SAML Web SSO 2.0 Authentication (samlWebSso20)

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.

NameTypeDefaultDescription

allowCreate

boolean

Allow the IdP to create a new account if the requesting user does not have one.

allowCustomCacheKey

boolean

true

Allow generating a custom cache key to access the authentication cache and get the subject.

audiences

string

ANY

The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

authnContextClassRef

string

A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.

authnContextComparisonType

  • better

  • exact

  • maximum

  • minimum

exact

When an authnContextClassRef is specified, the authnContextComparisonType can be set.
better
Better. The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified.
exact
Exact. The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified.
maximum
Maximum. The authentication context in the authentication statement must be as strong as possibe without exceeding the strength of at least one of the authentication contexts specified.
minimum
Minimum. The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.

authnRequestTime

A period of time with millisecond precision

10m

Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authnRequestsSigned

boolean

true

Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed.

clockSkew

A period of time with millisecond precision

5m

This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

createSession

boolean

true

Specifies whether to create an HttpSession if the current HttpSession does not exist.

customizeNameIDFormat

string

Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.

disableInitialRequestCookie

boolean

false

When too many authentication requests are created by Service Provider and redirected to IdP due to the application SSO setup, set this attribute to true to prevent creation of the initial request cookie. The default is false.

disableLtpaCookie

boolean

true

Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead.

enabled

boolean

true

The service provider is enabled if true and disabled if false.

errorPageURL

string

Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO.

forceAuthn

boolean

false

Indicates whether the IdP should force the user to re-authenticate.

groupIdentifier

string

Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.

headerName

string

Saml

The header name of the HTTP request which stores the SAML Token.

httpsRequired

boolean

true

Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata.

id

string

A unique configuration ID.

idpMetadata

string

${server.config.dir}/resources/security/idpMetadata.xml

Specifies the IdP metadata file.

inboundPropagation

  • none

  • required

none

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms.
none
%inboundPropagation.none
required
%inboundPropagation.required

includeTokenInSubject

boolean

true

Specifies whether to include a SAML assertion in the subject.

includeX509InSPMetadata

boolean

true

Specifies whether to include the x509 certificate in the Liberty SP metadata.

isPassive

boolean

false

Indicates IdP must not take control of the end user interface.

keyAlias

string

Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'.

keyStoreRef

A reference to top level keyStore element (string).

A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default.

loginPageURL

string

Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO.

mapToUserRegistry

  • Group

  • No

  • User

No

Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
Group
Map a SAML identity to a group defined in the user registry
No
Do not map a SAML identity to a user or group in the registry
User
Map a SAML identity to a user defined in the registry

nameIDFormat

  • customize

  • email

  • encrypted

  • entity

  • kerberos

  • persistent

  • transient

  • unspecified

  • windowsDomainQualifiedName

  • x509SubjectName

email

Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification.
customize
Customized Name ID Format.
email
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
encrypted
urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
entity
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
transient
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
windowsDomainQualifiedName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
x509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

postLogoutRedirectUrl

string (with whitespace trimmed off)

The client is redirected to this optional URL after the client invokes the SAML logout endpoint and the logout completes

reAuthnCushion

A period of time with millisecond precision

0m

The time period to authenticate again when a SAML Assertion is about to expire, which is indicated by either the statement NotOnOrAfter or the attribute SessionNotOnOrAfter of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

reAuthnOnAssertionExpire

boolean

false

Authenticate the incoming HTTP request again when a SAML Assertion is about to expire.

realmIdentifier

string

Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used.

realmName

string

Specifies a realm name when mapToUserRegistry is set to No or Group.

sessionNotOnOrAfter

A period of time with millisecond precision

120m

Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. This property is only used if disableLtpaCookie=true. The default value is true. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

signatureMethodAlgorithm

  • SHA1

  • SHA128

  • SHA256

SHA256

Indicates the required algorithm by this service provider.
SHA1
SHA-1 signature algorithm
SHA128
%signatureMethodAlgorithm.SHA128
SHA256
SHA-256 signature algorithm

spCookieName

string

Specifies a cookie name for the SAML service provider. The service provider will provide one by default.

spHostAndPort

string

Specifies the hostname and port number by which the IdP addresses this SAML service provider. Use this attribute if the browser needs to be redirected to a router or proxy server instead of directly connecting to the service provider. The format for the value for this attribute is (scheme)://(proxyOrRouterHost):(proxyOrRouterPort). For example, https://myRouter.com:443.

spLogout

boolean

false

Perform a SAML logout when you invoke the HttpServletRequest.logout method or the ibm_security_logout URL.

targetPageUrl

string

The default landing page for the IdP-initiated SSO if the relayState is missing. This property must be set to a valid URL if useRelayStateForTarget is set to false.

tokenReplayTimeout

A period of time with millisecond precision

30m

This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

useRelayStateForTarget

boolean

true

When doing IdP-initiated SSO, this property specifies if the relayState in a SAMLResponse should be used as the target URL. If set to false, the value for targetPageUrl is always used as the target URL.

userIdentifier

string

Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used.

userUniqueIdentifier

string

Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.

wantAssertionsSigned

boolean

true

Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion.

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

ip

string

Specifies the remote host TCP/IP address.

matchType

  • contains

  • equals

  • greaterThan

  • lessThan

  • notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

NameTypeDefaultDescription

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

matchType

  • contains

  • equals

  • notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

pkixTrustEngine

Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.

NameTypeDefaultDescription

trustAnchorRef

A reference to top level keyStore element (string).

A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion.

trustedIssuers

string

Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.

pkixTrustEngine > crl

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

path

string
Required

Specifies the path to the crl.

pkixTrustEngine > x509Certificate

A unique configuration ID.

NameTypeDefaultDescription

id

string

A unique configuration ID.

path

string
Required

Specifies the path to the x509 certificate.