SAML Web SSO 2.0 Authentication (samlWebSso20)

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.

Name	Type	Default	Description
allowCreate	boolean		Allow the IdP to create a new account if the requesting user does not have one.
allowCustomCacheKey	boolean	true	Allow generating a custom cache key to access the authentication cache and get the subject.
audiences	string	ANY	The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.
authFilterRef	A reference to top level authFilter element (string).		Specifies the authentication filter reference.
authnContextClassRef	string		A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.
authnContextComparisonType	better exact maximum minimum	exact	When an authnContextClassRef is specified, the authnContextComparisonType can be set. better Better. The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified. exact Exact. The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified. maximum Maximum. The authentication context in the authentication statement must be as strong as possibe without exceeding the strength of at least one of the authentication contexts specified. minimum Minimum. The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.
authnRequestTime	A period of time with millisecond precision	10m	Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
authnRequestsSigned	boolean	true	Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed.
clockSkew	A period of time with millisecond precision	5m	This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
createSession	boolean	true	Specifies whether to create an HttpSession if the current HttpSession does not exist.
customizeNameIDFormat	string		Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.
disableInitialRequestCookie	boolean	false	When too many authentication requests are created by Service Provider and redirected to IdP due to the application SSO setup, set this attribute to true to prevent creation of the initial request cookie. The default is false.
disableLtpaCookie	boolean	true	Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead.
enabled	boolean	true	The service provider is enabled if true and disabled if false.
errorPageURL	string		Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO.
forceAuthn	boolean	false	Indicates whether the IdP should force the user to re-authenticate.
groupIdentifier	string		Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.
headerName	string	Saml	The header name of the HTTP request which stores the SAML Token.
httpsRequired	boolean	true	Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata.
id	string		A unique configuration ID.
idpMetadata	string	${server.config.dir}/resources/security/idpMetadata.xml	Specifies the IdP metadata file.
inboundPropagation	none required	none	Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms. none %inboundPropagation.none required %inboundPropagation.required
includeTokenInSubject	boolean	true	Specifies whether to include a SAML assertion in the subject.
includeX509InSPMetadata	boolean	true	Specifies whether to include the x509 certificate in the Liberty SP metadata.
isPassive	boolean	false	Indicates IdP must not take control of the end user interface.
keyAlias	string		Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'.
keyStoreRef	A reference to top level keyStore element (string).		A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default.
loginPageURL	string		Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO.
mapToUserRegistry	Group No User	No	Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject. Group Map a SAML identity to a group defined in the user registry No Do not map a SAML identity to a user or group in the registry User Map a SAML identity to a user defined in the registry
nameIDFormat	customize email encrypted entity kerberos persistent transient unspecified windowsDomainQualifiedName x509SubjectName	email	Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification. customize Customized Name ID Format. email urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress encrypted urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted entity urn:oasis:names:tc:SAML:2.0:nameid-format:entity kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos persistent urn:oasis:names:tc:SAML:2.0:nameid-format:persistent transient urn:oasis:names:tc:SAML:2.0:nameid-format:transient unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified windowsDomainQualifiedName urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName x509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
postLogoutRedirectUrl	string (with whitespace trimmed off)		The client is redirected to this optional URL after the client invokes the SAML logout endpoint and the logout completes
reAuthnCushion	A period of time with millisecond precision	0m	The time period to authenticate the user again when the Subject associated with a SAML Assertion is about to expire. This cushion is applied to both the NotOnOrAfter value in the Conditions element and the SessionNotOnOrAfter attribute of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
reAuthnOnAssertionExpire	boolean	false	Authenticate the incoming HTTP request again when the NotOnOrAfter value in the Conditions element of the SAML Assertion is expired.
realmIdentifier	string		Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used.
realmName	string		Specifies a realm name when mapToUserRegistry is set to No or Group.
sessionNotOnOrAfter	A period of time with millisecond precision	120m	Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. This property is only used if disableLtpaCookie=true. The default value is true. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
signatureMethodAlgorithm	SHA1 SHA128 SHA256	SHA256	Indicates the required algorithm by this service provider. SHA1 SHA-1 signature algorithm SHA128 %signatureMethodAlgorithm.SHA128 SHA256 SHA-256 signature algorithm
spCookieName	string		Specifies a cookie name for the SAML service provider. The service provider will provide one by default.
spHostAndPort	string		Specifies the hostname and port number by which the IdP addresses this SAML service provider. Use this attribute if the browser needs to be redirected to a router or proxy server instead of directly connecting to the service provider. The format for the value for this attribute is (scheme)://(proxyOrRouterHost):(proxyOrRouterPort). For example, https://myRouter.com:443.
spLogout	boolean	false	Perform a SAML logout when you invoke the HttpServletRequest.logout method or the ibm_security_logout URL.
targetPageUrl	string		The default landing page for the IdP-initiated SSO if the relayState is missing. This property must be set to a valid URL if useRelayStateForTarget is set to false.
tokenReplayTimeout	A period of time with millisecond precision	30m	This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
useRelayStateForTarget	boolean	true	When doing IdP-initiated SSO, this property specifies if the relayState in a SAMLResponse should be used as the target URL. If set to false, the value for targetPageUrl is always used as the target URL.
userIdentifier	string		Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used.
userUniqueIdentifier	string		Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.
wantAssertionsSigned	boolean	true	Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion.

Name

Type

Default

Description

allowCreate

boolean

Allow the IdP to create a new account if the requesting user does not have one.

allowCustomCacheKey

boolean

true

Allow generating a custom cache key to access the authentication cache and get the subject.

audiences

string

ANY

The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.

authFilterRef

A reference to top level authFilter element (string).

Specifies the authentication filter reference.

authnContextClassRef

string

A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.

authnContextComparisonType

better
exact
maximum
minimum

exact

When an authnContextClassRef is specified, the authnContextComparisonType can be set.
better
Better. The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified.
exact
Exact. The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified.
maximum
Maximum. The authentication context in the authentication statement must be as strong as possibe without exceeding the strength of at least one of the authentication contexts specified.
minimum
Minimum. The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.

authnRequestTime

A period of time with millisecond precision

10m

Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authnRequestsSigned

boolean

true

Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed.

clockSkew

A period of time with millisecond precision

This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

createSession

boolean

true

Specifies whether to create an HttpSession if the current HttpSession does not exist.

customizeNameIDFormat

string

Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.

disableInitialRequestCookie

boolean

false

When too many authentication requests are created by Service Provider and redirected to IdP due to the application SSO setup, set this attribute to true to prevent creation of the initial request cookie. The default is false.

disableLtpaCookie

boolean

true

Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead.

enabled

boolean

true

The service provider is enabled if true and disabled if false.

errorPageURL

string

Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO.

forceAuthn

boolean

false

Indicates whether the IdP should force the user to re-authenticate.

groupIdentifier

string

Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.

headerName

string

Saml

The header name of the HTTP request which stores the SAML Token.

httpsRequired

boolean

true

Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata.

string

A unique configuration ID.

idpMetadata

string

${server.config.dir}/resources/security/idpMetadata.xml

Specifies the IdP metadata file.

inboundPropagation

none
required

none

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms.
none
%inboundPropagation.none
required
%inboundPropagation.required

includeTokenInSubject

boolean

true

Specifies whether to include a SAML assertion in the subject.

includeX509InSPMetadata

boolean

true

Specifies whether to include the x509 certificate in the Liberty SP metadata.

isPassive

boolean

false

Indicates IdP must not take control of the end user interface.

keyAlias

string

Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'.

keyStoreRef

A reference to top level keyStore element (string).

A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default.

loginPageURL

string

Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO.

mapToUserRegistry

Group
No
User

Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
Group
Map a SAML identity to a group defined in the user registry
No
Do not map a SAML identity to a user or group in the registry
User
Map a SAML identity to a user defined in the registry

nameIDFormat

customize
email
encrypted
entity
kerberos
persistent
transient
unspecified
windowsDomainQualifiedName
x509SubjectName

Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification.
customize
Customized Name ID Format.
email
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
encrypted
urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
entity
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
transient
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
windowsDomainQualifiedName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
x509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

postLogoutRedirectUrl

string (with whitespace trimmed off)

The client is redirected to this optional URL after the client invokes the SAML logout endpoint and the logout completes

reAuthnCushion

A period of time with millisecond precision

The time period to authenticate the user again when the Subject associated with a SAML Assertion is about to expire. This cushion is applied to both the NotOnOrAfter value in the Conditions element and the SessionNotOnOrAfter attribute of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

reAuthnOnAssertionExpire

boolean

false

Authenticate the incoming HTTP request again when the NotOnOrAfter value in the Conditions element of the SAML Assertion is expired.

realmIdentifier

string

Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used.

realmName

string

Specifies a realm name when mapToUserRegistry is set to No or Group.

sessionNotOnOrAfter

A period of time with millisecond precision

120m

Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. This property is only used if disableLtpaCookie=true. The default value is true. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

signatureMethodAlgorithm

SHA1
SHA128
SHA256

SHA256

Indicates the required algorithm by this service provider.
SHA1
SHA-1 signature algorithm
SHA128
%signatureMethodAlgorithm.SHA128
SHA256
SHA-256 signature algorithm

spCookieName

string

Specifies a cookie name for the SAML service provider. The service provider will provide one by default.

spHostAndPort

string

Specifies the hostname and port number by which the IdP addresses this SAML service provider. Use this attribute if the browser needs to be redirected to a router or proxy server instead of directly connecting to the service provider. The format for the value for this attribute is (scheme)://(proxyOrRouterHost):(proxyOrRouterPort). For example, https://myRouter.com:443.

spLogout

boolean

false

Perform a SAML logout when you invoke the HttpServletRequest.logout method or the ibm_security_logout URL.

targetPageUrl

string

The default landing page for the IdP-initiated SSO if the relayState is missing. This property must be set to a valid URL if useRelayStateForTarget is set to false.

tokenReplayTimeout

A period of time with millisecond precision

30m

This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

useRelayStateForTarget

boolean

true

When doing IdP-initiated SSO, this property specifies if the relayState in a SAMLResponse should be used as the target URL. If set to false, the value for targetPageUrl is always used as the target URL.

userIdentifier

string

Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used.

userUniqueIdentifier

string

Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.

wantAssertionsSigned

boolean

true

Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion.

authFilter

Specifies the authentication filter reference.

authFilter > cookie

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > host

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

authFilter > remoteAddress

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
ip	string		Specifies the remote host TCP/IP address.
matchType	contains equals greaterThan lessThan notContain	contains	Specifies the match type.

Name

Type

Default

Description

string

A unique configuration ID.

string

Specifies the remote host TCP/IP address.

matchType

contains
equals
greaterThan
lessThan
notContain

contains

Specifies the match type.

authFilter > requestHeader

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.
value	string		The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

value

string

The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
urlPattern	string Required		Specifies the URL pattern. The * character is not supported to be used as a wildcard.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

urlPattern

string
Required

Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent

A unique configuration ID.

Name	Type	Default	Description
agent	string Required		Specifies the browser's user agent to help identify which browser is being used.
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.

Name

Type

Default

Description

agent

string
Required

Specifies the browser's user agent to help identify which browser is being used.

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

authFilter > webApp

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Specifies the match type.
name	string Required		Specifies the name.

Name

Type

Default

Description

string

A unique configuration ID.

matchType

contains
equals
notContain

contains

Specifies the match type.

name

string
Required

Specifies the name.

pkixTrustEngine

Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.

Name	Type	Default	Description
trustAnchorRef	A reference to top level keyStore element (string).		A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion.
trustedIssuers	string		Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.

Name

Type

Default

Description

trustAnchorRef

A reference to top level keyStore element (string).

A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion.

trustedIssuers

string

Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.

pkixTrustEngine > crl

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
path	string Required		Specifies the path to the crl.

Name

Type

Default

Description

string

A unique configuration ID.

path

string
Required

Specifies the path to the crl.

pkixTrustEngine > x509Certificate

A unique configuration ID.

Name	Type	Default	Description
id	string		A unique configuration ID.
path	string Required		Specifies the path to the x509 certificate.

Name

Type

Default

Description

string

A unique configuration ID.

path

string
Required

Specifies the path to the x509 certificate.