samlWebSso20 - SAML Web SSO 2.0 Authentication (samlWebSso20)

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.

Attributes of type "period of time" take a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms); for example, 500ms is 500 milliseconds. Several values can be concatenated in one entry; for example, 1s500ms is 1.5 seconds. Values have millisecond precision.

Name | Type | Default | Description
id | string | | A unique configuration ID.
httpsRequired | boolean | true | Enforce SSL/TLS when accessing a SAML Web SSO service provider endpoint such as the ACS (assertion consumer service) or metadata endpoint.
inboundPropagation | none, required | none | Controls SAML Web SSO 2.0 inbound propagation, that is, whether the service provider accepts a SAML token carried on the inbound HTTP request instead of obtaining one through the browser SSO flow.
  • none: Inbound propagation is disabled; the service provider authenticates users through the SAML Web SSO redirect flow only.
  • required: The inbound request must carry a SAML token (in the HTTP header named by the headerName sub-element), and the service provider validates that token.
wantAssertionsSigned | boolean | true | Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion.
signatureMethodAlgorithm | SHA256, SHA128, SHA1 | SHA256 | The signature method algorithm that this service provider requires.
  • SHA256: SHA-256 signature algorithm.
  • SHA128: The description of this value is unresolved in the source, and no standard XML Signature algorithm is named SHA-128; confirm which algorithm it maps to before selecting it.
  • SHA1: SHA-1 signature algorithm. SHA-1 is deprecated for signatures; use it only for a legacy IdP that cannot produce SHA-256 signatures.
createSession | boolean | true | Specifies whether to create an HttpSession if one does not exist for the current request.
authnRequestsSigned | boolean | true | Indicates whether the <samlp:AuthnRequest> messages sent by this service provider are signed.
includeX509InSPMetadata | boolean | true | Specifies whether to include the X.509 certificate in the Liberty SP metadata.
forceAuthn | boolean | false | Indicates whether the IdP should force the user to re-authenticate.
isPassive | boolean | false | Indicates that the IdP must not take control of the end-user interface.
allowCreate | boolean | | Allow the IdP to create a new account if the requesting user does not have one.
authnContextComparisonType | minimum, better, maximum, exact | exact | When an authnContextClassRef is specified, the comparison type that is applied to it.
  • minimum: The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.
  • better: The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified.
  • maximum: The authentication context in the authentication statement must be as strong as possible without exceeding the strength of at least one of the authentication contexts specified.
  • exact: The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified.
nameIDFormat | encrypted, customize, persistent, x509SubjectName, email, transient, entity, unspecified, kerberos, windowsDomainQualifiedName | email | Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification.
  • encrypted: urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
  • customize: Customized Name ID Format (see customizeNameIDFormat).
  • persistent: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • x509SubjectName: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • email: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • transient: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • entity: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • unspecified: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • kerberos: urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • windowsDomainQualifiedName: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
customizeNameIDFormat | string | | Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.
idpMetadata | string | ${server.config.dir}/resources/security/idpMetadata.xml | Specifies the IdP metadata file.
keyStoreRef | A reference to a top-level keyStore element (string) | the server's default keystore | A keystore containing the private key used to sign the AuthnRequest and to decrypt the EncryptedAssertion element.
keyAlias | string | | Key alias used to locate the private key for signing and decryption. Optional if the keystore has exactly one key entry, or if it has a key with the alias 'samlsp'.
loginPageURL | string | | Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO and is only required for IdP-initiated SSO.
errorPageURL | string | | Specifies an error page to display if SAML validation fails. If this attribute is not specified and the received SAML is invalid, the user is redirected back to the SAML IdP to restart SSO.
clockSkew | period of time | 5m | The clock skew allowed between the SP and the IdP when validating the time conditions of the SAML token.
tokenReplayTimeout | period of time | 30m | How long the Liberty SP prevents replay of a token it has already accepted.
sessionNotOnOrAfter | period of time | 120m | An upper bound on SAML session duration, after which the Liberty SP asks the user to re-authenticate to the IdP. This value is used when the SAML token returned from the IdP does not carry a SessionNotOnOrAfter attribute.
userIdentifier | string | | Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the value of the NameID assertion element is used.
groupIdentifier | string | | Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.
userUniqueIdentifier | string | same as userIdentifier | Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject.
realmIdentifier | string | | Specifies a SAML attribute that is used as the realm name. If no value is specified, the value of the Issuer assertion element is used.
includeTokenInSubject | boolean | true | Specifies whether to include the SAML assertion in the subject.
mapToUserRegistry | No, User, Group | No | Specifies how to map a SAML identity to a registry user. With the default, No, the user registry is not used to create the user subject.
  • User: Map the SAML identity to a user defined in the registry.
  • No: Do not map the SAML identity to a user or group in the registry.
  • Group: Map the SAML identity to a group defined in the user registry.
authFilterRef | A reference to a top-level authFilter element (string) | | Specifies the authentication filter reference.
disableLtpaCookie | boolean | true | Do not create an LTPA token when processing the SAML assertion; create a cookie specific to this service provider instead.
realmName | string | | Specifies a realm name when mapToUserRegistry is set to No or Group.
authnRequestTime | period of time | 10m | The lifetime of an AuthnRequest that is generated and sent from the service provider to an IdP to request a SAML token.
enabled | boolean | true | The service provider is enabled if true and disabled if false.
allowCustomCacheKey | boolean | true | Allow generating a custom cache key to access the authentication cache and get the subject.
spHostAndPort | string | | Specifies the SAML service provider host name and port number.
reAuthnOnAssertionExpire | boolean | false | Authenticate the incoming HTTP request again when the SAML assertion is about to expire.
reAuthnCushion | period of time | 0m | How far ahead of assertion expiry, as indicated by the NotOnOrAfter condition or the SessionNotOnOrAfter attribute of the SAML assertion, re-authentication is triggered.
targetPageUrl | string | | The default landing page for IdP-initiated SSO if the RelayState is missing.
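The duration syntax together with clockSkew, tokenReplayTimeout, sessionNotOnOrAfter, reAuthnOnAssertionExpire and reAuthnCushion above amounts to a timing policy for accepted assertions. The following is an added example, not Liberty's code, that parses the duration syntax and applies that policy to constructed assertion timestamps. The inclusive NotBefore and exclusive NotOnOrAfter boundaries follow the SAML Core specification; the class and method names, and the scenario in demo(), are the example's own.

```python
"""Liberty duration syntax and SAML assertion timing checks (added example, not Liberty code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# "Period of time" syntax from the reference: a positive integer followed by h, m, s or ms;
# several may be concatenated ("1s500ms" == 1.5 s).  'ms' is listed before 'm' so it wins.
_UNIT_MS = {"h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_TOKEN = re.compile(r"(\d+)(ms|h|m|s)")


def parse_duration(text: str) -> timedelta:
    """Parse '5m', '500ms', '1h30m', '1s500ms', ... into a timedelta; reject anything else."""
    text = text.strip()
    pos, total_ms = 0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:                      # garbage between tokens
            raise ValueError(f"invalid duration {text!r}")
        total_ms += int(m.group(1)) * _UNIT_MS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):              # empty, or trailing garbage
        raise ValueError(f"invalid duration {text!r}")
    return timedelta(milliseconds=total_ms)


class AssertionTimingPolicy:
    """clockSkew, tokenReplayTimeout, sessionNotOnOrAfter and reAuthnCushion as described above.
    Boundary handling follows SAML Core: NotBefore is inclusive, NotOnOrAfter is exclusive."""

    def __init__(self, clock_skew="5m", token_replay_timeout="30m",
                 session_not_on_or_after="120m", re_authn_cushion="0m"):
        self.skew = parse_duration(clock_skew)
        self.replay_timeout = parse_duration(token_replay_timeout)
        self.session_max = parse_duration(session_not_on_or_after)
        self.cushion = parse_duration(re_authn_cushion)
        self._seen: Dict[str, datetime] = {}    # assertion ID -> end of its replay window

    def conditions_valid(self, now: datetime, not_before: Optional[datetime] = None,
                         not_on_or_after: Optional[datetime] = None) -> bool:
        """<saml:Conditions> window, widened by clockSkew on both sides."""
        if not_before is not None and now + self.skew < not_before:
            return False      # still not valid even if the IdP clock is ahead by the skew
        if not_on_or_after is not None and now - self.skew >= not_on_or_after:
            return False      # already expired even if the IdP clock is behind by the skew
        return True

    def accept_once(self, assertion_id: str, now: datetime) -> bool:
        """Replay protection: a repeated assertion ID is rejected for tokenReplayTimeout."""
        self._seen = {i: t for i, t in self._seen.items() if t > now}   # drop expired entries
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = now + self.replay_timeout
        return True

    def session_expiry(self, authn_instant: datetime,
                       session_not_on_or_after: Optional[datetime] = None) -> datetime:
        """SessionNotOnOrAfter from the AuthnStatement wins; otherwise the configured upper bound."""
        return session_not_on_or_after or authn_instant + self.session_max

    def needs_reauthn(self, now: datetime, expiry: datetime) -> bool:
        """reAuthnOnAssertionExpire: re-authenticate once within reAuthnCushion of expiry."""
        return now >= expiry - self.cushion


def demo() -> Dict[str, bool]:
    """Constructed scenario: assertion issued 2024-01-01T12:00:00Z with Conditions
    NotBefore 11:59:30Z and NotOnOrAfter 12:05:00Z, evaluated under a 5m clockSkew."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    nb, noa = issued - timedelta(seconds=30), issued + timedelta(minutes=5)
    p = AssertionTimingPolicy("5m", "30m", "120m", "1m")
    expiry = p.session_expiry(issued)
    return {
        "in_window": p.conditions_valid(issued, nb, noa),
        "sp_clock_4m_behind_ok": p.conditions_valid(nb - timedelta(minutes=4), nb, noa),
        "sp_clock_6m_behind_rejected": p.conditions_valid(nb - timedelta(minutes=6), nb, noa),
        "expired_even_with_skew": p.conditions_valid(noa + timedelta(minutes=5), nb, noa),
        "first_use_accepted": p.accept_once("_a1b2c3", issued),
        "replay_rejected": p.accept_once("_a1b2c3", issued + timedelta(minutes=1)),
        "accepted_after_replay_window": p.accept_once("_a1b2c3", issued + timedelta(minutes=31)),
        "session_from_config": expiry == issued + timedelta(hours=2),
        "reauthn_inside_cushion": p.needs_reauthn(issued + timedelta(minutes=119), expiry),
        "no_reauthn_before_cushion": p.needs_reauthn(issued + timedelta(minutes=118), expiry),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32} {ok}")
```

The "accepted_after_replay_window" result is the point to watch when tuning tokenReplayTimeout: the replay cache must outlive the assertion's own validity window plus clockSkew, otherwise an assertion that still passes the conditions check could be presented a second time. With the example's 30m replay timeout and 5m assertion lifetime that cannot happen; a short replay timeout against long-lived assertions can.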

authnContextClassRef

A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.

pkixTrustEngine

Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify more than one pkixTrustEngine in a samlWebSso20.

Name | Type | Default | Description
trustAnchorRef | A reference to a top-level keyStore element (string) | | A keystore containing the public key (certificate) needed to verify the signature of the SAMLResponse and Assertion.

pkixTrustEngine > trustedIssuers

Specifies the identities (Issuer values) of trusted IdP issuers. If the value is "ALL_ISSUERS", every IdP identity is trusted. With ALL_ISSUERS any response whose signature verifies against a key in the trust anchor keystore is accepted regardless of its Issuer, so list the expected IdP identities explicitly, in particular when the trust anchor keystore holds more than one IdP certificate.

pkixTrustEngine > x509Certificate

An X.509 certificate file used by the trust engine.

Name | Type | Default | Description
id | string | | A unique configuration ID.
path | string | | Specifies the path to the X.509 certificate.

pkixTrustEngine > crl

A certificate revocation list (CRL) file used by the trust engine.

Name | Type | Default | Description
id | string | | A unique configuration ID.
path | string | | Specifies the path to the CRL.

authFilter

Specifies the authentication filter that selects which requests this service provider handles. Each sub-element adds a condition on one property of the HTTP request.

authFilter > webApp

Matches on the name of the web application.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | Specifies the web application name.
matchType | equals, contains, notContain | contains | Specifies the match type.
  • equals: Equals
  • contains: Contains
  • notContain: Does not contain

authFilter > requestUrl

Matches on the request URL.

Name | Type | Default | Description
id | string | | A unique configuration ID.
urlPattern | string | | Specifies the URL pattern.
matchType | equals, contains, notContain | contains | Specifies the match type.
  • equals: Equals
  • contains: Contains
  • notContain: Does not contain

authFilter > remoteAddress

Matches on the client IP address.

Name | Type | Default | Description
id | string | | A unique configuration ID.
matchType | lessThan, equals, greaterThan, contains, notContain | contains | Specifies the match type.
  • lessThan: Less than
  • equals: Equals
  • greaterThan: Greater than
  • contains: Contains
  • notContain: Does not contain
ip | string | | Specifies the IP address.

authFilter > host

Matches on the host name of the request.

Name | Type | Default | Description
id | string | | A unique configuration ID.
name | string | | Specifies the host name.
matchType | equals, contains, notContain | contains | Specifies the match type.
  • equals: Equals
  • contains: Contains
  • notContain: Does not contain

authFilter > userAgent

Matches on the User-Agent of the request.

Name | Type | Default | Description
id | string | | A unique configuration ID.
agent | string | | Specifies the user agent.
matchType | equals, contains, notContain | contains | Specifies the match type.
  • equals: Equals
  • contains: Contains
  • notContain: Does not contain
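To make the authFilter sub-elements and match types concrete, the following added example (not Liberty's implementation) parses an <authFilter> element and decides whether a request is routed to the SAML service provider. Two points are assumptions rather than statements from the reference: all configured conditions are ANDed, and lessThan/greaterThan on remoteAddress compare IP addresses numerically. The sample filter and requests are constructed.

```python
"""Evaluator for samlWebSso20 authFilter rules (added example; not Liberty's implementation)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Request:
    """The request properties that the filter sub-elements test."""
    url: str
    host: str
    remote_ip: str
    user_agent: str
    app: str = ""          # web application name, tested by <webApp>


def _text_match(match_type: str, actual: str, expected: str) -> bool:
    if match_type == "equals":
        return actual == expected
    if match_type == "contains":
        return expected in actual
    if match_type == "notContain":
        return expected not in actual
    raise ValueError(f"unsupported matchType {match_type!r}")


def _ip_match(match_type: str, actual: str, expected: str) -> bool:
    """lessThan/greaterThan compare addresses numerically (assumed semantics);
    the textual match types are applied to the address string, as for other elements."""
    if match_type in ("lessThan", "greaterThan"):
        a, e = ipaddress.ip_address(actual), ipaddress.ip_address(expected)
        return a < e if match_type == "lessThan" else a > e
    return _text_match(match_type, actual, expected)


@dataclass
class AuthFilter:
    # each list holds (expected value, matchType) pairs taken from one sub-element type
    web_apps: List[Tuple[str, str]] = field(default_factory=list)
    request_urls: List[Tuple[str, str]] = field(default_factory=list)
    hosts: List[Tuple[str, str]] = field(default_factory=list)
    remote_addresses: List[Tuple[str, str]] = field(default_factory=list)
    user_agents: List[Tuple[str, str]] = field(default_factory=list)

    @classmethod
    def from_xml(cls, xml_text: str) -> "AuthFilter":
        """Build the filter from an <authFilter> element; matchType defaults to 'contains'."""
        f = cls()
        slots = {"webApp": (f.web_apps, "name"), "requestUrl": (f.request_urls, "urlPattern"),
                 "host": (f.hosts, "name"), "remoteAddress": (f.remote_addresses, "ip"),
                 "userAgent": (f.user_agents, "agent")}
        for child in ET.fromstring(xml_text.strip()):
            if child.tag in slots:
                target, attr = slots[child.tag]
                target.append((child.get(attr, ""), child.get("matchType", "contains")))
        return f

    def applies(self, req: Request) -> bool:
        """True when every configured condition holds (assumption: conditions are ANDed)."""
        checks = [
            (self.web_apps, req.app, _text_match),
            (self.request_urls, req.url, _text_match),
            (self.hosts, req.host, _text_match),
            (self.remote_addresses, req.remote_ip, _ip_match),
            (self.user_agents, req.user_agent, _text_match),
        ]
        return all(fn(mt, actual, exp) for rules, actual, fn in checks for exp, mt in rules)


# Constructed sample filter: SAML only for /protected, except its API paths, only from
# 10.0.0.0/8 (expressed with the comparison match types) and never for curl clients.
SAMPLE_FILTER_XML = """
<authFilter id="samlFilter">
  <requestUrl id="r1" urlPattern="/protected" matchType="contains"/>
  <requestUrl id="r2" urlPattern="/protected/api" matchType="notContain"/>
  <remoteAddress id="a1" ip="9.255.255.255" matchType="greaterThan"/>
  <remoteAddress id="a2" ip="11.0.0.0" matchType="lessThan"/>
  <userAgent id="u1" agent="curl" matchType="notContain"/>
</authFilter>
"""
SAMPLE_FILTER = AuthFilter.from_xml(SAMPLE_FILTER_XML)

if __name__ == "__main__":
    for r in (Request("/protected/home", "app.example.com", "10.1.2.3", "Mozilla/5.0"),
              Request("/protected/api/v1", "app.example.com", "10.1.2.3", "Mozilla/5.0"),
              Request("/protected/home", "app.example.com", "10.1.2.3", "curl/8.0"),
              Request("/protected/home", "app.example.com", "192.168.1.1", "Mozilla/5.0")):
        verdict = "applies" if SAMPLE_FILTER.applies(r) else "skipped"
        print(f"{r.url:20} {r.remote_ip:14} {r.user_agent:12} -> SAML {verdict}")
```

Host, User-Agent and, behind a reverse proxy, the observed remote address are all supplied or influenced by the client. An authFilter therefore only chooses which authentication mechanism is attempted for a request; it is not an authorization boundary, and a request that the filter excludes from SAML still has to be protected by whatever mechanism applies to it instead.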

headerName

The name of the HTTP request header that carries the SAML token when inboundPropagation is set to required.

audiences

The list of audiences that are trusted when verifying the Audience of the SAML token. If the value is "ANY", all audiences are trusted. ANY disables the audience restriction check, so an assertion that the IdP issued for a different service provider would be accepted by this one; configure this service provider's own identifier instead.
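As an added example that is not part of this reference or of Liberty, the following script reviews the samlWebSso20 elements in a server.xml fragment against the settings described on this page: it flags httpsRequired or wantAssertionsSigned turned off, SHA1 signatures, authnRequestsSigned turned off, more than one pkixTrustEngine, a trust engine without trustAnchorRef, trustedIssuers set to ALL_ISSUERS, and audiences set to ANY. The two embedded configurations are constructed samples; accepting list-valued settings either as an attribute or as child elements is an assumption about the configuration schema, and the severities are the example's own judgement.

```python
"""Static review of samlWebSso20 settings in a server.xml fragment (added example, not IBM code)."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: a permissive configuration of the kind that survives from lab setups.
WEAK_CONFIG = """
<server>
  <samlWebSso20 id="labSP" httpsRequired="false" wantAssertionsSigned="false"
                signatureMethodAlgorithm="SHA1" authnRequestsSigned="false">
    <pkixTrustEngine trustAnchorRef="samlKeyStore" trustedIssuers="ALL_ISSUERS"/>
    <audiences>ANY</audiences>
  </samlWebSso20>
</server>
"""

# Constructed sample: the same SP with the settings a production deployment should use.
HARDENED_CONFIG = """
<server>
  <samlWebSso20 id="prodSP" httpsRequired="true" wantAssertionsSigned="true"
                signatureMethodAlgorithm="SHA256" authnRequestsSigned="true"
                clockSkew="2m" tokenReplayTimeout="30m" sessionNotOnOrAfter="60m"
                idpMetadata="${server.config.dir}/resources/security/idpMetadata.xml">
    <pkixTrustEngine trustAnchorRef="samlTrustStore">
      <trustedIssuers>https://idp.example.com/saml2/idp</trustedIssuers>
    </pkixTrustEngine>
    <audiences>https://sp.example.com/ibm/saml20/prodSP</audiences>
  </samlWebSso20>
</server>
"""


def _values(elem: ET.Element, name: str) -> List[str]:
    """List-valued settings are accepted as a comma-separated attribute or as repeated
    child elements (an assumption about the schema, not a statement from the reference)."""
    vals: List[str] = []
    attr = elem.get(name)
    if attr is not None:
        vals += [v.strip() for v in attr.split(",")]
    vals += [(c.text or "").strip() for c in elem.findall(name)]
    return [v for v in vals if v]


def _is_false(elem: ET.Element, attr: str) -> bool:
    """Booleans on this page default to true, so only an explicit 'false' disables them."""
    return elem.get(attr, "true").strip().lower() == "false"


def audit(server_xml: str) -> List[Tuple[str, str, str]]:
    """Return (sp id, severity, finding) tuples for every samlWebSso20 in the fragment."""
    findings: List[Tuple[str, str, str]] = []
    for sp in ET.fromstring(server_xml.strip()).iter("samlWebSso20"):
        sid = sp.get("id", "<no id>")
        if _is_false(sp, "httpsRequired"):
            findings.append((sid, "HIGH", "httpsRequired=false: ACS and metadata endpoints reachable over plain HTTP"))
        if _is_false(sp, "wantAssertionsSigned"):
            findings.append((sid, "HIGH", "wantAssertionsSigned=false: unsigned assertions are accepted"))
        if sp.get("signatureMethodAlgorithm", "SHA256") == "SHA1":
            findings.append((sid, "MEDIUM", "signatureMethodAlgorithm=SHA1: deprecated hash for XML signatures"))
        if _is_false(sp, "authnRequestsSigned"):
            findings.append((sid, "LOW", "authnRequestsSigned=false: the IdP cannot verify AuthnRequest origin"))
        engines = sp.findall("pkixTrustEngine")
        if len(engines) > 1:
            findings.append((sid, "MEDIUM", "more than one pkixTrustEngine; the reference says to specify only one"))
        for eng in engines:
            if not eng.get("trustAnchorRef"):
                findings.append((sid, "HIGH", "pkixTrustEngine without trustAnchorRef: no keystore to verify signatures"))
            if "ALL_ISSUERS" in _values(eng, "trustedIssuers"):
                findings.append((sid, "HIGH", "trustedIssuers=ALL_ISSUERS: any issuer whose signature verifies is trusted"))
        if "ANY" in _values(sp, "audiences"):
            findings.append((sid, "HIGH", "audiences=ANY: assertions issued for other service providers are accepted"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for sid, sev, msg in results:
            print(f"  [{sev}] {sid}: {msg}")
```

The script reads only the settings this page documents; it does not inspect the IdP metadata file or the keystores, so a clean result still assumes that the trust anchor keystore contains only the intended IdP certificates.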