Data Service Configuration for using STS
In the Talend Runtime Container, the configuration used by Data Service Consumers for using Security Token Service (STS) can be defined in the file: <TalendRuntimePath>/container/etc/org.talend.esb.job.client.sts.cfg.
#STS endpoint configuration
sts.wsdl.location = \
http://localhost:8040/services/SecurityTokenService/UT?wsdl
sts.namespace = http://docs.oasis-open.org/ws-sx/ws-trust/200512/
sts.service.name = SecurityTokenService
sts.endpoint.name = UT_Port
#STS properties configuration
security.sts.token.username = myclientkey
security.sts.token.usecert = true
ws-security.is-bsp-compliant = false
security.sts.token.properties = \
file:${tesb.home}/etc/keystores/clientKeystore.properties
The STS endpoint used by the consumer is defined by sts.wsdl.location. Change this setting if the STS service is running on a different host or port. The keystore configuration described above is used for signing the timestamp that the consumer sends in its request to the provider. The Talend ESB-supplied sample keystores and certificates above are not meant for production use. Be sure to use your own keys (with different passwords) and configure them as discussed below.
A Data Service consumer can use two types of authentication mechanisms: Username token and SAML token.
- When using Username token, the consumer sends the credentials as a part of the request to the provider and authentication is performed on the provider side. The policy used by the consumer for Username token authentication is defined in the file <TalendRuntimePath>/etc/org.talend.esb.job.token.policy.
- For SAML token, the consumer sends a SAML token issue request to the STS, passing its credentials; on successful authentication the STS issues a SAML token. This SAML token is sent as a part of the request to the provider, and the provider verifies the validity of the SAML token. The policy used by the consumer for SAML token authentication is defined in the file <TalendRuntimePath>/etc/org.talend.esb.job.saml.policy.
When using Username token, a Data Service provider receives credentials from the consumer and performs authentication locally. By default a Data Service provider is configured with a JAAS authentication handler and uses the default JAAS context, karaf, configured for the Talend Runtime Container. The login module configured for this context uses the file located in /etc/users.properties, which contains a list of users and their passwords. Thus, any user that needs to be authenticated should be listed in this file.
In the case of a SAML token, the provider locally verifies the integrity of the token using a certificate; the configuration for this is defined in the file <TalendRuntimePath>/etc/org.talend.esb.job.service.cfg.
security.signature.properties = \
file:${tesb.home}/etc/keystores/serviceKeystore.properties
security.signature.username = myservicekey
security.signature.password = skpass
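As an added example (not part of the Talend documentation or code base), the following Python script parses a Karaf .cfg file of the kind shown above, handling the trailing-backslash line continuations and the ${tesb.home} placeholder, and then audits the parsed settings for the sample key aliases, password and keystore files quoted on this page, which the text says must not be used in production. The sample configuration embedded in the script is constructed from the consumer-side file above; the tesb.home path is an assumed value.

```python
# Constructed sample: the consumer-side org.talend.esb.job.client.sts.cfg quoted on this page.
SAMPLE_CFG = """\
#STS endpoint configuration
sts.wsdl.location = \\
http://localhost:8040/services/SecurityTokenService/UT?wsdl
sts.namespace = http://docs.oasis-open.org/ws-sx/ws-trust/200512/
sts.service.name = SecurityTokenService
sts.endpoint.name = UT_Port
#STS properties configuration
security.sts.token.username = myclientkey
security.sts.token.usecert = true
ws-security.is-bsp-compliant = false
security.sts.token.properties = \\
file:${tesb.home}/etc/keystores/clientKeystore.properties
"""
# Sample identifiers shipped with Talend ESB (quoted on this page); their presence means demo keys are in use.
SAMPLE_VALUES = {
    "security.sts.token.username": "myclientkey",
    "security.signature.username": "myservicekey",
    "security.signature.password": "skpass",
}

def parse_cfg(text: str, tesb_home: str) -> dict[str, str]:
    """Parse a Karaf .cfg (Java-properties style): '#' comment lines, 'key = value' pairs,
    trailing '\\' continuations (next line trimmed and appended) and ${tesb.home} expansion."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue                      # blank/comment lines only count outside a continuation
        buf += line
        if buf.endswith("\\"):
            buf = buf[:-1]                # value continues on the next line
            continue
        key, _, value = buf.partition("=")
        props[key.strip()] = value.strip().replace("${tesb.home}", tesb_home)
        buf = ""
    return props

def audit(props: dict[str, str]) -> list[str]:
    """Report settings that still carry the sample values this page says not to use in production."""
    findings = []
    for key, sample in SAMPLE_VALUES.items():
        if props.get(key) == sample:
            findings.append(f"{key} still uses sample value {sample!r}")
    for key in ("security.sts.token.properties", "security.signature.properties"):
        path = props.get(key, "")
        if path.endswith(("clientKeystore.properties", "serviceKeystore.properties")):
            findings.append(f"{key} points at the sample keystore {path!r}")
    return findings
```

Running audit(parse_cfg(SAMPLE_CFG, "/opt/talend")) on the page's sample file reports both the myclientkey alias and the clientKeystore.properties file; the same check against the provider-side org.talend.esb.job.service.cfg catches myservicekey and skpass.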