How can we improve Azure API Management?

← API Management

Enable WS-Security for SOAP backends

In a REST to SOAP scenario where the backend demands the SOAP message to be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:web="http://webservices.myweb.com">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
......<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary&quot; ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3&quot; wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>

  &lt;ds:Signature Id=&quot;SIG-65D54B60823432DD6615040826919135&quot; xmlns:ds=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2000/09/xmldsig#&quot;">http://www.w3.org/2000/09/xmldsig#&quot;</a>&gt;

  &lt;ds:SignedInfo&gt;&lt;ds:CanonicalizationMethod Algorithm=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2001/10/xml-exc-c14n#&quot;">http://www.w3.org/2001/10/xml-exc-c14n#&quot;</a>&gt;&lt;ec:InclusiveNamespaces PrefixList=&quot;soapenv web&quot; xmlns:ec=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2001/10/xml-exc-c14n#&quot;/">http://www.w3.org/2001/10/xml-exc-c14n#&quot;/</a>&gt;&lt;/ds:CanonicalizationMethod&gt;

  &lt;ds:SignatureMethod Algorithm=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/">http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/</a>&gt;

  &lt;ds:Reference URI=&quot;#id-12345&quot;&gt;

  &lt;ds:Transforms&gt;&lt;ds:Transform Algorithm=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2001/10/xml-exc-c14n#&quot;">http://www.w3.org/2001/10/xml-exc-c14n#&quot;</a>&gt;&lt;ec:InclusiveNamespaces PrefixList=&quot;web&quot; xmlns:ec=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2001/10/xml-exc-c14n#&quot;/">http://www.w3.org/2001/10/xml-exc-c14n#&quot;/</a>&gt;&lt;/ds:Transform&gt;&lt;/ds:Transforms&gt;

  &lt;ds:DigestMethod Algorithm=&quot;<a rel="nofollow noreferrer" href="http://www.w3.org/2000/09/xmldsig#sha1&quot;/">http://www.w3.org/2000/09/xmldsig#sha1&quot;/</a>&gt;&lt;ds:DigestValue&gt;digest_value&lt;/ds:DigestValue&gt;

  &lt;/ds:Reference&gt;&lt;/ds:SignedInfo&gt;

  &lt;ds:SignatureValue&gt;my_signature&lt;/ds:SignatureValue&gt;

  &lt;ds:KeyInfo Id=&quot;KI-123456&quot;&gt;&lt;wsse:SecurityTokenReference wsu:Id=&quot;STR-65D54B60823432DD6615040826918923&quot;&gt;&lt;wsse:Reference URI=&quot;#X509-123456&quot; ValueType=&quot;<a rel="nofollow noreferrer" href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3&quot;/">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3&quot;/</a>&gt;&lt;/wsse:SecurityTokenReference&gt;&lt;/ds:KeyInfo&gt;

  &lt;/ds:Signature&gt;

  &lt;/wsse:Security&gt;&lt;/soapenv:Header&gt;

<soapenv:Body wsu:Id="id-12345" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

  &lt;web:myMessage&gt;...&lt;/web:myMessage&gt;

&lt;/soapenv:Body&gt;

</soapenv:Envelope>

The certificate should be one of the available in my APIM instance.

Thanks.

87 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Carlos shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
need-feedback  ·  AdminAzure API Management Team (Admin, Microsoft Azure) responded  · 

Hi Carlos – thanks for your feedback. We need more feedback from users on this feature due to the many complexities of how WS-security is implemented. Would what Carlos describes be helpful for you? Is this preferable to a mutual TLS connection secure the communication?

6 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Ryan McNeilly commented  ·   ·  Flag as inappropriate

    In healthcare we are still very SOAP heavy and WS-security is part of that mix. Healthcare seems to lag 10-20 years behind so this will be around for a very long time. Would like to see WS-security policy handling added to APIM.

  • Chad commented  ·   ·  Flag as inappropriate

    Integrating with 3rd parties that STILL require WS Security is not possible with native Azure API Management policies. A secure Azure based solution that works with APIM boundaries requires a complex mix of function apps, app service environments, storage accounts to hold custom dlls, keyvaults, and private VNET integrations. Also ironic, Microsoft developed the WS-SEC protocol!

  • Anonymous commented  ·   ·  Flag as inappropriate

    Several enterprise level SOAP backends use WS-Security with certificate signatures. We are not always able to change those, and such this would be needed if we want to consume those services in API management.

    Currently, the best option seems to be a passthrough, but that again limits us to use the full .NET Framework as .Net Core doesn't support this either.

API Management: Policies

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice