Administration Console Online Help


SAML Identity Asserter V2: Asserting Party: Configuration


Configure an Asserting Party that can generate SAML assertions consumed by this SAML Identity Assertion provider.

Configuration Options

Name Description
Partner ID

The Asserting Party ID.

Description

A short description of this Asserting Party.

MBean Attribute:
SAMLIdentityAsserterV2MBean.Description

Changes take effect after you redeploy the module or restart the server.

Enabled

Specifies whether this Asserting Party can be used to obtain SAML assertions.

Profile

The SAML profile used with this partner: one of Browser/Artifact, Browser/POST, WSS/Sender-Vouches, or WSS/Holder-of-Key.

Target URL

The target URL of this SAML Asserting Party.

POST Signing Certificate Alias

The alias of the certificate trusted for verifying signatures on SAML protocol elements from this Asserting Party. The certificate must be registered in the SAML Identity Asserter's certificate registry. This attribute must be set for the Browser/POST profile.

Partner Source Site ID

The Source ID of the SAML Source Site represented by this Asserting Party. Used for Browser/Artifact profile only, to look up the partner configuration corresponding to an artifact that has been received.

Assertion Retrieval URL

The Assertion Retrieval Service (ARS) URL of the SAML Source Site represented by this configuration. Used with Browser/Artifact profile only, to retrieve the assertion corresponding to an artifact.

Assertion Retrieval Username

An optional user name used to authenticate when connecting to the ARS URL.

Assertion Retrieval Password

An optional password used to authenticate when connecting to the ARS URL.

Source Site Redirect URIs

An optional set of URIs from which unauthenticated users will be redirected to the configured ITS URL. If set, the Source Site ITS URL (the IntersiteTransferURL attribute) must also be set.

Source Site ITS URL

The Intersite Transfer Service (ITS) URL of the SAML Source Site for this Asserting Party.

Used with SSO profiles only, to support the destination-site-first scenario, in which a user tries to access a destination site URL before being authenticated and is redirected to the source site to be authenticated and obtain a SAML assertion. The Source Site Redirect URIs attribute must also be configured for source-site redirection to work.

Source Site ITS Parameters

An optional set of query parameters, each of the form name=value, that will be appended to the ITS URL when redirecting to the source site.

Issuer URI

The issuer URI of the SAML Authority issuing assertions for this SAML Asserting Party.

Audience URI

An optional set of SAML Audience URIs. If set, an incoming assertion must contain at least one of the specified URIs in order to be considered valid.

Signature Required

If true, assertions must be signed. If false, signature elements are not required, but will be verified if present.

Assertion Signing Certificate Alias

The alias of the certificate trusted for verifying signatures on assertions from this Asserting Party. This must be set if Signature Required is true. The certificate must also be registered in the SAML Identity Asserter's certificate registry.

Name Mapper Class

The name mapper class of this SAML Identity Asserter Version 2 Asserting Party.

Process Groups Attribute

Indicates whether the SAML Identity Asserter should look for a SAML AttributeStatement containing group names when processing an incoming assertion. Default value is false.

Allow Virtual Users

Indicates whether the SAML Identity Asserter is allowed to create user/group principals for the user represented by an incoming assertion.

If true, the SAML Authentication provider should also be configured for the realm. This setting enables the SAML Identity Asserter to create user/group principals, with the possible result that the user is logged in as a virtual user -- a user that does not correspond to any locally-known user. If false, the SAML Identity Asserter will not create user/group principals for the user, and identity assertion will fail unless the user is authenticated by some other authentication provider, indicating that the user name corresponds to a known local user.
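The acceptance rules described for Enabled, Issuer URI, Audience URI, Signature Required and Assertion Signing Certificate Alias can be written out as a single decision routine. The following is an added example, not WebLogic's own code: it models a subset of the Asserting Party options and a simplified incoming assertion (signature verification is assumed to have been done by the caller, since the example performs no XML or cryptographic processing), and shows how an unsigned assertion is accepted when Signature Required is false but rejected when it is true.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AssertingParty:
    """Subset of the Asserting Party options on this page (constructed model)."""
    enabled: bool
    issuer_uri: str
    signature_required: bool
    assertion_signing_cert_alias: Optional[str] = None
    audience_uris: frozenset = frozenset()  # empty set means "not configured"


@dataclass(frozen=True)
class Assertion:
    """Simplified incoming assertion (constructed; not a real SAML document)."""
    issuer: str
    audiences: frozenset
    signed: bool
    # Assumed to be the result of verifying the signature against the key
    # registered under the partner's Assertion Signing Certificate Alias.
    signature_ok: bool = False


def check_assertion(party: AssertingParty, assertion: Assertion) -> Tuple[bool, str]:
    """Apply the page's acceptance rules; return (accepted, reason)."""
    if not party.enabled:
        return False, "asserting party is disabled"
    if assertion.issuer != party.issuer_uri:
        return False, "issuer does not match the configured Issuer URI"
    # Audience URI: if configured, at least one listed URI must be present.
    if party.audience_uris and not (party.audience_uris & assertion.audiences):
        return False, "assertion carries none of the configured Audience URIs"
    if assertion.signed:
        # A signature is verified whenever it is present, even if not required.
        if party.assertion_signing_cert_alias is None or not assertion.signature_ok:
            return False, "signature present but does not verify"
    elif party.signature_required:
        return False, "Signature Required is true but the assertion is unsigned"
    return True, "accepted"


# Constructed sample configurations: same partner, strict vs lax signing policy.
STRICT = AssertingParty(True, "https://idp.example.test", True, "idpSigningCert",
                        frozenset({"https://sp.example.test"}))
LAX = AssertingParty(True, "https://idp.example.test", False, "idpSigningCert",
                     frozenset({"https://sp.example.test"}))
UNSIGNED = Assertion("https://idp.example.test", frozenset({"https://sp.example.test"}), signed=False)
```

With Signature Required false, `check_assertion(LAX, UNSIGNED)` accepts the unsigned assertion; the same assertion is rejected by `STRICT`.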
