Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

SAML Attributes

The SAML module is configured by applying values to its attributes. amSAML.xml is the XML service file that defines the attributes. All SAML attributes are global in that the values applied to them are carried across the Access Manager configuration and inherited by every organization defined in the instance of Access Manager.


Note –

For more information on service files, see Sun Java System Access Manager 7 2005Q4 Administration Guide.


Most attributes in the SAML module can be configured either through the Access Manager Console or the XML service file. amSAML.xml Attributes lists the attributes that can only be configured by modifying the amSAML.xml file. Console Attributes lists the attributes that can be configured using the console or the XML service file.

amSAML.xml Attributes

The following attributes can only be configured through the amSAML.xml file using the amadmin command-line interface.

To Modify Attributes in the amSAML.xml File

  1. Duplicate the amSAML.xml service file and make any changes to the attributes.

  2. Delete the old amSAML.xml service file.

  3. Use amadmin to reload the newly modified amSAML.xml file.

    For more information on amadmin, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.

Console Attributes

The following SAML attributes can be configured by using the Access Manager Console or by modifying amSAML.xml as described in amSAML.xml Attributes. When viewed using the Console, the SAML attributes are separated into the following groups:

Properties Group

The attributes in the Properties group are as follows:

Target Specifier

This attribute assigns a name to the destination site URL value that is used in the redirects discussed in Profile Types. The default is TARGET. Only sites configured in the Trusted Partners attribute can be specified as a TARGET. For information, see Trusted Partners.

Site Identifiers

This attribute defines any site that is hosted by the server on which Access Manager is installed. A default value is defined for the host during installation (with values retrieved from AMConfig.properties), and a Site ID is automatically generated. Multiple entries are possible (for example, load balancing or multiple instances of Access Manager sharing the same Directory Server) although the default site identifier should always remain an entry.


Note –

If configuring SAML for SSL (in both the source and destination site), ensure that the protocol defined in the Instance ID attribute is https://.


To Configure a Site Identifier

You may also edit or duplicate entries already listed.

  1. In the Access Manager Console, click the Federation tab.

  2. Under Federation, click the SAML tab.

  3. Select New under the Site Identifiers attribute.

  4. Enter values for the following attributes:

    Instance ID

    The value of this property is protocol://host:port.

    Site ID

    This identifier is generated for each site, although the value will be the same for multiple servers behind a load balancer. To obtain this identifier manually, type the following at the command line:

    % java -classpath AM-classpath com.sun.identity.saml.common.SAMLSiteID protocol://host:port

    For more information, see com.sun.identity.saml.common Package.

    Issuer Name

    The value of this property is host:port.

  5. Click OK.
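The following added example (not Access Manager's own code) shows how the three Site Identifier values relate to one another: it normalizes an Instance ID of the form protocol://host:port, derives the Issuer Name host:port from it, and enforces the SSL note above. It assumes the 20-byte Site ID is the SHA-1 digest of the Instance ID string, Base64-encoded, as SAML 1.x recommends for a SourceID; the SAMLSiteID tool may derive it differently.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Added example, not Access Manager's own code.
# Assumption: Site ID = Base64(SHA-1(Instance ID)), which yields the
# 20-byte sequence the Source ID subattribute expects.

DEFAULT_PORTS = {"http": 80, "https": 443}


def site_id(instance_id: str) -> str:
    """Return the Base64-encoded 20-byte Site ID for an Instance ID."""
    digest = hashlib.sha1(instance_id.encode("utf-8")).digest()  # 20 bytes
    return base64.b64encode(digest).decode("ascii")


def site_identifier(instance_id: str, require_ssl: bool = False) -> dict:
    """Build the Instance ID / Site ID / Issuer Name triple for one site.

    require_ssl mirrors the note above: when SAML runs over SSL, the
    Instance ID protocol must be https.
    """
    parts = urlsplit(instance_id)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("Instance ID must be http://host:port or https://host:port")
    if require_ssl and parts.scheme != "https":
        raise ValueError("SSL configured but Instance ID protocol is not https")
    # An omitted port is filled in so that the same site always hashes the same way.
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    normalized = f"{parts.scheme}://{parts.hostname}:{port}"
    return {
        "instance_id": normalized,
        "site_id": site_id(normalized),
        "issuer_name": f"{parts.hostname}:{port}",
    }
```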

Trusted Partners

This attribute defines any trusted partner (remote to the server on which Access Manager is installed) that will be communicating with Access Manager.


Note –

The trusted partner site must have a prearranged trust relationship with one or more of the sites configured in Site Identifiers.


Before configuring a trusted partner, you must determine the partner’s role in the trust relationship. A trusted partner can be a source site (one that generates a single sign-on assertion) or a destination site (one that receives a single sign-on assertion). Following is the procedure for configuring a trusted partner.

To Configure a Trusted Partner

The Trusted Partners attribute can contain one or more entries. Each entry is configured based on the site's defined role. For example, if the partner is the source site, this attribute is configured based on how it will send assertions. If the partner is the destination site, this attribute is configured based on which profile it uses to receive assertions.

  1. In the Access Manager Console, click the Federation tab.

  2. Under Federation, click the SAML tab.

  3. Select New under the Trusted Partners attribute.

  4. Select the role (Destination or Source) of the partner site that you are configuring by checking the appropriate profiles used to communicate with it and click Next.

    Select Web Browser Artifact Profile or Web Browser Post Profile for either Destination, Source, or both, or SOAP Query for Source. The choices made dictate which of the attributes in the following steps need to be configured.

  5. Type values for the Common Settings subattributes based on the selected roles.

    Source ID

    This is a 20-byte sequence (encoded using the Base64 format) that comes from the partner site. It is generally the same value as that used for the Site ID attribute when configuring Site Identifiers.

    Target

    This is the domain of the partner site (with or without a port number). If you want to contact a web page that is hosted in this domain, the redirect URL is picked up from the values defined in Trusted Partners.


    Note –

    If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.


    Site Attribute Mapper

    The class is used to return a list of attribute values defined as AttributeStatements elements in an Authentication Assertion. A site attribute mapper needs to be implemented from one of the included interfaces:

    • com.sun.identity.saml.plugins.SiteAttributeMapper

    • com.sun.identity.saml.plugins.PartnerSiteAttributeMapper

    If no class is defined, no attributes will be included in the assertion. For more information, see SiteAttributeMapper and PartnerSiteAttributeMapper Interfaces.

    Version

    The SAML version used (1.0 or 1.1) to send SAML requests. If this parameter is not defined, the following default values (defined in AMConfig.properties) are used:

    • com.example.identity.saml.assertion.version=1.1

    • com.example.identity.saml.protocol.version=1.1

    Account Mapper

    The class that defines how the subject of an assertion is related to an identity at the destination site. The default is com.sun.identity.saml.plugins.DefaultAccountMapper. An account mapper needs to be implemented from one of the included interfaces:

    • com.sun.identity.saml.plugins.AccountMapper

    • com.sun.identity.saml.plugins.PartnerAccountMapper

    If no class is defined, no attributes will be included in the assertion. For more information, see AccountMapper and PartnerAccountMapper Interfaces.

    Certificate

    A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.

    Host List

    A list of the IP addresses, the DNS host name, or the Certificate name for all hosts within the partner site that can send requests to this authority. This list helps to ensure that the requestor is indeed the intended receiver of the artifact. If the requester is defined in this list, the interaction will continue. If the requester’s information does not match any hosts defined in the host list, the request will be rejected.

    Issuer

    The creator of a generated assertion. The default syntax is hostname:port.

  6. Type values for the Destination subattributes.

    Artifact: SAML URL

    The URL that points to the servlet that implements the Web Browser Artifact Profile. See Web Browser Artifact Profile.

    Post: Post URL

    The URL that points to the servlet that implements the Web Browser POST Profile. See Web Browser POST Profile.

    SOAP Query: Attribute Mapper

    The class that is used to obtain single sign-on information from a query. You need to implement an attribute mapper from the included interface. If no class is specified, the DefaultAttributeMapper will be used. For more information, see com.sun.identity.saml.plugins Package.

    SOAP Query: Action Mapper

    The class that is used to get single sign-on information and map partner actions to Access Manager authorization decisions. You need to implement an action mapper from the included interface. If no class is specified, the DefaultActionMapper will be used. For more information, see com.sun.identity.saml.plugins Package.

  7. Type values for the Source subattributes.

    Artifact: SOAP URL

    The URL to the SAML SOAP Receiver. See SAML SOAP Receiver.

    Authentication Type

    Authentication types that can be used with SAML:

    • NOAUTH

    • BASICAUTH

    • SSL

    • SSLWITHBASICAUTH

    This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the Trusted Partners attribute is required and should be HTTPS. For more information, see Trusted Partners.

    User

    When Basic Authentication is chosen as the Authentication Type, the value of this attribute defines the user identifier of the partner being used to protect the partner’s SOAP receiver.

    User's Password

    When Basic Authentication is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier of the partner being used to protect the partner’s SOAP receiver.

    User's Password (reenter)

    Reenter the password defined previously.

  8. Click Finish to complete the configuration.
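The Target precedence rule from the note in step 5 (an entry with a port number wins over one without), as an added example that is not Access Manager's own code. It assumes, consistently with the machine.sun.com example, that a Target covers its own domain and any subdomain of it; the partner entries are constructed sample data.

```python
from urllib.parse import urlsplit

# Added example, not Access Manager's own code.
# Assumption: a Target matches its domain and subdomains; a Target with a
# port matches only that port (an omitted URL port is the scheme default).

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_target(target: str) -> tuple:
    """Split 'domain' or 'domain:port' into (domain, port-or-None)."""
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return target.lower(), None


def target_matches(target: str, url: str) -> bool:
    """True if the Target covers the URL's host (and port, if the Target has one)."""
    domain, port = parse_target(target)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Require a dot boundary so that evil-sun.com does not match sun.com.
    if host != domain and not host.endswith("." + domain):
        return False
    if port is None:
        return True
    url_port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return url_port == port


def select_partner(partners: list, url: str):
    """Return the matching partner entry; port-qualified Targets take precedence."""
    matches = [p for p in partners if target_matches(p["target"], url)]
    if not matches:
        return None
    # Port-specific entries first, then the longest (most specific) domain.
    matches.sort(key=lambda p: (parse_target(p["target"])[1] is not None,
                                len(parse_target(p["target"])[0])), reverse=True)
    return matches[0]


# Constructed sample entries mirroring the two definitions in the note.
PARTNERS = [
    {"target": "sun.com", "name": "partner-default"},
    {"target": "sun.com:8080", "name": "partner-8080"},
]
```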

Target URLs

If the TARGET URL received through either profile is listed as a value of this attribute, the assertions received will be sent to the TARGET URL using an HTTP FORM POST.


Caution –

Do not use test URLs or any other additional URLs in a POST.


To configure this attribute, type values for the following subattributes:

Protocol

Choose either http or https.

Server Name

The name of the server on which the TARGET URL resides, such as www.sun.com.

Port

The port number, such as 58080.

Path

The URI, such as /amserver/console.

Assertion

The attributes in the Assertion group are as follows:

Assertion Timeout

This attribute specifies the number of seconds before a timeout occurs on an assertion. The default is 420.

Assertion Skew Factor For notBefore Time

This attribute is used to calculate the notBefore time of an assertion. For example, if IssueInstant is 2002-09-24T21:39:49Z, and Assertion Skew Factor For notBefore Time is set to 300 seconds (180 is the default value), the notBefore attribute of the conditions element for the assertion would be 2002-09-24T21:34:49Z.


Note –

The total valid duration of an assertion is defined by the values set in both the Assertion Timeout and Assertion Skew Factor For notBefore Time attributes.
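The validity window the two attributes define, carried through with the page's own figures, as an added example that is not Access Manager's own code. It assumes NotOnOrAfter is IssueInstant plus Assertion Timeout, which the page implies but does not spell out, and shows the check a receiving site applies: a skew factor that is too small rejects assertions from a source whose clock runs slightly ahead, while a timeout that is too large leaves a captured assertion usable for longer.

```python
from datetime import datetime, timedelta, timezone

# Added example, not Access Manager's own code.
# Assumption: NotOnOrAfter = IssueInstant + Assertion Timeout.

ASSERTION_TIMEOUT = 420   # seconds, the documented default
NOTBEFORE_SKEW = 180      # seconds, the documented default


def parse_instant(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2002-09-24T21:39:49Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def format_instant(value: datetime) -> str:
    return value.strftime("%Y-%m-%dT%H:%M:%SZ")


def conditions(issue_instant: str, timeout: int = ASSERTION_TIMEOUT,
               skew: int = NOTBEFORE_SKEW) -> dict:
    """Return the NotBefore / NotOnOrAfter pair and the total validity in seconds."""
    issued = parse_instant(issue_instant)
    return {
        "NotBefore": format_instant(issued - timedelta(seconds=skew)),
        "NotOnOrAfter": format_instant(issued + timedelta(seconds=timeout)),
        "valid_seconds": skew + timeout,
    }


def is_valid_at(cond: dict, now: str) -> bool:
    """Condition check as a destination site applies it: NotBefore <= now < NotOnOrAfter."""
    t = parse_instant(now)
    return parse_instant(cond["NotBefore"]) <= t < parse_instant(cond["NotOnOrAfter"])
```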


Artifact

For more information about artifacts, see Web Browser Artifact Profile. The attributes in the Artifact group are as follows:

Artifact Timeout

This attribute specifies the period of time an assertion that is created for an artifact will be valid. The default is 400.

SAML Artifact Name

This attribute assigns a variable name to a SAML artifact. The artifact is bounded-size data that identifies an assertion and a source site. It is carried as part of a URL query string and conveyed by redirection to the destination site. The default name is SAMLart. Using the default SAMLart, the redirect query string could be http://host:port/deploy-URI/SamlAwareServlet?TARGET=target-URL/&SAMLart=artifact123.

Signing

The attributes in the Signing group are as follows:

Sign SAML Assertion

This attribute specifies whether all SAML assertions will be digitally signed (XML DSIG) before being delivered. Selecting the check box enables this feature.

Sign SAML Request

This attribute specifies whether all SAML requests will be digitally signed (XML DSIG) before being delivered. Selecting the check box enables this feature.

Sign SAML Response

This attribute specifies whether all SAML responses will be digitally signed (XML DSIG) before being delivered. Selecting the check box enables this feature.


Note –

All SAML responses used by the Web Browser POST Profile are digitally signed whether or not this feature is enabled.