I apologize, the state of the documentation for this particular policy is currently not very good. Not only does it not explain the precedence of various configuration elements, the example configuration is broken and otherwise unhelpful or misleading.
I think you want to create a SAML assertion and inject it into a SOAP message. The GenerateSAMLAssertion policy can do that .
A configuration that I have, which works, is:
<GenerateSAMLAssertion name="SAML-2" ignoreContentType="false">
<!-- set issuer and subject to hard-coded values -->
<Issuer>urn://18CF315A-6A9A-481F-93B8-C1AB988A7D49</Issuer>
<Subject>dinochiesa</Subject>
<!-- specify the digest and signature methods for the assertion -->
<DigestMethod>SHA256</DigestMethod>
<SignatureAlgorithm>rsa-sha256</SignatureAlgorithm>
<!-- the key and cert for signing -->
<KeyStore>
<Name>20191028-rzt9q2ppa6e</Name>
<Alias>key1</Alias> <!-- cert and key -->
</KeyStore>
<!-- where to put the assertion -->
<OutputVariable>
<Message name="request">
<Namespaces>
<Namespace prefix="soap">http://schemas.xmlsoap.org/soap/envelope/</Namespace>
<Namespace prefix="wsse">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
</Namespaces>
<XPath>/soap:Envelope/soap:Header/wsse:Security</XPath>
</Message>
</OutputVariable>
<!-- the shape of the assertion to sign -->
<Template ignoreUnresolvedVariables="false">
<!-- the content of the assertion -->
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{saml.id}" Version="2.0" IssueInstant="{saml.issueInstant}">
<saml:Issuer>{saml.issuer}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="{saml.subjectFormat}">{saml.subject}</saml:NameID>
</saml:Subject>
<saml:AuthnStatement AuthnInstant="{saml.authnInstant}" SessionIndex="{saml.authnSessionIndex}">
<saml:AuthnContext>
<saml:AuthnContextClassRef>{saml.authnContextClassRef}</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</Template>
</GenerateSAMLAssertion>
Some notes:
- The reason why yours did not work is because you had problems with prefixes in your XPath as well as with namespaces.
- the digest method can be sha1 or sha256
- the signature method can be rsa-sha1 or rsa-sha256
- The keystore obviously should have an RSA key and cert
- Originally, I was not able to get the XPath to work with Namespaces, so I used wildcards in the XPath. Later I figured out the problem: the soap namespace you are using in the sample input message you provided, is non-standard. I copied that message directly, and used it for examples, and as a result my XPath was not matching. When I fixed the Soap namespace in the original document, it worked as expected.
- The XPath MUST resolve to an existing element in the source XML document! The policy will insert the signed Assertion as a child of the configured location. Your sample did not include a wsse:Security element, which means using an XPath that specifies the Security element in the policy configuration would fail. To correct that, I injected an empty soap:Header and wsse:Security element. The resulting sample unsigned SOAP document is below.
- The Template element specifies the shape of the SAML thing you want to sign. You have control over that. If you don't supply a Template then ... Apigee uses a default template for the Assertion which uses the Issuer, Subject, and AuthnStatement.
This sample unsigned SOAP message includes the required empty wsse:Security element, as well as a correct SOAP 1.1 namespace:
<SOAP-ENV:Envelope
xmlns:SOAP-ENV = "http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<SOAP-ENV:Header>
<wsse:Security/>
</SOAP-ENV:Header>
<SOAP-ENV:Body
xmlns:m = "http://www.xyz.org/quotation">
<m:GetQuotationResponse>
<m:Quotation>Here is the quotation</m:Quotation>
</m:GetQuotationResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
LinkedIn
Twitter
