SAML Web SSO 2.0 Authentication (samlWebSso20)
Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.
Name | Type | Default | Description |
---|---|---|---|
allowCreate | boolean | Allow the IdP to create a new account if the requesting user does not have one. | |
allowCustomCacheKey | boolean | true | Allow generating a custom cache key to access the authentication cache and get the subject. |
audiences | string | ANY | The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted. |
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
authnContextClassRef | string | A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null. | |
authnContextComparisonType |
| exact | When an authnContextClassRef is specified, the authnContextComparisonType can be set. |
authnRequestTime | A period of time with millisecond precision | 10m | Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
authnRequestsSigned | boolean | true | Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed. |
clockSkew | A period of time with millisecond precision | 5m | This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
customizeNameIDFormat | string | Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification. | |
disableLtpaCookie | boolean | true | Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead. |
enabled | boolean | true | The service provider is enabled if true and disabled if false. |
errorPageURL | string | Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO. | |
forceAuthn | boolean | false | Indicates whether the IdP should force the user to re-authenticate. |
groupIdentifier | string | Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value. | |
headerName | string | Saml | The header name of the HTTP request which stores the SAML Token. |
httpsRequired | boolean | true | Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata. |
id | string | A unique configuration ID. | |
idpMetadata | string | ${server.config.dir}/resources/security/idpMetadata.xml | Specifies the IdP metadata file. |
inboundPropagation |
| none | Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms. |
includeTokenInSubject | boolean | true | Specifies whether to include a SAML assertion in the subject. |
includeX509InSPMetadata | boolean | true | Specifies whether to include the x509 certificate in the Liberty SP metadata. |
isPassive | boolean | false | Indicates IdP must not take control of the end user interface. |
keyAlias | string | Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'. | |
keyStoreRef | A reference to top level keyStore element (string). | A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default. | |
loginPageURL | string | Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO. | |
mapToUserRegistry |
| No | Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject. |
nameIDFormat |
| Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification. | |
postLogoutRedirectUrl | string (with whitespace trimmed off) | The client is redirected to this optional URL after the client invokes the SAML logout endpoint and the logout completes | |
reAuthnCushion | A period of time with millisecond precision | 0m | The time period to authenticate again when a SAML Assertion is about to expire, which is indicated by either the statement NotOnOrAfter or the attribute SessionNotOnOrAfter of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
reAuthnOnAssertionExpire | boolean | false | Authenticate the incoming HTTP request again when a SAML Assertion is about to expire. |
realmIdentifier | string | Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used. | |
realmName | string | Specifies a realm name when mapToUserRegistry is set to No or Group. | |
sessionNotOnOrAfter | A period of time with millisecond precision | 120m | Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. This property is only used if disableLtpaCookie=true. The default value is true. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
signatureMethodAlgorithm |
| SHA256 | Indicates the required algorithm by this service provider. |
spCookieName | string | Specifies a cookie name for the SAML service provider. The service provider will provide one by default. | |
spHostAndPort | string | Specifies the hostname and port number by which the IdP addresses this SAML service provider. Use this attribute if the browser needs to be redirected to a router or proxy server instead of directly connecting to the service provider. The format for the value for this attribute is (scheme)://(proxyOrRouterHost):(proxyOrRouterPort). For example, https://myRouter.com:443. | |
spLogout | boolean | false | Perform a SAML logout when you invoke the HttpServletRequest.logout method or the ibm_security_logout URL. |
targetPageUrl | string | The default landing page for the IdP-initiated SSO if the relayState is missing. This property must be set to a valid URL if useRelayStateForTarget is set to false. | |
tokenReplayTimeout | A period of time with millisecond precision | 30m | This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
useRelayStateForTarget | boolean | true | When doing IdP-initiated SSO, this property specifies if the relayState in a SAMLResponse should be used as the target URL. If set to false, the value for targetPageUrl is always used as the target URL. |
userIdentifier | string | Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used. | |
userUniqueIdentifier | string | Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value. | |
wantAssertionsSigned | boolean | true | Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion. |
authFilter
Specifies the authentication filter reference.
authFilter > cookie
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > host
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
authFilter > remoteAddress
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
ip | string | Specifies the remote host TCP/IP address. | |
matchType |
| contains | Specifies the match type. |
authFilter > requestHeader
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. | |
value | string | The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains". |
authFilter > requestUrl
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
urlPattern | string | Specifies the URL pattern. The * character is not supported to be used as a wildcard. |
authFilter > userAgent
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
agent | string | Specifies the browser's user agent to help identify which browser is being used. | |
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
authFilter > webApp
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
matchType |
| contains | Specifies the match type. |
name | string | Specifies the name. |
pkixTrustEngine
Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.
Name | Type | Default | Description |
---|---|---|---|
trustAnchorRef | A reference to top level keyStore element (string). | A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion. | |
trustedIssuers | string | Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted. |
pkixTrustEngine > crl
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
path | string | Specifies the path to the crl. |
pkixTrustEngine > x509Certificate
A unique configuration ID.
Name | Type | Default | Description |
---|---|---|---|
id | string | A unique configuration ID. | |
path | string | Specifies the path to the x509 certificate. |