Cancel Security Context Assertion
The Cancel Security Context assertion is used to cancel a secure conversation session (either inbound or outbound) that is no longer in use.
To learn about selecting the target message for this assertion, see Select a Target Message. The target message should be an RST SOAP message carrying the CancelTarget information (the WS-Trust Cancel binding) that identifies the session to cancel.
Canceling Inbound Session
Inbound sessions have a Security Context Token (SCT) created by the Create Security Context Token Assertion. Once canceled, this token is no longer valid for authentication and authorization purposes. The secure conversation session mapped by the identifier defined in the SCT will be destroyed.
After the token is canceled, the Build RSTR SOAP Response Assertion will create a response message containing a <wst:RequestedTokenCanceled/>, similar to the following:
```xml
<wst:RequestSecurityTokenResponse>
  <wst:RequestedTokenCanceled/>
</wst:RequestSecurityTokenResponse>
```
Canceling Outbound Session
Outbound sessions are established using the Establish Outbound Secure Conversation assertion. To cancel one, only the URL of the service whose session is being canceled needs to be specified.
Canceling an outbound session also cancels the inbound session if both are the same session. However, if the inbound session is not available (for example, it has already been canceled), this assertion does not fail.
Using the Assertion
1. Do one of the following:
   - To add the assertion to the Policy Development window, see Add an Assertion.
   - To change the configuration of an existing assertion, proceed to step 2 below.
2. Right-click <target>: Cancel Security Context to <service URL> in the policy window and select Security Context Cancellation Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
3. Configure the properties as follows:
   - Inbound Secure Conversation Session: Select this option to cancel an inbound secure conversation session.
   - Permit cancellation: If canceling an inbound session, choose when cancellation is possible:
     - always: There is no permission check; the token can always be canceled. When this option is selected, this assertion does not require an authenticated user.
     - when the token is owned by an authenticated user: Only the authenticated user has the right to cancel the token.
     - when the token was used to authenticate: Cancellation is possible only if the security token was used to authenticate the session. This setting is the default.
   - Outbound Secure Conversation Session: Select this option to cancel an outbound secure conversation session. Note that the inbound session will also be canceled if both sessions are the same session.
   - Service URL: Enter the URL of the service that created the security token.
   - Fail if the context is not found or has expired: Select this check box to indicate that the assertion will fail if the secure conversation session does not exist or has expired. Clear this check box to allow the assertion to succeed even if the context is not found or is expired.
4. Click [OK] when done.
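The following is an added example, not the Gateway's own code, that models the inbound cancellation exchange described under Canceling Inbound Session together with the Permit cancellation and Fail if the context is not found settings above: it reads the SCT identifier from a constructed RST Cancel message, applies the chosen permission setting against a constructed session table, destroys the session and emits the RSTR containing wst:RequestedTokenCanceled. The WS-Trust and WS-Security namespaces are the real ones; the session table, SCT identifiers, user names and the internal setting names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CANCEL = WST + "/Cancel"

# Constructed RST: the kind of target message the assertion expects (Cancel binding).
SAMPLE_RST = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsse="{WSSE}">
  <wst:RequestType>{CANCEL}</wst:RequestType>
  <wst:CancelTarget><wsse:SecurityTokenReference>
    <wsse:Reference URI="urn:uuid:sct-1111"/>
  </wsse:SecurityTokenReference></wst:CancelTarget>
</wst:RequestSecurityToken></s:Body></s:Envelope>"""
# Constructed inbound session table (assumed shape): SCT identifier -> session owner.
SESSIONS = {"urn:uuid:sct-1111": {"owner": "alice"},
            "urn:uuid:sct-2222": {"owner": "bob"}}

def cancel_target_id(rst_xml):
    """Return the SCT identifier named by wst:CancelTarget, or None if absent."""
    rst = ET.fromstring(rst_xml).find(f".//{{{WST}}}RequestSecurityToken")
    if rst is None or rst.findtext(f"{{{WST}}}RequestType") != CANCEL:
        return None
    ref = rst.find(f"{{{WST}}}CancelTarget/{{{WSSE}}}SecurityTokenReference"
                   f"/{{{WSSE}}}Reference")
    return None if ref is None else ref.get("URI")

def permitted(sct_id, session, permit, user, auth_token_id):
    """Apply the 'Permit cancellation' setting (setting names are assumed)."""
    if permit == "always":                   # no permission check at all
        return True
    if permit == "owned_by_authenticated_user":
        return user is not None and session["owner"] == user
    if permit == "used_to_authenticate":     # the default setting
        return auth_token_id == sct_id       # this request was authenticated with the SCT
    raise ValueError(f"unknown permit setting {permit!r}")

def cancel_inbound(rst_xml, sessions, permit="used_to_authenticate",
                   user=None, auth_token_id=None, fail_if_not_found=True):
    """Return (assertion_succeeded, rstr_xml_or_None) for an inbound cancel."""
    sct_id = cancel_target_id(rst_xml)
    session = sessions.get(sct_id)
    if session is None:                      # context not found or already expired
        return (not fail_if_not_found), None
    if not permitted(sct_id, session, permit, user, auth_token_id):
        return False, None
    del sessions[sct_id]                     # session destroyed; SCT no longer valid
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}RequestedTokenCanceled")
    return True, ET.tostring(rstr, encoding="unicode")
```

A second cancel of the same SCT hits the "context not found" path, so whether the assertion then succeeds depends only on the fail_if_not_found setting.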