(Non-SOAP) Check Results from XML Verification Assertion

The (Non-SOAP) Check Results from XML Verification assertion ("Check" assertion) provides a quick way to check the contents of the context variables produced by the (Non-SOAP) Verify XML Element Assertion.
The following is a more in-depth description of what happens when you use the "Check" assertion:
  1. First, you select the signed element(s) to verify.
  2. Next, you select the signature methods and digest methods that you are permitting. Optionally indicate whether to gather the signing certificates as credentials.
  3. The "Check" assertion then checks the <prefix>.elementsVerified variable for the signed elements and notes the index position of any matches. (This is similar to using the Look Up Item by Value assertion on the <prefix>.elementsVerified variable.)
  4. If a match is found, the assertion then checks whether the corresponding index position in the <prefix>.signatureMethodUris variable matches any of the "Permitted signature methods". (This is similar to using the Look Up Item by Index Position assertion on the <prefix>.signatureMethodUris variable, followed by an At Least One Assertion Must Evaluate to True assertion containing one or more Compare Expression assertions to check the value.)
  5. If a match is found, the same thing is repeated on the corresponding index position in the <prefix>.digestMethodUris variable to see if it matches any of the "Permitted digest methods". (This is similar to using the Look Up Item by Index Position assertion on the <prefix>.digestMethodUris variable, followed by an At Least One Assertion Must Evaluate to True assertion containing one or more Compare Expression assertions to check the value.)
  6. If a match is found and you are gathering signing certificates, the assertion retrieves the certificate from the corresponding index position in the <prefix>.signingCertificates variable and gathers it as X.509 credentials.
This assertion will succeed only when all elements in the target message that match the XPath are present in the specified verify results and were signed using one of the specified signature and digest methods.
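The lookup sequence in steps 3 to 6, modelled in Python as an added example (it is not the gateway's own code). The dictionary stands in for the <prefix>.* context variables with constructed values, and the model assumes that an element listed more than once passes if at least one of its index positions uses permitted methods.

```python
# Added illustration: models the index-aligned lookups in steps 3-6. Not gateway code.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample of the <prefix>.* variables: four parallel, index-aligned lists.
SAMPLE = {
    "elementsVerified":    ["/order/payment", "/order/items", "/order/payment"],
    "signatureMethodUris": [RSA_SHA1,          RSA_SHA256,     RSA_SHA256],
    "digestMethodUris":    [SHA1,              SHA256,         SHA256],
    "signingCertificates": ["cert-A",          "cert-B",       "cert-C"],
}


def check_results(selected, ctx, permitted_sig, permitted_digest, gather=False):
    """Return (ok, reason, credentials) for the elements the XPath selected."""
    credentials = []
    for element in selected:
        # Step 3: index positions where this element appears in elementsVerified.
        positions = [i for i, e in enumerate(ctx["elementsVerified"]) if e == element]
        if not positions:
            return False, f"{element}: not in elementsVerified", []
        # Steps 4-5: the same index in both method lists must hold a permitted URI.
        # Assumption (not stated on the page): one acceptable position is enough.
        good = [i for i in positions
                if ctx["signatureMethodUris"][i] in permitted_sig
                and ctx["digestMethodUris"][i] in permitted_digest]
        if not good:
            return False, f"{element}: no permitted signature/digest method", []
        # Step 6: gather the certificate at the same index as a credential.
        if gather:
            credentials.extend(ctx["signingCertificates"][i] for i in good)
    return True, "ok", credentials
```

With only RSA-SHA256 and SHA-256 permitted, `/order/payment` passes through its second entry (index 2) even though its first entry used SHA-1, and the certificate gathered is the one at that same index.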
To learn about selecting the target message for this assertion, see Select a Target Message.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click <target>: (Non-SOAP) Check Results from XML Verification [XPath] in the policy window and select (Non-SOAP) XML Verification Properties or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Click [Edit XPath] to specify the signed element(s) to verify. For more information, see Select an XPath.
  4. Enter the context variable prefix that was used in the (Non-SOAP) Verify XML Element assertion. If no prefix was used, leave the field blank.
  5. Select the Gather signer certificate(s) as credentials check box if you want to use the signing certificate as an X.509 credential for later authorization with a specific User or Member of Group assertion. See Retrieve Credentials from Context Variable Assertion.
  6. Click [OK].