Enable WS-Security for SOAP backends
In a REST to SOAP scenario where the backend demands that the SOAP message be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template, but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.myweb.com">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-123456">generatedtoken</wsse:BinarySecurityToken>
      <ds:Signature Id="SIG-65D54B60823432DD6615040826919135" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces PrefixList="soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:CanonicalizationMethod>
          ...
          <ds:Reference URI="#id-12345">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transform>
            </ds:Transforms>
            ...
          </ds:Reference>
        </ds:SignedInfo>
        ...
        <ds:KeyInfo Id="KI-123456">
          <wsse:SecurityTokenReference wsu:Id="STR-65D54B60823432DD6615040826918923">
            <wsse:Reference URI="#X509-123456" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body wsu:Id="id-12345" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ...
  </soapenv:Body>
</soapenv:Envelope>
The certificate should be one of those available in my APIM instance.
Hi Carlos – thanks for your feedback. We need more feedback from users on this feature due to the many complexities of how WS-Security is implemented. Would what Carlos describes be helpful for you? Is this preferable to a mutual TLS connection to secure the communication?
We need this as well, please add!
Akshay Goel commented
It's been very difficult to deal with SOAP services while working over Azure APIM. I hope to see this functionality soon so that I can recommend to switch over Azure.
Ryan McNeilly commented
In healthcare we are still very SOAP heavy and WS-security is part of that mix. Healthcare seems to lag 10-20 years behind so this will be around for a very long time. Would like to see WS-security policy handling added to APIM.
Integrating with 3rd parties that STILL require WS-Security is not possible with native Azure API Management policies. A secure Azure-based solution that works within APIM boundaries requires a complex mix of function apps, app service environments, storage accounts to hold custom DLLs, key vaults, and private VNET integrations. Also ironic: Microsoft developed the WS-SEC protocol!
One more waiting for this feature here...
Several enterprise-level SOAP backends use WS-Security with certificate signatures. We are not always able to change those, and as such this would be needed if we want to consume those services in API Management.
Currently, the best option seems to be a passthrough, but that again limits us to using the full .NET Framework, as .NET Core doesn't support this either.
Hi Team, we were also expecting this functionality to be available.
When can this be implemented? Waiting for it.