Sun OpenSSO Enterprise 8.0 Administration Reference

SAMLv2 Identity Provider Customization

SAMLv2 identity providers contain the following attribute groups:

Assertion Content

Request/Response Signing

Setting the following flags indicate to the identity provider how the service provider signs specific messages:

Authentication Request 

All authentication requests received by this identity provider must be signed. 

Artifact Resolve 

The service provider must sign the ArtifactResolve element.

Logout Request 

The service provider must sign the LogoutRequest element.

Logout Response 

The service provider must sign the LogoutResponse element.

Manage Name ID Request  

The service provider must sign the ManageNameIDRequst element.

Manage Name ID Response 

The service provider must sign the ManageNameIDResponse element.


Select the checkbox to enable encryption for the following elements:


The service provider must encrypt all NameID elements.

Certificate Aliases

This attribute defines the certificate alias elements for the identity provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Name ID Format

Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:

The Name ID format list is an ordered list and the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote Identity Provider.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store

Name ID Value Map

This attribute specifies mapping between the NameID Format attribute and a user profile attribute. If the defined Name ID format is used in protocol, the profile attribute value will be used as NameID value for the format in the Subject. The syntax of each entry is:

NameID Format=User profile attribute

For example:


To add new NameID format, the NameID Value Map attribute needs to be updated with a corresponding entry. The exceptions are persistent, transient and unspecified. For persistent and transient, the NameID value will be generated randomly. For this attribute, unspecified is optional. If it is specified, the NameID value will be the value of the user profile attribute. If it is not specified, an random number will be generated.

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to authentication methods available from the identity provider.


Specifies the implementation of the IDPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.

Default Authentication Context

Specifies the default authentication context type used by the identity provider if the service provider does not send an authentication context request.


Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

  • InternetProtocol

  • InternetProtocolPassword

  • Kerberos

  • MobileOneFactorUnregistered

  • MobileTwoFactorUnregistered

  • MobileOneFactorContract

  • MobileTwoFactorContract

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • X509

  • PGP

  • SPKI

  • XMLDSig

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Telephony

  • NomadTelephony

  • PersonalTelephony

  • AuthenticaionTelephony

  • SecureRemotePassword

  • TLSClient

  • Time-Sync-Token

  • Unspecified


Choose the OpenSSO Enterprise authentication type to which the context is mapped.


Type the OpenSSO Enterprise authentication option.


Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each identity provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

Assertion Time

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the Not Before Time Skew value. The default value is 600. It has no relevance to the notAfter value.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

Basic Authentication

Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Assertion Cache

If enabled, this allows the identity provider to cache assertions to be retrieved later.


Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Assertion Processing

Attribute Mapper

Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.

Mappings should be configured in the format:


For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Account Mapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultIDPAccountMapper, the default implementation.

Local Configuration

These attribute contains configuration specific to the OpenSSO Enterprise instance.

Auth URL

Defines the Authentication URL to which the identity provider will redirect for authentication.

External Application Logout URL

The External Application Logout URL defines the logout URL for an external application. Once the server receives logout request from the remote partner, a request will be sent to the logout URL using back channel HTTP POST with all cookies. Optionally, a user session property could be sent as HTTP header and POST parameter if a query parameter appsessionproperty (set to the session property name) is included in the URL.


Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.

Caution – Caution –

The names used in the metaAlias must not contain a /.

Artifact Resolution Service

Defines the endpoint(s) that support the Artifact Resolution profile. Location specifies the URL of the provider to which the request is sent. Index specifies a unique integer value to the endpoint so that it can be referenced in a protocol message.

Single Logout Service

The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the identity provider.

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:

Manage Name ID Service

This services defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. . The binding types are:

Single Sign-On Service

Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All identity providers must support at least one such endpoint.

Location specifies the URL of the provider to which the request is sent. The binding types are:



Defines the URL endpoint on Identity Provider that can handle SAE (Secure Attribute Exchange) requests.

App Secret List

Defines the application security configuration. Each application must one entry. Each entry has the following format:

url=IDPAppURL|type=symmetric_orAsymmetric|secret=ampassword encoded shared secret OR or pubkeyalias=idp app signing cert

IDP Mapper Session

Defines an implementation class for the session mapper SPI. The mapper finds a valid session from HTTP servlet request on the identity provider with an ECP profile.