Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
httpsRequired | boolean | true | Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata. |
inboundPropagation |
| none | Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms. none %inboundPropagation.none required %inboundPropagation.required |
wantAssertionsSigned | boolean | true | Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion. |
signatureMethodAlgorithm |
| SHA256 | Indicates the required algorithm by this service provider. SHA256 SHA-256 signature algorithm SHA128 %signatureMethodAlgorithm.SHA128 SHA1 SHA-1 signature algorithm |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
authnRequestsSigned | boolean | true | Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed. |
includeX509InSPMetadata | boolean | true | Specifies whether to include the x509 certificate in the Liberty SP metadata. |
forceAuthn | boolean | false | Indicates whether the IdP should force the user to re-authenticate. |
isPassive | boolean | false | Indicates IdP must not take control of the end user interface. |
allowCreate | boolean | Allow the IdP to create a new account if the requesting user does not have one. | |
authnContextComparisonType |
| exact | When an authnContextClassRef is specified, the authnContextComparisonType can be set. minimum Minimum. The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified. better Better. The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified. maximum Maximum. The authentication context in the authentication statement must be as strong as possibe without exceeding the strength of at least one of the authentication contexts specified. exact Exact. The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified. |
nameIDFormat |
| Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification. encrypted urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted customize Customized Name ID Format. persistent urn:oasis:names:tc:SAML:2.0:nameid-format:persistent x509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress transient urn:oasis:names:tc:SAML:2.0:nameid-format:transient entity urn:oasis:names:tc:SAML:2.0:nameid-format:entity unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos windowsDomainQualifiedName urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName | |
customizeNameIDFormat | string | Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification. | |
idpMetadata | string | ${server.config.dir}/resources/security/idpMetadata.xml | Specifies the IdP metadata file. |
keyStoreRef | A reference to top level keyStore element (string). | A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default. | |
keyAlias | string | Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'. | |
loginPageURL | string | Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO. | |
errorPageURL | string | Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO. | |
clockSkew | A period of time with millisecond precision | 5m | This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
tokenReplayTimeout | A period of time with millisecond precision | 30m | This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
sessionNotOnOrAfter | A period of time with millisecond precision | 120m | Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
userIdentifier | string | Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used. | |
groupIdentifier | string | Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value. | |
userUniqueIdentifier | string | Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value. | |
realmIdentifier | string | Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used. | |
includeTokenInSubject | boolean | true | Specifies whether to include a SAML assertion in the subject. |
mapToUserRegistry |
| No | Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject. User Map a SAML identity to a user defined in the registry No Do not map a SAML identity to a user or group in the registry Group Map a SAML identity to a group defined in the user registry |
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
disableLtpaCookie | boolean | true | Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead. |
realmName | string | Specifies a realm name when mapToUserRegistry is set to No or Group. | |
authnRequestTime | A period of time with millisecond precision | 10m | Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
enabled | boolean | true | The service provider is enabled if true and disabled if false. |
allowCustomCacheKey | boolean | true | Allow generating a custom cache key to access the authentication cache and get the subject. |
spHostAndPort | string | Specifies a SAML service provider host name and port number. | |
reAuthnOnAssertionExpire | boolean | false | Authenticate the incoming HTTP request again when a SAML Assertion is about to expire. |
reAuthnCushion | A period of time with millisecond precision | 0m | The time period to authenticate again when a SAML Assertion is about to expire, which is indicated by either the statement NotOnOrAfter or the attribute SessionNotOnOrAfter of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
targetPageUrl | string | The default landing page for the IdP-initiated SSO if the relayState is missing. |
A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.
Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.
Name | Type | Default | Description |
---|---|---|---|
trustAnchorRef | A reference to top level keyStore element (string). | A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion. |
pkixTrustEngine > trustedIssuers
Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.
pkixTrustEngine > x509Certificate
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
path | string | Specifies the path to the x509 certificate. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
path | string | Specifies the path to the crl. |
Specifies the authentication filter reference.
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | Specifies the name. | |
matchType |
| contains | Specifies the match type. equals Equals contains Contains notContain Not contain |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
urlPattern | string | Specifies the URL pattern. | |
matchType |
| contains | Specifies the match type. equals Equals contains Contains notContain Not contain |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. lessThan Less than equals Equals greaterThan Greater than contains Contains notContain Not contain |
ip | string | Specifies the IP address. |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
name | string | Specifies the name. | |
matchType |
| contains | Specifies the match type. equals Equals contains Contains notContain Not contain |
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
agent | string | Specifies the user agent | |
matchType |
| contains | Specifies the match type. equals Equals contains Contains notContain Not contain |
The header name of the HTTP request which stores the SAML Token.
The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.