Sun OpenSSO Enterprise 8.0 Administration Reference

WS-Federation Identity Provider Customization

The following attributes apply to the WS-Federation Identity Provider role:

NameID Format

Defines the format of the name identifier component of the single sign-on response sent from the identity provider to the service provider. WS-Federation single sign-on supports the following identifier formats (default is UPN):

NameID Attribute

Defines the attribute in the user's profile that will be used as the name ID value. The default is uid.

Name Includes Domain

When using the UPN format defined in the NameID Format attribute, this specifies whether the NameID Attribute in the user's profile includes a domain. If it does, then the NameID Attribute will be used for the UPN as it is currently defined. Otherwise, it is combined with a domain to form a UPN.

Domain Attribute

When using the UPN format, if the Name Includes Domain attribute is not selected, this specifies an attribute in the user's profile to be used as the UPN domain.

UPN Domain

When using the UPN format, if the Name Includes Domain attribute is not selected, and if a value for Domain Attribute is not specified, or if there is no value for that attribute for a particular user, then this attribute is used to construct the UPN.
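The four UPN-related attributes above form one precedence chain. The following added example (not OpenSSO code; the configuration class, profile shape and function names are assumptions) models that chain: the NameID Attribute value is used as-is when Name Includes Domain is set, otherwise the domain comes from the user's Domain Attribute value, and failing that from the static UPN Domain.

```python
# Added illustration of the UPN name-identifier resolution rules described
# above. This is not OpenSSO code; IdpNameIdConfig and resolve_upn are
# hypothetical names used only for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IdpNameIdConfig:
    name_id_attribute: str = "uid"          # "NameID Attribute" (default uid)
    name_includes_domain: bool = False      # "Name Includes Domain"
    domain_attribute: Optional[str] = None  # "Domain Attribute" (optional)
    upn_domain: Optional[str] = None        # "UPN Domain" (static fallback)


def _first_value(profile: Dict[str, List[str]], attr: str) -> Optional[str]:
    """Return the first non-empty value of a multi-valued profile attribute."""
    for value in profile.get(attr, []):
        if value and value.strip():
            return value.strip()
    return None


def resolve_upn(profile: Dict[str, List[str]], cfg: IdpNameIdConfig) -> str:
    """Build the UPN NameID for one user profile, or raise if it cannot be built."""
    local = _first_value(profile, cfg.name_id_attribute)
    if local is None:
        raise ValueError(f"profile has no value for NameID Attribute {cfg.name_id_attribute!r}")

    # Name Includes Domain: the attribute already holds the full UPN, use it unchanged.
    if cfg.name_includes_domain:
        return local

    # Added sanity check (not stated on the page): appending a domain to a value that
    # already contains '@' would yield an ambiguous identifier, so refuse it.
    if "@" in local:
        raise ValueError(f"{local!r} already contains '@' but Name Includes Domain is off")

    # Domain Attribute wins when it is configured and the user has a value for it.
    domain = _first_value(profile, cfg.domain_attribute) if cfg.domain_attribute else None
    # Otherwise fall back to the static UPN Domain.
    if domain is None:
        domain = cfg.upn_domain
    if not domain:
        raise ValueError("no domain available: set Domain Attribute or UPN Domain")
    return f"{local}@{domain}"


if __name__ == "__main__":
    # Constructed sample profiles, not real user data.
    cfg = IdpNameIdConfig(domain_attribute="o", upn_domain="example.com")
    print(resolve_upn({"uid": ["jdoe"], "o": ["sales.example.com"]}, cfg))
    print(resolve_upn({"uid": ["jdoe"]}, cfg))
```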

Signing Cert Alias

This attribute specifies the provider certificate alias used to find the assertion signing certificate in the keystore.

Claim Types

Specifies the claim type so the WS-Federation service can recognize the type of token that is exchanged between federation partners.

The EmailAddress claim type is used to identify a specific security principal by an email address.

The UPN claim type is used to identify a specific security principal via a User Principal Name.

The CommonName claim type is used to identify a security principal via a CN value consistent with X.500 naming conventions. The value of this claim is not necessarily unique and should not be used for authorization purposes.

Account Mapper

This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.DefaultIDPAccountMapper.

Attribute Mapper

This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper.

Attribute Map

Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Assertion Effective Time

An assertion is valid only within a fixed window of time; it must not be accepted before that window opens or after it closes.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.