Assertion Processing

• Attribute Mapper

• Auto Federation

• Account Mapper

• Artifact Message Encoding

• Transient User

• URL

• Default Relay State

• Adapter

Attribute Mapper

Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultSPAttributeMapper.

Mappings should be configured in the format:

SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Auto Federation

If enabled, Auto-federation automatically federates a user's different provider accounts based on a common attribute. The Attribute field specifies the attribute used to match a user's different provider accounts when auto-federation is enabled.

Account Mapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultSPAccountMapper, the default implementation.

Artifact Message Encoding

This attribute defines the message encoding format for artifact, either URI or FORM.

Transient User

This attribute specifies the identifier of the user to which all identity provider users will be mapped on the service provider side in cases of single sign-on using the transient name identifier.

URL

The Local Authentication URL specifies the URL of the local login page.

The Intermediate URL specifies a URL to which a user can be directed after authentication and before the original request's URL. An example might be a successful account creation page after the auto-creation of a user account.

The External Application Logout URL defines the logout URL for an external application. Once the server receives logout request from the remote partner, a request will be sent to the logout URL using back channel HTTP POST with all cookies. Optionally, a user session property could be sent as HTTP header and POST parameter if a query parameter appsessionproperty (set to the session property name) is included in the URL.

Default Relay State

After a successful SAML v2 operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.

When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:

http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

and then appended to the URL. For example, the service provider initiated single sign-on URL would be:

http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

Adapter

Defines the implementation class for the com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter interface, used to add application-specific processing during the federation process.