WS-Federation Entity Provider Attributes
The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the following roles:
-
Identity Provider
-
Service Provider
WS-Federation General Attributes
The following attributes are common to both Identity and Service Provider types:
SP Display Name
This attribute defines the name the WS-Federation service provider. The default is the meta alias given at creation time.
IDP Display Name
This attribute defines the name the WS-Federation identity provider. The default is the meta alias given at creation time.
Realm
Displays the realm to which the provider belongs.
Token Issuer Name
Defines a unique identifier for the identity or service provider.
Token Issuer Endpoint
Specifies the URL at which the identity or service provider is providing WS-Federation services. For example:
https://demo.example.com/OpenSSO Enterprise/WSFederationServlet/metaAlias/example
WS-Federation Identity Provider Customization
The following attributes apply to the WS-Federation Identity Provider role:
NameID Format
Defines the format of the name identifier component of the single sign-on response sent from the identity provider to the service provider. WS-Federation single sign-on supports the following identifier formats (default is UPN):
-
Email
-
Common Name
-
UPN – User Principal Name. The syntax is username@domain, where an example of domainis example.com.
NameID Attribute
Defines the attribute in the user's profile that will be used as the name ID value. The default is uid.
Name Includes Domain
When using the UPN format defined in the NameID Format attribute, this specifies whether the NameID Attribute in the user's profile includes a domain. If it does, then the NameID Attribute will be used for the UPN as it is currently defined. Otherwise, it is combined with a domain to form a UPN.
Domain Attribute
When using the UPN format, if the Name Includes Domain attribute is not selected, this specifies an attribute in the user's profile to be used as the UPN domain.
UPN Domain
When using UPN format, if the Name Includes Domain attribute is not selected, and if a value for Domain Attribute is not specified, or if there is no value for that attribute for a particular user, then this attribute is used to constructing the UPN.
Signing Cert Alias
This attribute specifies the provider certificate alias used to find the assertion signing certificate in the keystore.
Claim Types
Specifies the claim type so the WS-Federation service can recognize the type of token that is exchanged between federation partners.
The EmailAddress claim type is used to identify a specific security principal by an email address.
The UPN claim type is used to identify a specific security principal via a User Principal Name.
The CommonName claim type is used to identify a security principal via a CN value consistent with X.500 naming conventions. The value of this claim is not necessarily unique and should not be used for authorization purposes.
Account Mapper
This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.DefaultIDPAccountMapper.
Attribute Mapper
This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper.
Attribute Map
Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
Assertion Effective Time
Assertions are valid for a period of time and not before or after.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
WS-Federation Service Provider Customization
The following attributes apply to the WS-Federation service provider role:
Assertion Signed
All assertions received by this service provider must be signed.
Account Mapper
This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfed.plugins.
DefaultADFSPartnerAccountMapper is the default implementation.
Attribute Mapper
This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper.
Attribute Map
Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML_attr=local-attribute
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
Assertion Effective Time
Assertions are valid for a period of time and not before or after.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
Assertion Skew Time
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.
Default Relay State
After a successful WS-Federation operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.
Caution – When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc¶m2=xyz, it must be URL-encoded as:
http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
and then appended to the URL. For example, the service provider initiated single sign-on URL would be:
http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
Home Realm Discovery
Specifies the service so that the service provider can identify the preferred identity provider. The service URL is specified as a contact endpoint by the service provider.
Account Realm Selection
Specifies the identity provider selection mechanism and configuration. Either the cookie or HTTP Request header attribute can be used to locate the identity provider.
- © 2010, Oracle Corporation and/or its affiliates