In the Talend Runtime Container, the configuration used by Data Service Consumers for using Security Token Service (STS) can be defined in the file: <TalendRuntimePath>/container/etc/org.talend.esb.job.client.sts.cfg.
#STS endpoint configuration
sts.wsdl.location = \
http://localhost:8040/services/SecurityTokenService/UT?wsdl
sts.namespace = http://docs.oasis-open.org/ws-sx/ws-trust/200512/
sts.service.name = SecurityTokenService
sts.endpoint.name = UT_Port
#STS properties configuration
security.sts.token.username = myclientkey
security.sts.token.usecert = true
ws-security.is-bsp-compliant = false
security.sts.token.properties = \
file:${tesb.home}/etc/keystores/clientKeystore.properties
The STS endpoint used by the consumer is defined by sts.wsdl.location. Change this setting if the STS is running on a different host or port. The keystore configuration described above is used for signing the timestamp that the consumer sends in its request to the provider. The sample keystores and certificates supplied with Talend ESB, referenced above, are not meant for production use. Be sure to use your own keys (with different passwords) and configure them as discussed below.
A Data Service consumer can use two types of authentication mechanisms: Username token and SAML token.
- When using Username token, the consumer sends the credentials as a part of the request to the provider and authentication is performed on the provider side. The policy used by the consumer for Username token authentication is defined in the file <TalendRuntimePath>/etc/org.talend.esb.job.token.policy.
- For SAML token, the consumer makes a SAML token issue request to the STS passing its credentials and on successful authentication the STS issues a SAML token. This SAML token is sent as a part of the request to the provider and the provider verifies the validity of the SAML token. The policy used by the consumer for SAML token authentication is defined in the file <TalendRuntimePath>/etc/org.talend.esb.job.saml.policy.
When using Username token, a Data Service provider receives credentials from the consumer and performs authentication locally. By default a Data Service provider is configured with the JAAS authentication handler and uses the default JAAS context karaf configured for the Talend Runtime Container. The login module configured for this context uses the file located in /etc/users.properties, which contains a list of users and their passwords. Thus, any user who needs to be authenticated must be listed in this file.
In the case of a SAML token, the provider locally verifies the integrity of the token using a certificate; the configuration for this is defined in the file <TalendRuntimePath>/etc/org.talend.esb.job.service.cfg.
security.signature.properties = \
file:${tesb.home}/etc/keystores/serviceKeystore.properties
security.signature.username = myservicekey
security.signature.password = skpass
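A small pre-production audit of these files, added here as an example and not part of Talend's own code: it parses the Karaf-style .cfg properties format used above (comments, backslash continuation lines, ${tesb.home} placeholders) and then flags the two things this page says to change before production, an STS endpoint still on localhost and any of the sample key aliases or passwords shown above. The function names, the `/opt/talend` value for tesb.home and the embedded sample configuration are assumptions constructed for the example; the same audit runs unchanged over org.talend.esb.job.service.cfg.

```python
import re

# Constructed sample: the consumer STS configuration from this page as shipped.
SAMPLE_CFG = """\
#STS endpoint configuration
sts.wsdl.location = \\
http://localhost:8040/services/SecurityTokenService/UT?wsdl
sts.namespace = http://docs.oasis-open.org/ws-sx/ws-trust/200512/
sts.service.name = SecurityTokenService
sts.endpoint.name = UT_Port
#STS properties configuration
security.sts.token.username = myclientkey
security.sts.token.usecert = true
ws-security.is-bsp-compliant = false
security.sts.token.properties = \\
file:${tesb.home}/etc/keystores/clientKeystore.properties
"""

# Sample key aliases and password named on this page; they must not reach production.
SAMPLE_VALUES = {"myclientkey", "myservicekey", "skpass"}

def parse_properties(text, variables=None):
    """Parse a Karaf-style .cfg file: '#'/'!' comments, 'key = value' pairs,
    backslash continuation lines and ${var} placeholders resolved from `variables`."""
    variables = variables or {}
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if not pending and (not line.strip() or line.lstrip()[0] in "#!"):
            continue                        # blank line or comment
        if line.endswith("\\"):             # continuation: join with the next line
            pending += line[:-1]
            continue
        full, pending = pending + line, ""
        key, _, value = full.partition("=")
        value = re.sub(r"\$\{([\w.]+)\}",   # unknown placeholders are left as-is
                       lambda m: variables.get(m.group(1), m.group(0)), value.strip())
        props[key.strip()] = value
    return props

def audit_sts_config(props):
    """Findings to clear before use outside a demo: an STS endpoint still on
    localhost, or any Talend sample key alias/password left in place."""
    findings = []
    if re.match(r"https?://(localhost|127\.0\.0\.1)(:\d+)?/", props.get("sts.wsdl.location", "")):
        findings.append("sts.wsdl.location still points at localhost; set the real STS host and port")
    for key, value in props.items():
        if value in SAMPLE_VALUES:
            findings.append(f"{key} uses the Talend sample value {value!r}; use your own key")
    return findings
```

Run `audit_sts_config(parse_properties(open(path).read(), {"tesb.home": "/opt/talend"}))` over each of the two files; an empty list means both checks passed.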