vCenter Single Sign-On Security Policies
Web service security policies define the
requirements for secure communication between a Web service and a client.
vCenter Single Sign-On security policies are based on the WS-Policy framework
and WS-SecurityPolicy specifications. A policy identifies specific elements for
token requests. Based on the policy requirements, a vCenter Single Sign-On
client will insert data into the SOAP security header for the token request.
vCenter Single Sign-On defines security policies for end user access, solution access, and token exchange. The policies stipulate the following elements:
- Security token types (x509V3, x509PKIPathV1, or x509PKCS7 certificate tokens, or the WssSamlV20Token11 SAML token)
- Message timestamps
- Security binding (transport)
- Algorithm suite (Basic256Sha256, which pairs AES-256 encryption with SHA-256 digests)
vCenter Single Sign-On security policies specify that the body of the SOAP message for a holder-of-key token must be signed, so that the requester proves possession of the key the token is bound to. Bearer tokens carry no such proof of possession: they require only the username and timestamp tokens, and a bearer token is therefore usable by any party that holds it.
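As an added example (not code from the vCenter Single Sign-On SDK), the following Python builds a SOAP Issue request whose wsse:Security header carries a Timestamp and a plaintext-password UsernameToken, and then checks a request against the two requirements just described: a bearer request needs only the username and timestamp tokens, while a holder-of-key request must carry a ds:Signature whose references cover the SOAP Body. The namespace URIs are the standard SOAP 1.1, WS-Security 1.0 and XML-DSig ones; the RequestSecurityToken payload is a constructed placeholder, and the signature helper produces only the ds:Signature structure with placeholder digest and signature values so that the policy check can be exercised offline (a real holder-of-key request carries values computed with the client's private key).

```python
"""Build and policy-check WS-Security headers for a vCenter Single Sign-On Issue request.

Added example, not SDK code. Only the structural policy rules described in the
text are checked: timestamp freshness, username token for bearer requests, and a
signature covering the SOAP Body for holder-of-key requests. No cryptography is
performed here.
"""
import datetime as dt
import xml.etree.ElementTree as ET

# Standard namespace URIs (SOAP 1.1 envelope assumed).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def _q(prefix, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)


def _parse_ts(text):
    """Parse a wsu:Created/wsu:Expires value; None if absent or malformed."""
    if not text:
        return None
    for fmt in (TS_FORMAT, "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(text, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    return None


def build_issue_request(username, password, now, lifetime=dt.timedelta(minutes=5)):
    """Bearer-style Issue request: wsu:Timestamp plus a plaintext-password
    wsse:UsernameToken in the Security header, and a Body tagged with wsu:Id so a
    signature could reference it.  The wst:RequestSecurityToken element is a
    constructed placeholder, not the full WS-Trust payload the SDK sends."""
    env = ET.Element(_q("soap", "Envelope"))
    header = ET.SubElement(env, _q("soap", "Header"))
    sec = ET.SubElement(header, _q("wsse", "Security"))
    ts = ET.SubElement(sec, _q("wsu", "Timestamp"), {_q("wsu", "Id"): "timestamp"})
    ET.SubElement(ts, _q("wsu", "Created")).text = now.strftime(TS_FORMAT)
    ET.SubElement(ts, _q("wsu", "Expires")).text = (now + lifetime).strftime(TS_FORMAT)
    ut = ET.SubElement(sec, _q("wsse", "UsernameToken"))
    ET.SubElement(ut, _q("wsse", "Username")).text = username
    ET.SubElement(ut, _q("wsse", "Password"), {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, _q("soap", "Body"), {_q("wsu", "Id"): "body"})
    ET.SubElement(body, _q("wst", "RequestSecurityToken"))
    return ET.tostring(env)


def add_signature(envelope_xml, reference_ids):
    """Attach a ds:Signature whose SignedInfo references the given wsu:Id values.
    Constructed fixture: DigestValue/SignatureValue are placeholders so the
    structural policy check below can be exercised without a private key."""
    env = ET.fromstring(envelope_xml)
    sec = env.find("soap:Header/wsse:Security", NS)
    sig = ET.SubElement(sec, _q("ds", "Signature"))
    signed_info = ET.SubElement(sig, _q("ds", "SignedInfo"))
    for ref_id in reference_ids:
        ref = ET.SubElement(signed_info, _q("ds", "Reference"), {"URI": "#" + ref_id})
        ET.SubElement(ref, _q("ds", "DigestValue")).text = "PLACEHOLDER"
    ET.SubElement(sig, _q("ds", "SignatureValue")).text = "PLACEHOLDER"
    return ET.tostring(env)


def check_security_header(envelope_xml, token_kind, now, max_skew=dt.timedelta(minutes=5)):
    """Return a list of policy violations; an empty list means the header is acceptable.
    token_kind is "bearer" (username + timestamp tokens suffice) or "holder-of-key"
    (the SOAP Body must be covered by the request signature)."""
    env = ET.fromstring(envelope_xml)
    sec = env.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["missing wsse:Security header"]
    problems = []
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        problems.append("missing wsu:Timestamp")
    else:
        created = _parse_ts(ts.findtext("wsu:Created", namespaces=NS))
        expires = _parse_ts(ts.findtext("wsu:Expires", namespaces=NS))
        if created is None or expires is None:
            problems.append("Timestamp lacks a valid Created/Expires pair")
        else:
            if created > now + max_skew:
                problems.append("Timestamp Created is in the future")
            if expires <= now - max_skew:
                problems.append("Timestamp has expired")
    if token_kind == "bearer":
        ut = sec.find("wsse:UsernameToken", NS)
        if (ut is None or not ut.findtext("wsse:Username", namespaces=NS)
                or ut.find("wsse:Password", NS) is None):
            problems.append("bearer request needs a UsernameToken with Username and Password")
    elif token_kind == "holder-of-key":
        body = env.find("soap:Body", NS)
        body_id = body.get(_q("wsu", "Id")) if body is not None else None
        refs = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
        if not refs:
            problems.append("holder-of-key request has no ds:Signature")
        elif body_id is None or "#" + body_id not in refs:
            problems.append("SOAP Body is not covered by the signature")
    else:
        raise ValueError("token_kind must be 'bearer' or 'holder-of-key'")
    return problems


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    req = build_issue_request("administrator@vsphere.local", "constructed-password", now)
    print("bearer:", check_security_header(req, "bearer", now))
    print("hok, timestamp only signed:",
          check_security_header(add_signature(req, ["timestamp"]), "holder-of-key", now))
```

The check deliberately treats a signature that covers only the Timestamp as a violation for holder-of-key requests: the policy ties proof of possession to the Body, and a signature over other header parts alone does not satisfy it.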
The vCenter Single Sign-On server
issues SAML tokens to represent client authentication. The standards
documentation also uses the term “token” to refer to claims and certificate
data that is inserted into SOAP security headers.
The following table shows the vCenter Single
Sign-On policies and identifies the requirements for each policy. The vCenter
Single Sign-On WSDL defines these policies for use with the vCenter Single
Sign-On methods.
Policy | Description
---|---
STSSecPolicy | Defines the transport policy and algorithm suite for all communication with the vCenter Single Sign-On server.
IssueRequestPolicy | Defines the security policy for Issue token requests. IssueRequestPolicy specifies either username token (signed), username token (plaintext password), X509 certificate, or holder-of-key token authentication. You specify username/password or X509 certificate credentials to obtain a vCenter Single Sign-On token. If you obtain a holder-of-key token, you can use that token for subsequent Issue requests. The policy defines one variant for each of the four authentication methods: username token (signed), username token (plaintext password), X509 certificate, and holder-of-key token.
RenewRequestPolicy | Defines the security policy for Renew token requests. The request must contain one of the endorsing supporting tokens that the policy enumerates, and the SOAP message body must be included in the signature generated with that token.
SDK Support for vCenter Single Sign-On Security Policies
The vCenter Single Sign-On SDK provides Java
utilities that support the vCenter Single Sign-On security policies. Your
vCenter Single Sign-On client can use these utilities to create digital
signatures and supporting tokens, and insert them into SOAP headers as required
by the policies. The SOAP header utilities are defined in files that are
located in the samples directory:
SDK\sso\java\JAXWS\samples\com\vmware\sso\client\soaphandlers