Global Properties contain services that let you define password reset functionality and policy configuration for OpenSSO Enterprise. The services you can configure are:
This attribute specifies the implementation class for the com.sun.identity.plugin.datastore.DataStoreProvider SPI which is used for managing federation user data store information.
This attribute specifies the implementation class for the com.sun.identity.plugin.configuration.ConfigurationInstance SPI which is used for managing federation service configuration data.
This attribute specifies the implementation class for the com.sun.identity.plugin.log.Logger SPI which is used for managing federation logging.
This attribute specifies the implementation class for the com.sun.identity.plugin.session.SessionProvider SPI which is used for managing federation sessions.
This attribute specifies the maximum allowed content length for an HTTP Request that will be used in federation services. Any request whose content exceeds the specified maximum content length will be rejected.
This attribute specifies the implementation class for the com.sun.identity.saml.xmlsig.PasswordDecoder interface which is used to decode the stored password for the XML signing keystore and the password for basic authentication under SAML 1.x.
This attribute specifies the SAML XML signature provider class. The default SPI is com.sun.identity.saml.xmlsig.AMSignatureProvider.
This attribute specifies the XML signature key provider class. The default SPI is com.sun.identity.saml.xmlsig.JKSKeyProvider.
If set to on, the certificate must be present in the keystore for XML signature validation. If set to off, presence checking of the certificate is skipped. This applies to SAML 1.x only.
This attribute specifies the XML canonicalization algorithm used for SAML XML signature generation and verification. The default value is http://www.w3.org/2001/10/xml-exc-c14n#.
This attribute specifies the XML signature algorithm used for SAML XML signature generation and verification. When not specified or the value is empty, the default value (http://www.w3.org/2000/09/xmldsig#rsa-sha1) is used.
This attribute specifies the transformation algorithm used for SAML XML signature generation and verification. When not specified or the value is empty, the default value (http://www.w3.org/2001/10/xml-exc-c14n#) is used.
This attribute specifies the name of the ID-FF Services cookie. The cookie is used to remember if the user is federated already.
This attribute specifies the implementation class for finding a preferred identity provider to be proxied.
This attribute specifies the cleanup interval (in seconds) for the ID-FF internal request cleanup thread.
This attribute specifies the timeout value (in seconds) for the ID-FF Authentication Request. Any AuthnRequest object will be purged from memory if it exceeds the timeout value.
This attribute specifies the login URL to which the IDP will redirect if a valid session is not found while processing the Authentication Request. If the key is not specified, a default login URL is used.
This attribute specifies the level of signature verification for Liberty requests and responses.
This attribute specifies the implementation class name for the com.sun.identity.liberty.ws.security.SecurityAttributePlugin interface. The class returns a list of SAML attributes to be included in the credentials generated by the Discovery Service.
The value set in this attribute is used in the com.sun.identity.liberty.ws.security.LibSecurityTokenProvider implementation class. It specifies the data type to be put into the KeyInfo block inside the XML signature. If the value is certificate, the signer's X.509 certificate will be included inside KeyInfo. Otherwise, the corresponding DSA/RSA key will be included in KeyInfo.
This attribute specifies the implementation class for the security token provider.
This attribute specifies the default certificate alias used to issue the web service security token for this web service client.
This attribute specifies the certificate alias for the trusted authority that will be used to sign the SAML or SAML BEARER token of response message.
This attribute specifies the certificate aliases of the trusted CAs for the SAML or SAML BEARER tokens of an incoming request. The message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|.....
Example: myalias1:myissuer1|myalias2|myalias3:myissuer3.
The value issuer is used when the token does not have a KeyInfo inside of the signature. The issuer of the token must be in this list and the corresponding certificate alias will be used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo and the certificate alias must be in this list.
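The two verification rules above (issuer lookup when the signature carries no KeyInfo, alias match when it does) are easy to get subtly wrong, so here is an added example, not OpenSSO code, that parses the cert alias 1[:issuer 1]|cert alias 2[:issuer 2] list and applies both rules. The function names, the keystore alias set and the sample values are constructed for the example.

```python
# Added example (not OpenSSO code): parse the trusted CA alias list and apply
# the two verification rules from the description above.

def parse_trusted_ca_aliases(value: str) -> dict:
    """Parse 'alias1[:issuer1]|alias2[:issuer2]|...' into {alias: issuer_or_None}."""
    trusted = {}
    for entry in value.split("|"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty trailing entry such as '...|'
        alias, sep, issuer = entry.partition(":")
        if not alias:
            raise ValueError(f"entry {entry!r} has no certificate alias")
        trusted[alias] = issuer if sep else None
    return trusted


def select_verification_alias(trusted: dict, keystore_aliases: set,
                              keyinfo_alias: str = None, token_issuer: str = None):
    """Return the keystore alias whose certificate verifies the token signature,
    or None when the token must be rejected.

    - KeyInfo present: its alias must exist in the keystore AND be in the trusted list.
    - No KeyInfo: the token issuer must appear in the list; that entry's alias is used.
    """
    if keyinfo_alias is not None:
        if keyinfo_alias in keystore_aliases and keyinfo_alias in trusted:
            return keyinfo_alias
        return None
    if token_issuer is not None:
        for alias, issuer in trusted.items():
            if issuer == token_issuer and alias in keystore_aliases:
                return alias
    return None


if __name__ == "__main__":
    # Constructed sample values following the format in the description.
    trusted = parse_trusted_ca_aliases("myalias1:myissuer1|myalias2|myalias3:myissuer3")
    keystore = {"myalias1", "myalias2", "myalias3"}
    print(select_verification_alias(trusted, keystore, keyinfo_alias="myalias2"))   # myalias2
    print(select_verification_alias(trusted, keystore, token_issuer="myissuer3"))  # myalias3
    print(select_verification_alias(trusted, keystore, token_issuer="unknown"))    # None
```

Note that an alias without an issuer (myalias2 above) can only be selected through a KeyInfo match; a token from an unlisted issuer with no KeyInfo is rejected rather than falling back to any alias.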
This attribute indicates whether the web service provider will redirect the user for consent. The default value is yes.
This initiates an interaction to get user consent or to collect additional data. This property indicates whether the web service provider will redirect the user to collect additional data. The default value is yes.
This attribute indicates the length of time (in seconds) that the web service provider expects to take to complete an interaction and return control back to the web service client. For example, the web service provider receives a request indicating that the web service client will wait a maximum 30 seconds (set in WSC's Expected Duration for Interaction) for interaction. If this attribute is set to 40 seconds, the web service provider returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.
This attribute indicates whether the web service provider will enforce an HTTPS returnToURL specified by the web service client. The Liberty Alliance Project specifications state that the value of this property is always yes. The false value is primarily meant for ease of deployment in a phased manner.
This attribute indicates whether the web service provider would enforce the address values of returnToHost and requestHost if they are the same. The Liberty Alliance Project specifications state that the value of this property is always yes. The false value is primarily meant for ease of deployment in a phased manner.
This attribute points to the location of the style sheet that is used to render the interaction page in HTML.
This attribute points to the location of the style sheet that is used to render the interaction page in WML.
This attribute specifies the URL where the WSPRedirectHandler servlet is deployed. The servlet handles the service provider side of interactions for user redirects.
Defines the WSP redirect handler URL exposed by a Load Balancer.
Defines the WSP redirect handler URLs of trusted servers in the cluster.
This attribute specifies the class that provides access methods to read interaction configurations.
This attribute indicates the level of interaction in which the WSC will participate if configured to participate in user redirects. The possible values are interactIfNeeded, doNotInteract, and doNotInteractForData. The affirmative interactIfNeeded is the default.
This attribute indicates whether the web service client will include a SOAP header to indicate certain preferences for interaction based on the Liberty specifications. The default value is yes.
This attribute defines whether the WSC will participate in user redirections. The default value is yes.
This attribute defines the maximum length of time (in seconds) that the web service client is willing to wait for the web service provider to complete its portion of the interaction. The web service provider will not initiate an interaction if the interaction is likely to take more time than what is set. For example, the web service provider receives a request where this property is set to a maximum 30 seconds. If the web service provider property WSP's Expected Duration for Interaction is set to 40 seconds, the web service provider returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.
This attribute specifies whether the web service client will enforce HTTPS in redirected URLs. The Liberty Alliance Project specifications state that the value of this property is always yes, which indicates that the web service provider will not redirect the user when the value of redirectURL (specified by the web service provider) is not an HTTPS URL. The false value is primarily meant for easy, phased deployment.
This attribute defines a list of values, each specifying a Single Logout Handler implementation class for an individual federation protocol. Each value has the following format: key=Federation_Protocol_Name|class=SPI_Implementation_Class_Name
By default, OASIS SAMLv2 (key=SAML2), Liberty ID-FF (key=IDFF) and WS-Federation (key=WSFED) are defined in the list. For example:
key=SAML2|class=com.sun.identity.multiprotocol.SAML2SingleLogoutHandler
key=IDFF|class=com.sun.identity.multiprotocol.IDFFSingleLogoutHandler
key=WSFED|class=com.sun.identity.multiprotocol.WSFederationSingleLogoutHandler
OpenSSO Enterprise provides a Password Reset service to allow users to receive an email message containing a new password or to reset their password for access to a given service or application protected by OpenSSO Enterprise. The Password Reset attributes are realm attributes. The attributes are:
This attribute specifies the name of user attribute that is used to search for the user whose password is to be reset.
This field allows you to add a list of questions that the user can use to reset his/her password. To add a question, type it in the Secret Question field and click Add. The selected questions will appear in the user's User Profile page. The user can then select a question for resetting the password. Users may create their own question if the Personal Question Enabled attribute is selected.
This attribute specifies the search filter to be used to find user entries.
This attribute specifies the DN from which the user search will start. If no DN is specified, the search will start from the realm DN. You should not use cn=directorymanager as the base DN, due to proxy authentication conflicts.
This attribute value is used with Bind Password to reset the user password.
This attribute value is used with Bind DN to reset the user password.
Confirm the password.
This attribute determines the classname for resetting the password. The default classname is com.sun.identity.password.RandomPasswordGenerator. The password reset class can be customized through a plug-in. This class must implement the PasswordGenerator interface.
This attribute determines the method for user notification of password resetting. The default classname is com.sun.identity.password.EmailPassword. The password notification class can be customized through a plug-in. This class must implement the NotifyPassword interface. See the OpenSSO Enterprise Developer's Guide for more information.
Selecting this attribute will enable the password reset feature.
Selecting this attribute will allow a user to create a unique question for password resetting.
This value specifies the maximum number of questions to be asked in the password reset page.
When enabled, this option forces the user to change his or her password on the next login. If you want an administrator, other than the top-level administrator, to set the force password reset option, you must modify the Default Permissions ACIs to allow access to that attribute.
This attribute specifies whether users are prevented from resetting their password after an initial failure to reset it using the Password Reset application. By default, this feature is not enabled.
This attribute defines the number of attempts that a user may try to reset a password, within the time interval defined in Password Reset Failure Lockout Interval, before being locked out. For example, if Password Reset Failure Lockout Count is set to 5 and Login Failure Lockout Interval is set to 5 minutes, the user has five chances within five minutes to reset the password before being locked out.
This attribute defines (in minutes) the amount of time in which the number of password reset attempts (as defined in Password Reset Failure Lockout Count) can be completed, before being locked out.
This attribute specifies an email address that will receive notification if a user is locked out from the Password Reset service. Specify multiple email addresses in a space-separated list.
This attribute specifies the number of password reset failures that can occur before OpenSSO Enterprise sends a warning message that the user will be locked out.
This attribute defines (in minutes) the duration for which the user will not be able to attempt a password reset if a lockout has occurred.
This attribute specifies the user status attribute (inetuserstatus) whose value is set from Password Reset Lockout Attribute Value. If a user is locked out from Password Reset and Password Reset Failure Lockout Duration (minutes) is set to 0, inetuserstatus is set to inactive, preventing the user from attempting to reset his or her password.
This attribute specifies the value, either active or inactive, written to the user status attribute named in Password Reset Lockout Attribute Name. If a user is locked out from Password Reset and Password Reset Failure Lockout Duration (minutes) is set to 0, inetuserstatus is set to inactive, preventing the user from attempting to reset his or her password.
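The lockout count, interval, warning count, duration and the duration-0 case interact as a sliding window, which the attribute descriptions above spell out one at a time. The following added example (not OpenSSO code) models that interaction for a single user; the class name, the return strings and the "inactive" status handling are assumptions made for the example, and the clock is passed in so the behaviour can be checked offline.

```python
from collections import deque


class PasswordResetLockout:
    """Sliding-window lockout for one user, modelled on the attributes above.

    Times are seconds; the caller supplies the clock so the logic is testable.
    (Added example, not OpenSSO code.)
    """

    def __init__(self, lockout_count: int, lockout_interval_min: int,
                 lockout_duration_min: int, warning_count: int):
        self.lockout_count = lockout_count          # Password Reset Failure Lockout Count
        self.window = lockout_interval_min * 60     # Password Reset Failure Lockout Interval
        self.duration = lockout_duration_min * 60   # Password Reset Failure Lockout Duration
        self.warning_count = warning_count          # failures before the lockout warning
        self.failures = deque()                     # timestamps of failures inside the window
        self.locked_until = None                    # end of a timed lockout
        self.user_status = "active"                 # models the inetuserstatus attribute

    def is_locked(self, now: float) -> bool:
        if self.user_status == "inactive":
            return True   # duration 0: stays locked until an administrator re-enables the user
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: float) -> str:
        """Record one failed reset attempt; return 'locked', 'warning' or 'failed'."""
        if self.is_locked(now):
            return "locked"
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()   # drop failures that fell outside the interval
        self.failures.append(now)
        count = len(self.failures)
        if count >= self.lockout_count:
            self.failures.clear()
            if self.duration == 0:
                self.user_status = "inactive"
            else:
                self.locked_until = now + self.duration
            return "locked"
        if count >= self.warning_count:
            return "warning"
        return "failed"


if __name__ == "__main__":
    # Count 5 within 5 minutes, 10-minute lockout, warn from the third failure.
    lockout = PasswordResetLockout(5, 5, 10, 3)
    for t in (0, 60, 120, 180, 240):
        print(t, lockout.record_failure(t))       # failed, failed, warning, warning, locked
    print(lockout.is_locked(300), lockout.is_locked(240 + 600))   # True False
```

The second constructed run in the test spreads the same number of failures over more than the interval, so the oldest failures expire and the user is warned but never locked, which is the behaviour the count/interval pair is meant to produce.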
The Policy Configuration attributes enable the administrator to set the global and realm configuration properties used by the Policy service.
The Global Properties are:
Specifies the resource comparator information used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation.
Click the Add button and define the following attributes:
Specifies the service to which the comparator should be used.
Defines the Java class that implements the resource comparison algorithm.
Specifies the delimiter to be used in the resource name.
Specifies the wildcard that can be defined in resource names.
Matches zero or more characters, at the same delimiter boundary.
Specifies if the comparison of the two resources should consider or ignore case. False ignores case, True considers case.
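To show how the delimiter, wildcard, one-level wildcard and case-sensitivity attributes above combine when a resource is compared against a policy rule, here is an added example that is not OpenSSO's comparator implementation. It compiles a resource pattern into a regular expression. The default one-level wildcard token -*- and the function names are assumptions for the example; the URLs are constructed.

```python
import re


def compile_resource_pattern(pattern: str, delimiter: str = "/", wildcard: str = "*",
                             one_level_wildcard: str = "-*-", case_sensitive: bool = True):
    """Compile a policy resource pattern into a regular expression.

    wildcard            matches zero or more characters, crossing delimiters
    one_level_wildcard  matches zero or more characters but never a delimiter,
                        i.e. it stays at the same delimiter boundary
    (Added example, not OpenSSO code; the -*- token is an assumed default.)
    """
    within_one_level = "[^" + re.escape(delimiter) + "]*"
    parts = []
    # Split on the longer one-level token first so its '*' is not treated as the plain wildcard.
    for piece in pattern.split(one_level_wildcard):
        parts.append(".*".join(re.escape(p) for p in piece.split(wildcard)))
    regex = within_one_level.join(parts)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile(regex, flags)


def resource_matches(pattern: str, resource: str, **options) -> bool:
    """True when the whole resource name is matched by the pattern."""
    return compile_resource_pattern(pattern, **options).fullmatch(resource) is not None


if __name__ == "__main__":
    rule = "http://www.example.com/-*-/index.html"   # constructed rule
    print(resource_matches(rule, "http://www.example.com/foo/index.html"))       # True
    print(resource_matches(rule, "http://www.example.com/foo/bar/index.html"))   # False
    print(resource_matches("http://www.example.com/*", "http://www.example.com/foo/bar/index.html"))  # True
```

The difference between the two wildcards is the point: a rule written with the plain wildcard covers every path below it, while the one-level wildcard confines the match to a single path segment, so a policy intended for /app/-*-/ does not silently extend to deeper resources.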
Specifies whether or not the policy framework should continue evaluating subsequent policies, even if a DENY policy decision exists. If it is not selected (default), policy evaluation skips subsequent policies once the DENY decision is recognized.
Defines the names of policy advice keys for which the Policy Enforcement Point (Policy Agent) would redirect the user agent to OpenSSO Enterprise. If the agent receives a policy decision that does not allow access to a resource, but does possess advices, the agent checks to see whether it has an advice key listed in this attribute.
If such an advice is found, the user agent is redirected to OpenSSO Enterprise, potentially allowing the access to the resource.
When set to Yes, this attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the DNSAlias of the realm. By default, this attribute is defined as No.
The LDAP Properties are:
Specifies the host name and port number of the primary LDAP server specified during OpenSSO Enterprise installation that will be used to search for Policy subjects, such as LDAP users, LDAP roles, LDAP groups, and so forth.
The format is hostname:port. For example: machine1.example.com:389
For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2...
For example: machine1.example1.com:389 machine2.example1.com:389
Multiple entries must be prefixed by the local server name. This is to allow specific OpenSSO Enterprise instances to be configured to talk to specific Directory Servers.
The format is servername|hostname:port For example:
machine1.example1.com|machine1.example1.com:389
machine1.example2.com|machine1.example2.com:389
For failover configuration:
AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389
AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389
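The per-server prefix syntax above determines which Directory Server hosts a given OpenSSO Enterprise instance will contact, so a small added example (not OpenSSO code) of resolving the attribute for one instance follows. The function names and the precedence rule (a prefixed entry for the local server wins over unprefixed entries) are assumptions made for the example; the host values are the ones shown in the description.

```python
def parse_host_port(entry: str):
    """Parse one 'hostname:port' token; reject anything that is not that shape."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected hostname:port, got {entry!r}")
    return host, int(port)


def ldap_servers_for(values, local_server: str):
    """Pick the LDAP hosts this OpenSSO Enterprise instance should use.

    values: the attribute's entries, each 'host:port [host2:port2 ...]' or
            'servername|host:port [host2:port2 ...]'.
    Entries prefixed with another server's name are ignored. A prefixed entry
    for local_server takes precedence over unprefixed entries (assumed rule).
    (Added example, not OpenSSO code.)
    """
    prefixed, unprefixed = [], []
    for value in values:
        server, sep, hosts = value.partition("|")
        if sep:
            if server.strip() != local_server:
                continue
            prefixed.extend(parse_host_port(h) for h in hosts.split())
        else:
            unprefixed.extend(parse_host_port(h) for h in value.split())
    return prefixed or unprefixed


if __name__ == "__main__":
    # The failover configuration from the description, as the attribute's value list.
    values = [
        "AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389",
        "AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389",
    ]
    print(ldap_servers_for(values, "AM_Server2.example2.com"))
    # [('machine1.example2.com', 389), ('machine2.example2.com', 389)]
```

Rejecting malformed host:port tokens at parse time is deliberate: a silently dropped failover host would only be noticed when the primary server is already down.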
Specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation.
This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation base.
Defines the DN of the realm or organization which is used as a base while searching for the values of OpenSSO Enterprise Roles. This attribute is used by the AccessManagerRoles policy subject.
Specifies the bind DN in the LDAP server.
Defines the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used as the bind user.
Confirm the password.
Specifies the search filter to be used to find organization entries. The default is (objectclass=sunManagedOrganization).
Defines the scope to be used to find organization entries. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Defines the scope to be used to find group entries. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).
Defines the scope to be used to find user entries. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinitions)) .
This attribute defines the scope to be used to find entries for roles. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Defines the scope to be used to find entries for OpenSSO Enterprise Roles subject.
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Defines the attribute type for which to conduct a search on an organization. The default is o.
Defines the attribute type for which to conduct a search on a group. The default is cn.
Defines the attribute type for which to conduct a search on a user. The default is uid.
This field defines the attribute type for which to conduct a search on a role. The default is cn.
This field defines the maximum number of results returned from a search. The default value is 100. If the number of matching entries exceeds the limit, the entries that have been found to that point will be returned.
Specifies the amount of time before a timeout on a search occurs. If the search exceeds the specified time, the entries that have been found to that point will be returned.
Specifies whether or not the LDAP server is running SSL. Selecting enables SSL, deselecting (default) disables SSL.
If the LDAP Server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with proper SSL-trusted certificates so that OpenSSO Enterprise can connect to Directory Server over the LDAPS protocol.
Specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.
This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.
Allows you to select a set of subject types available to be used for policy definition in the realm.
Allows you to select a set of conditions types available to be used for policy definition in the realm.
Allows you to select a set of referral types available to be used for policy definition in the realm.
This attribute specifies the amount of time (in minutes) that a cached subject result can be used to evaluate the same policy request based on the single sign-on token.
When a policy is initially evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy is applicable to a given user. The subject result, which is keyed by the SSO token ID, is cached in the policy. If another evaluation occurs for the same policy for the same SSO token ID within the time specified in the Subject Result Time To Live attribute, the policy framework retrieves the cached subjects result, instead of evaluating the subject instances. This significantly reduces the time for policy evaluation.
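The caching described above is simple to state but easy to get wrong at the TTL boundary, so here is an added example, not OpenSSO code, of a subject result cache keyed by SSO token ID with a time-to-live, wrapped in a small evaluator that counts how often the subject instances are actually evaluated. Class and method names and the subject check are constructed for the example.

```python
class SubjectResultCache:
    """Per-policy subject evaluation results keyed by SSO token ID, with a TTL.
    (Added example, not OpenSSO code.)"""

    def __init__(self, ttl_minutes: int):
        self.ttl = ttl_minutes * 60            # Subject Result Time To Live, in seconds
        self.entries = {}                      # (policy_name, token_id) -> (result, expires_at)

    def get(self, policy_name: str, token_id: str, now: float):
        key = (policy_name, token_id)
        hit = self.entries.get(key)
        if hit is None:
            return None
        result, expires_at = hit
        if now >= expires_at:
            del self.entries[key]              # stale entry: force a fresh evaluation
            return None
        return result

    def put(self, policy_name: str, token_id: str, result: bool, now: float):
        self.entries[(policy_name, token_id)] = (result, now + self.ttl)


class PolicyEvaluator:
    """Evaluates the policy's subjects only on a cache miss and counts real evaluations."""

    def __init__(self, subject_check, ttl_minutes: int):
        self.subject_check = subject_check     # callable(token_id) -> bool, constructed stand-in
        self.cache = SubjectResultCache(ttl_minutes)
        self.evaluations = 0

    def subjects_apply(self, policy_name: str, token_id: str, now: float) -> bool:
        cached = self.cache.get(policy_name, token_id, now)
        if cached is not None:
            return cached
        self.evaluations += 1
        result = self.subject_check(token_id)
        self.cache.put(policy_name, token_id, result, now)
        return result


if __name__ == "__main__":
    # Constructed subject check: any token starting with "AQIC" belongs to the subject.
    evaluator = PolicyEvaluator(lambda token: token.startswith("AQIC"), ttl_minutes=5)
    print(evaluator.subjects_apply("policy1", "AQIC-token", now=0), evaluator.evaluations)    # True 1
    print(evaluator.subjects_apply("policy1", "AQIC-token", now=120), evaluator.evaluations)  # True 1
    print(evaluator.subjects_apply("policy1", "AQIC-token", now=300), evaluator.evaluations)  # True 2
```

A negative result is cached as well as a positive one, so a user who is added to a group after a denied evaluation keeps getting the cached "not applicable" result until the TTL expires; a short TTL limits that window.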
This attribute must be enabled if you create a policy whose subject includes a member in a remote Directory Server that is aliased to a local user. This attribute must be enabled, for example, if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias to a local user (such as uid=luser) in OpenSSO Enterprise. When you log in as rmuser, a session is created with the local user (luser) and policy enforcement is successful.
Defines the policy response provider plug-ins that are enabled for the realm. Only the response provider plug-ins selected in this attribute can be added to policies defined in the realm.
Defines the dynamic response attributes that are enabled for the realm. Only a subset of names selected in this attribute can be defined in the dynamic attributes list in IDResponseProvider to be added to policies defined in the realm.
This attribute specifies the duration (in seconds) between each cache cleanup.
Specifies the attribute name used to store name identifier information on a user's entry. If nothing is specified, the default attribute (sun-fm-saml2-nameid-info) will be used. The corresponding datastore bind user must have read/write/search/compare permission to this attribute.
Specifies the attribute name used to store the name identifier key on a user's entry. If not specified, the default attribute (sun-fm-saml2-nameid-infokey) will be used. The corresponding datastore bind user must have read/write/search/compare permission to this attribute. You must also make sure that the equality type index is added.
Specifies the cookie domain for the SAMLv2 IDP discovery cookie.
Specifies cookie type used in SAMLv2 IDP Discovery Service, either Persistent or Session. Default is Session.
Specifies URL scheme used in SAMLv2 IDP Discovery Service.
Specifies implementation class name for the SAMLv2 Encryption Provider interface. The class is used to perform XML encryption and decryption in SAMLv2 profiles.
This is used in the com.sun.identity.saml2.xmlenc.FMEncProvider class. If enabled, it will include EncryptedKey inside a KeyInfo in the EncryptedData element when performing the XML encryption operation. If it is not enabled, EncryptedKey is placed alongside the EncryptedData element as a sibling. Default is enabled.
If enabled, the signing certificate used by identity provider and service provider will be validated against certificate revocation list (CRL) configured in the Security settings under the Sites and Servers tab. If the certificate is not validated and accepted, it will stop and return a validation error without doing further XML signature validation.
If enabled, the SAML identity provider or service provider will validate the certificate that is used in signing. If the certificate is validated and accepted, the provider will validate the signature. If not, it will stop and return a validation error.
If enabled, the signing certificate used by identity provider and service provider will be validated against the trusted CA list. If the certificate is not validated and accepted, it will stop and return a validation error without doing further XML signature validation.
The SAMLv2 SOAP Binding service provides SOAP-based exchange of SAMLv2 Request and Response messages between an OpenSSO Enterprise Client and the OpenSSO Enterprise Server. The requests received are delegated to the request handler for further processing. The key to the Request Handler and the meta alias is in the SOAP Binding service URL. A mapping of the meta alias and the RequestHandler is stored in the SAMLv2 SOAP Binding service, which can be read from the OpenSSO Enterprise configuration store.
The RequestHandlerList is a list of key/value pair entries containing the mapping of the meta alias to the RequestHandler implementation. This attribute must be set if an OpenSSO Enterprise 8.0 server is being configured to act as a Policy Decision Point (PDP).
The Key is the Policy Decision Point meta alias and the Class is the Java class name of the RequestHandler interface implementation that can process XACML Requests.
For example, if the meta alias of the XACML Policy Decision Point is /pdp and the implementation of the interface is com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler, then the key should be set to /pdp and the class should be set to com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler.
The RequestHandler interface must be implemented on the server side by each SAMLv2 service that uses the SOAP Binding Service. The Request Handler List attribute stores information about the implementation classes that implement the Request Handler. The Request Handler List displays entries that contain key/value pairs.
Click New to display the New Request Handler attributes or click on a configured key value to modify existing attributes.
Provide values for the attributes based on the following information:
The Key is the Policy Decision Point meta alias.
The Class is the Java class name, which is the implementation of RequestHandler Interface which can process XACML Requests.
Click OK to complete the Request Handler configuration.
Click Save on the SAMLv2 SOAP Binding page to complete the service configuration.
The attributes contained in this service define the dynamic configuration for the OpenSSO Enterprise Security Token Service (STS). These attributes define the following configuration:
Issuing and creating security tokens
Web services security for the STS itself, for securing STS service endpoints. The Signing and Encryption attributes configure how the service provider validates incoming WS-Trust requests and secures outgoing WS-Trust responses. The Security Mechanism attribute defines the security credential of the security tokens.
SAML configuration to request SAML attribute mapping in the security token (through a SAML assertion) when the configured STS is specified as a web service provider and receives a SAML token (assertion) generated by a remote STS.
Security token validation received from a web service provider when the token was generated by a remote STS.
You can create dynamic configuration profiles for different OpenSSO Enterprise web services security providers in the Centralized Agent Configuration under the Realms tab.
The name of the Security Token service that issues the security tokens.
This field takes a value equal to:
%protocol://%host:%port%uri/sts
This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.
When enabled, this attribute encrypts the key issued by the Security Token service.
When enabled, this attribute encrypts the security token issued by the Security Token service.
Defines the amount of time for which the issued token is valid.
This attribute specifies the implementation class for the security token provider/issuer.
Defines the alias name for the certificate used to sign the security token issued by the Security Token service.
Defines the implementation class for the end user token conversion.
Defines the type of security credential that is used to secure the security token itself, or the security credential accepted by the Security Token service from the incoming WS-Trust request sent by the client. You can choose from the following security types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos tokens.
LibertyBearerToken — Uses the Liberty-defined bearer token.
LibertySAMLToken — Uses the Liberty-defined SAML token.
LibertyX509Token — Uses the Liberty-defined X509 certificate.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2-HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2-SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
UserNameToken — Uses a user name token to secure the Security Token service requests.
UserNameToken-Plain — Uses a user name token with a clear text password for securing Security Token service requests.
X509Token — Uses the X509 certificate to secure the Security token.
Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming issuer request's security token to generate OpenSSO Enterprise's authenticated security token.
The attribute represents the username/password shared secrets that are used by the Security Token service to validate a UserName token sent by the client as part of the incoming WS-Trust request.
Specifies that the Security Token service must verify the signature of the incoming WS-Trust request.
Specifies that all request headers received by the Security Token Service must be decrypted.
Specifies that all requests received by the Security Token Service must be decrypted.
Specifies that all responses received by the Security Token Service must be signed.
Specifies that all responses sent by the Security Token service must be encrypted.
Defines the reference types used when the Security Token service signs the WS-Trust response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used by the Security Token service to encrypt the WS-Trust response.
Sets the encryption strength used by the Security Token service to encrypt the WS-Trust response. Select a greater value for greater encryption strength.
This attribute defines the private certificate key alias that is used to sign the WS-Trust response or to decrypt the incoming WS-Trust request.
This attribute defines the certificate private key type used for signing WS-Trust responses or decrypting WS-Trust requests. The possible types are PublicKey, SymmetricKey, or NoProofKey.
Defines the public certificate key alias used to verify the signature of the incoming WS-Trust request or to encrypt the WS-Trust response.
This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending on your configuration, the domain name of the domain controller may be different from the OpenSSO Enterprise domain name.
Specifies the Kerberos principal as the owner of the generated Security token.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server's domain is different from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for issuing the token. Use the following format, although the format is not required:
hostname.HTTP.keytab
hostname is the hostname of the OpenSSO Enterprise instance.
If enabled, this attribute specifies that the Kerberos token is signed.
All of the following SAML-related attributes apply to the configuration in which the current Security Token service instance acts as the web service provider and receives a SAML token generated by another Security Token service instance.
This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.
SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.
The SAML NameID Mapper for an assertion that is generated for the Security Token service.
When enabled, the generated assertion contains user memberships as SAML attributes.
Defines the SAML Attribute Namespace for an assertion that is generated for the Security Token service.
Defines the list of issuers that are trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise verifies that a received security token was sent by one of these issuers; tokens from any other issuer are rejected.
Defines the list of IP addresses that are trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise verifies that a received security token was sent from one of these hosts; tokens from any other host are rejected.
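The checks an STS acting as web service provider applies to an inbound token, as the preceding attributes describe them (trusted issuer list, trusted IP list, and the SAML_attr_name=Real_attr_name attribute map), as an added illustrative example. This is not OpenSSO Enterprise code: the configuration values, the user profile, and the function names are constructed for the example, and accepting CIDR ranges in the IP list goes beyond the plain addresses the page describes.

```python
"""Illustrative inbound-token checks for an STS acting as web service provider.
Added example, not OpenSSO Enterprise code; all values below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed configuration, in the format the page describes.
TRUSTED_ISSUERS = {"https://sts.partner.example/sts"}
TRUSTED_IPS = ["192.0.2.10", "198.51.100.0/24"]   # CIDR support is an extension
ATTRIBUTE_MAP = ["EmailAddress=mail", "Role=memberOf", " Department = ou "]

# Constructed user profile, standing in for the SSOToken / identity repository.
SAMPLE_PROFILE = {"mail": "alice@example.com", "memberOf": ["staff", "vpn"], "uid": "alice"}


def parse_attribute_map(entries):
    """Parse 'SAML_attr_name=Real_attr_name' entries into a dict.
    Blank entries are skipped; an entry without both sides raises ValueError
    rather than silently producing an empty attribute."""
    mapping = {}
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"bad mapping entry: {entry!r}")
        saml_name, real_name = (s.strip() for s in entry.split("=", 1))
        if not saml_name or not real_name:
            raise ValueError(f"bad mapping entry: {entry!r}")
        mapping[saml_name] = real_name
    return mapping


def build_attribute_statement(mapping, profile):
    """Build the attribute statement: SAML attribute name -> list of values
    fetched from the profile. Attributes absent from the profile are omitted."""
    statement = {}
    for saml_name, real_name in mapping.items():
        if real_name in profile:
            values = profile[real_name]
            statement[saml_name] = list(values) if isinstance(values, (list, tuple)) else [values]
    return statement


def is_trusted(issuer, source_ip, trusted_issuers, trusted_ips):
    """Fail closed: the issuer must be listed AND the sending host must match
    one of the trusted addresses/ranges. Empty lists therefore trust nobody."""
    if issuer not in trusted_issuers:
        return False
    addr = ip_address(source_ip)
    return any(addr in ip_network(t, strict=False) for t in trusted_ips)


def process_token(issuer, source_ip, profile):
    """Return the attribute statement for an accepted token, or None if the
    token fails the issuer/host checks."""
    if not is_trusted(issuer, source_ip, TRUSTED_ISSUERS, TRUSTED_IPS):
        return None
    return build_attribute_statement(parse_attribute_map(ATTRIBUTE_MAP), profile)


if __name__ == "__main__":
    print(process_token("https://sts.partner.example/sts", "198.51.100.7", SAMPLE_PROFILE))
    print(process_token("https://other.example/sts", "198.51.100.7", SAMPLE_PROFILE))
```

The issuer and host checks are deliberately independent of each other and both fail closed; a token that passes one but not the other is still rejected, which matches the page's requirement that OpenSSO Enterprise verify both lists.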
The Session service defines values for an authenticated user session such as maximum session time and maximum idle time. The Session attributes are global, dynamic, or user attributes. The attributes are:
Provides the connection information for the session repository used for the session failover functionality in OpenSSO Enterprise. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart.
Enter a name for the new Sub Configuration.
Enter data for the following fields:
Defines the database user who is used to retrieve and store the session data.
Defines the password for the database user defined in Session Store.
Confirm the password.
Defines the total time a thread is willing to wait for acquiring a database connection object. The value is in milliseconds.
Specifies the URL of the database.
Click Add.
This attribute specifies the maximum number of results returned by a session search. The default value is 120.
This attribute defines the maximum amount of time before a session search terminates. The default value is 5 seconds.
Enables or disables the feature session property change notification. In a single sign-on environment, one OpenSSO Enterprise session can be shared by multiple applications. If this feature is set to ON, if one application changes any of the session properties specified in the Notification Properties list (defined as a separate session service attribute), the notification will be sent to other applications participating in the same single sign-on environment.
Enables or disables session quota constraints. When enforced, session quota constraints let administrators limit the number of active (concurrent) sessions a user may hold, based on the constraint settings at the global level or on the configurations associated with the entities (realm, role, or user) to which that user belongs.
The default setting for this attribute is OFF. You must restart the server if the settings are changed.
Defines the amount of time (in number of milliseconds) that an inquiry to the session repository for the live user session counts will continue before timing out.
After the maximum read time is reached, an error is returned. This attribute will take effect only when the session quota constraint is enabled in the session failover deployment. The default value is 6000 milliseconds. You must restart the server if the settings are changed.
Specifies whether the users with the Top-level Admin Role should be exempt from the session constraint checking. If YES, even though the session constraint is enabled, there will be no session quota checking for these administrators.
The default setting for this attribute is NO. You must restart the server if the settings are changed. This attribute will take effect only when the session quota constraint is enabled.
Specifies the resulting behavior when the user session quota is exhausted. There are two selectable options for this attribute:
The next expiring session will be destroyed.
The new session creation request will be denied.
This attribute takes effect only when the session quota constraint is enabled; the default setting is DESTROY_OLD_SESSION.
If set to YES, this attribute locks users out of the server (denies new logins) when the session repository is down. This attribute takes effect only when Enable Quota Constraints is selected.
When a change occurs on a session property defined in the list, the notification will be sent to the registered listeners. The attribute will take effect when the feature of Session Property Change Notification is enabled.
When set to YES, a minimum set of session properties are stored by the server between the session timeout and purge delay states. This is used to improve memory performance. The following properties are stored:
loginURL
SessionTimedOut
SAML2IDPSessionIndex
If set to OFF, then all session-related attributes are stored by OpenSSO Enterprise after a session timeout.
This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.) Max Session Time limits the validity of the session. It does not get extended beyond the configured value.
This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.)
This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts OpenSSO Enterprise to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. It is recommended that the maximum caching time should always be less than the maximum idle time.
Specifies the maximum number of concurrent sessions allowed for a user.
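A model of how the Session service attributes above interact (Max Session Time, Max Idle Time, Max Caching Time, the session quota, the top-level admin exemption, the quota-exhaustion action, and the repository-down setting), as an added illustrative example. This is not OpenSSO Enterprise code: the class and attribute names, the constant DENY_ACCESS for the "deny new session" option, the assumption that a login proceeds without a quota count when the repository is down and the lockout attribute is NO, and all sample values are constructed for the example.

```python
"""Illustrative model of the Session service quota and lifetime attributes.
Added example, not OpenSSO Enterprise code. Config times are in minutes,
as on the page; timestamps are seconds."""
from dataclasses import dataclass

DESTROY_OLD_SESSION = "DESTROY_OLD_SESSION"   # option named on the page
DENY_ACCESS = "DENY_ACCESS"                   # assumed name for "deny new session"


@dataclass
class SessionConfig:
    max_session_time: int = 120         # minutes, page default
    max_idle_time: int = 30             # minutes, page default
    max_caching_time: int = 3           # minutes, page default
    active_user_sessions: int = 5       # quota (constructed value)
    enable_quota_constraints: bool = False
    exempt_top_level_admins: bool = False
    exhaustion_action: str = DESTROY_OLD_SESSION
    deny_login_when_repository_down: bool = False


def validate(cfg):
    """Return the configuration problems a practitioner should catch."""
    problems = []
    if cfg.max_session_time < 1:
        problems.append("Max Session Time must be 1 or higher")
    if cfg.max_idle_time < 1:
        problems.append("Max Idle Time must be 1 or higher")
    if cfg.max_caching_time < 0:
        problems.append("Max Caching Time must be 0 or higher")
    elif cfg.max_caching_time >= cfg.max_idle_time:
        problems.append("Max Caching Time should be less than Max Idle Time")
    if cfg.exhaustion_action not in (DESTROY_OLD_SESSION, DENY_ACCESS):
        problems.append(f"unknown exhaustion action {cfg.exhaustion_action!r}")
    return problems


@dataclass
class Session:
    sid: str
    user: str
    created: int        # seconds since epoch
    last_active: int    # seconds since epoch

    def expires_at(self, cfg):
        """Whichever comes first: the hard Max Session Time measured from
        creation (never extended) or Max Idle Time from the last activity."""
        return min(self.created + cfg.max_session_time * 60,
                   self.last_active + cfg.max_idle_time * 60)

    def is_live(self, cfg, now):
        return now < self.expires_at(cfg)


class SessionStore:
    def __init__(self, cfg, repository_up=True):
        self.cfg = cfg
        self.repository_up = repository_up   # False simulates the repository being down
        self.sessions = {}
        self._counter = 0

    def live_sessions(self, user, now):
        if not self.repository_up:
            raise ConnectionError("session repository unreachable")
        return [s for s in self.sessions.values()
                if s.user == user and s.is_live(self.cfg, now)]

    def create(self, user, now, top_level_admin=False):
        """Create a session under the quota rules. Returns (new_sid, destroyed_sid);
        raises PermissionError when the login must be denied."""
        cfg, destroyed = self.cfg, None
        exempt = cfg.exempt_top_level_admins and top_level_admin
        if cfg.enable_quota_constraints and not exempt:
            try:
                live = self.live_sessions(user, now)
            except ConnectionError:
                if cfg.deny_login_when_repository_down:
                    raise PermissionError("session repository down; login denied")
                live = []   # assumption: attribute NO lets the login proceed uncounted
            if len(live) >= cfg.active_user_sessions:
                if cfg.exhaustion_action == DENY_ACCESS:
                    raise PermissionError("session quota exhausted; new session denied")
                victim = min(live, key=lambda s: s.expires_at(cfg))   # next to expire
                del self.sessions[victim.sid]
                destroyed = victim.sid
        self._counter += 1
        sid = f"{user}-{self._counter}"
        self.sessions[sid] = Session(sid, user, now, now)
        return sid, destroyed
```

The "next expiring session" chosen by DESTROY_OLD_SESSION is the one whose effective expiry (hard limit or idle limit, whichever is sooner) is earliest, not simply the oldest; a recently active old session can outlive a newer idle one.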
The default user preferences are defined through the user service. These include time zone, locale and DN starting view. The User service attributes are dynamic attributes.
This field specifies the user's choice for the text language displayed in the OpenSSO Enterprise console. The default value is en. This value maps a set of localization keys to the user session so that the on-screen text appears in a language appropriate for the user.
This field specifies the time zone in which the user accesses the OpenSSO Enterprise console. There is no default value.
If this user is an OpenSSO Enterprise administrator, this field specifies the node that is the starting point displayed in the OpenSSO Enterprise console when this user logs in. There is no default value. A valid DN for which the user has, at the least, read access can be used.
This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through OpenSSO Enterprise. The default value is Active. Either of the following can be selected from the pull-down menu:
The user can authenticate through OpenSSO Enterprise.
The user cannot authenticate through OpenSSO Enterprise, but the user profile remains stored in the directory.
The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.