This article describes the configuration steps needed to allow IBM Integration Bus to accept a SAML token signed using an STR-Transform algorithm.

If you want to create a provider flow (a SOAPInput flow) in IBM Integration Bus that can accept SAML tokens signed using an STR-Transform algorithm, you need to edit the policy binding XML files by hand. This is because IBM Integration Bus uses only one transform algorithm to sign message parts, Exclusive XML Canonicalization (http://www.w3.org/2001/10/xml-exc-c14n).

Here are the steps that you need to follow in order to receive a SAML token signed by an STR-Transform algorithm.

1. Configure the policy set using the policy editor.

First, create a policy set using the policy editor. Then add a reference to the SAML authentication token and to the SecurityTokenReference message part in the policy set, as shown below.

  1. In the authentication token panel, add a SAMLv2.0 Passthrough authentication token.
     (Figure: Policy editor authentication token panel)
  2. In the Message part protection panel, add a new field named signature_part_request_strd.
     (Figure: Message Part Protection panel)
  3. Specify the XPath to the SecurityTokenReference message part in the XPath panel of the policy editor. Add two XPath expressions (one for the SOAP 1.2 envelope namespace, one for SOAP 1.1) with the following values:

i) /*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']

ii) /*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='SecurityTokenReference']

(Figure: XPath panel of the policy editor)

2. Configure the policy set binding manually to include the STR-Transform algorithm

Finally, edit the policy binding to include the message part created in the policy set. This step requires manually editing the policy binding XML file, which you can find at the following location:

$MQSI_WORKPATH/registry/<IIBNODE>/CurrentVersion/ExternalResources/PolicySetBindings/UserDefined/<binding_name>/ws-security.dat

  • Open the above file and find the following tag inside its XML content:
    <securitybinding:securityInboundBindingConfig>
  • Under that tag you will find a securitybinding:signingInfo element.
  • Before its closing tag, </securitybinding:signingInfo>, add the following content:
    <securitybinding:signingPartReference reference="request:signature_part_request_strd">
      <securitybinding:transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"/>
    </securitybinding:signingPartReference>
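As an added example (not code from the article or from IBM), the following Python script applies the step 2 edit idempotently: it checks the content of ws-security.dat for the STR-Transform signingPartReference under securityInboundBindingConfig/signingInfo and appends it only when it is missing. The sample binding and its namespace URI are constructed placeholders; the real file declares IBM's own namespace, which does not matter here because the script matches elements by local name.

```python
import xml.etree.ElementTree as ET

# Algorithm URI and message-part name exactly as the article gives them.
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
PART_NAME = "signature_part_request_strd"

# Constructed sample shaped like the ws-security.dat fragment the article edits (placeholder namespace URI).
SAMPLE = """<securitybinding:securityBindings xmlns:securitybinding="urn:placeholder:securitybinding">
  <securitybinding:securityInboundBindingConfig>
    <securitybinding:signingInfo>
      <securitybinding:signingPartReference reference="request:app_signparts">
        <securitybinding:transform algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </securitybinding:signingPartReference>
    </securitybinding:signingInfo>
  </securitybinding:securityInboundBindingConfig>
</securitybinding:securityBindings>"""

def _local(tag):  # '{uri}signingInfo' -> 'signingInfo'
    return tag.rsplit("}", 1)[-1]
def _first(elem, name):  # first element in the subtree with that local name, any namespace
    return next((e for e in elem.iter() if _local(e.tag) == name), None)
def _inbound_signing_info(root):  # signingInfo under securityInboundBindingConfig, or None
    inbound = _first(root, "securityInboundBindingConfig")
    return _first(inbound, "signingInfo") if inbound is not None else None
def _has_str_reference(signing, part_name):  # is request:<part> already signed with STR-Transform?
    for ref in signing.iter():
        if _local(ref.tag) == "signingPartReference" and ref.get("reference") == "request:" + part_name:
            return any(_local(t.tag) == "transform" and t.get("algorithm") == STR_TRANSFORM for t in ref)
    return False

def has_str_transform(xml_text, part_name=PART_NAME):  # check a binding file's content
    signing = _inbound_signing_info(ET.fromstring(xml_text))
    return signing is not None and _has_str_reference(signing, part_name)

def add_str_transform(xml_text, part_name=PART_NAME):
    """Return (new_xml, changed): append the article's signingPartReference under the
    inbound signingInfo unless it is already there, so re-running the edit is safe."""
    root = ET.fromstring(xml_text)
    signing = _inbound_signing_info(root)
    if signing is None:
        raise ValueError("binding has no securityInboundBindingConfig/signingInfo")
    if _has_str_reference(signing, part_name):
        return xml_text, False
    ns = signing.tag[1:].split("}", 1)[0] if signing.tag.startswith("{") else ""
    q = (lambda n: "{%s}%s" % (ns, n)) if ns else (lambda n: n)  # qualify like the parent
    if ns:  # serialize with the securitybinding: prefix instead of ElementTree's ns0:
        ET.register_namespace("securitybinding", ns)
    ref = ET.SubElement(signing, q("signingPartReference"), reference="request:" + part_name)
    ET.SubElement(ref, q("transform"), algorithm=STR_TRANSFORM)
    return ET.tostring(root, encoding="unicode"), True
```

ElementTree rewrites namespace prefixes it does not know and drops comments and the XML declaration, so diff the returned text against the original before replacing ws-security.dat.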

The above steps will enable your provider policy set and binding to accept SAML tokens signed using the STR-Transform algorithm. Please note that the above steps are meant to add the STR-Transform configuration to an existing policy set and binding file. To create the policy set and bindings, please refer to the IBM Integration Bus Knowledge Center.

To learn more about the STR-Transform algorithm feature, please refer to the IBM WebSphere Application Server Knowledge Center.
