemens AG
4095 Abdeslem DJAOUI, CCLRC-Rutherford Appleton Laboratory
4096 Fred Dushin, IONA Technologies
4097 Petr Dvorak, Systinet Corp.
4098 Colleen Evans, Microsoft Corporation
4099 Ruchith Fernando, WSO2
4100 Mark Fussell, Microsoft Corporation
4101 Vijay Gajjala, Microsoft Corporation
4102 Marc Goodner, Microsoft Corporation
4103 Hans Granqvist, VeriSign
4104 Martin Gudgin, Microsoft Corporation
4105 Tony Gullotta, SOA Software Inc.
4106 Jiandong Guo, Sun Microsystems
4107 Phillip Hallam-Baker, VeriSign
4108 Patrick Harding, Ping Identity Corporation
4109 Heather Hinton, IBM
4110 Frederick Hirsch, Nokia Corporation
4111 Jeff Hodges, Neustar, Inc.
4112 Will Hopkins, BEA Systems, Inc.
4113 Alex Hristov, Otecia Incorporated
4114 John Hughes, PA Consulting
4115 Diane Jordan, IBM
4116 Venugopal K, Sun Microsystems
4117 Chris Kaler, Microsoft Corporation
4118 Dana Kaufman, Forum Systems, Inc.
4119 Paul Knight, Nortel Networks Limited
4120 Ramanathan Krishnamurthy, IONA Technologies
4121 Christopher Kurt, Microsoft Corporation
4122 Kelvin Lawrence, IBM
4123 Hubert Le Van Gong, Sun Microsystems
4124 Jong Lee, BEA Systems, Inc.
4125 Rich Levinson, Oracle Corporation
4126 Tommy Lindberg, Dajeil Ltd.
4127 Mark Little, JBoss Inc.
4128 Hal Lockhart, BEA Systems, Inc.
4129 Mike Lyons, Layer 7 Technologies Inc.
4130 Eve Maler, Sun Microsystems
4131 Ashok Malhotra, Oracle Corporation
4132 Anand Mani, CrimsonLogic Pte Ltd
4133 Jonathan Marsh, Microsoft Corporation
4134 Robin Martherus, Oracle Corporation
334ws-securitypolicy-1.2-spec-os 1 July 2007
335Copyright © OASIS® 1993–2007. All Rights Reserved. OASIS trademark, IPR and other policies apply. Page 112 of 113
4135 Miko Matsumura, Infravio, Inc.
4136 Gary McAfee, IBM
4137 Michael McIntosh, IBM
4138 John Merrells, Sxip Networks SRL
4139 Jeff Mischkinsky, Oracle Corporation
4140 Prateek Mishra, Oracle Corporation
4141 Bob Morgan, Internet2
4142 Vamsi Motukuru, Oracle Corporation
4143 Raajmohan Na, EDS
4144 Anthony Nadalin, IBM
4145 Andrew Nash, Reactivity, Inc.
4146 Eric Newcomer, IONA Technologies
4147 Duane Nickull, Adobe Systems
4148 Toshihiro Nishimura, Fujitsu Limited
4149 Rob Philpott, RSA Security
4150 Denis Pilipchuk, BEA Systems, Inc.
4151 Darren Platt, Ping Identity Corporation
4152 Martin Raepple, SAP AG
4153 Nick Ragouzis, Enosis Group LLC
4154 Prakash Reddy, CA
4155 Alain Regnier, Ricoh Company, Ltd.
4156 Irving Reid, Hewlett-Packard
4157 Bruce Rich, IBM
4158 Tom Rutt, Fujitsu Limited
4159 Maneesh Sahu, Actional Corporation
4160 Frank Siebenlist, Argonne National Laboratory
4161 Joe Smith, Apani Networks
4162 Davanum Srinivas, WSO2
4163 Yakov Sverdlov, CA
4164 Gene Thurston, AmberPoint
4165 Victor Valle, IBM
4166 Asir Vedamuthu, Microsoft Corporation
4167 Greg Whitehead, Hewlett-Packard
4168 Ron Williams, IBM
4169 Corinna Witt, BEA Systems, Inc.
4170 Kyle Young, Microsoft Corporation