Assertion Content (Sun OpenSSO Enterprise 8.0 Administration Reference)

Sun OpenSSO Enterprise 8.0 Administration Reference

Assertion Content

Request/Response Signing

Select any checkbox to enable signing for the following SAMLv2 service prover requests or responses:

Authentication Requests Signed	All authentication requests received by this service provider must be signed.
Assertions Signed	All assertions received by this service provider must be signed.
POST Response Signed	The identity provider must sign the single sign-on Response element when POST binding is used
Artifact Response	The identity provider must sign the `ArtifactResponse` element.
Logout Request	The identity provider must sign the `LogoutRequest` element.
Logout Response	The identity provider must sign the `LogoutResponse` element.
Manage Name ID Request	The identity provider must sign the `ManageNameIDRequst` element.
Manage Name ID Response	The identity provider must sign the `ManageNameIDResponse` element.

Encryption

Select any checkbox to enable encryption for the following elements:

Attribute	The identity provider must encrypt all `AttributeStatement` elements.
Assertion	The identity provider must encrypt all `Assertion` elements.
NameID	The identity provider must encrypt all `NameID` elements.

Certificate Aliases

This attribute defines the certificate alias elements for the service provider. signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Name ID Format

Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity

The Name ID format list is an ordered list, the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list is chosen and supported by the remote Identity Provider.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary and no data will be written to the user's persistent data store

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider .

Mapper

Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContexteMapper.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

InternetProtocol
InternetProtocolPassword
Kerberos
MobileOneFactorUnregistered
MobileTwoFactorUnregistered
MobileOneFactorContract
MobileTwoFactorContract
Password
Password-ProtectedTransport
Previous-Session
X509
PGP
SPKI
XMLDSig
Smartcard
Smartcard-PKI
Software-PKI
Telephony
NomadTelephony
PersonalTelephony
AuthenticaionTelephony
SecureRemotePassword
TLSClient
Time-Sync-Token
Unspecified

Level

Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

Comparison Type

Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:

exact where the authentication context statement in the assertion must be the exact match of, at least, one of the authentication contexts specified.
minimum where the authentication context statement in the assertion must be, at least, as strong (as deemed by the identity provider) one of the authentication contexts specified.
maximum where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.
better where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.

The default value is exact.

Assertion Time Skew

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.

Basic Authentication

Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.