Sun Java System Access Manager 6 2005Q1 Administration Guide 

Chapter 42  
SAML Service Attributes

The Security Assertion Markup Language (SAML) Service attributes are global attributes. The values applied to them are carried across the Sun Java System Access Manager configuration and inherited by every configured organization. (They cannot be applied directly to roles or organizations, because the purpose of global attributes is to customize the Access Manager application itself.)

For more information about the SAML Service architecture, see the Access Manager Developer’s Guide.

The SAML attributes are as follows:

Site ID And Site Issuer Name

This attribute contains a list of entries, with each entry containing an instance ID, site ID, and site issuer name. A default value will be assigned during installation. The format is as follows:

instanceid=serverprotocol://servername:portnumber|siteid=site_id|issuerName=site_issuer_name

After configuring this attribute for SSL (in both the source and destination sites), make sure that the instanceid protocol is https://.

Sign SAML Request

This attribute specifies whether all SAML requests will be digitally signed (XML DSIG) before being delivered. Clicking on this option will enable this feature.

Sign SAML Response

This attribute specifies whether all SAML responses will be digitally signed (XML DSIG) before being delivered. Clicking on this option will enable this feature.

All SAML responses used by the SAML Web Post profile will be digitally signed whether this option is enabled or not enabled.

Sign Assertion

This attribute specifies whether all SAML assertions will be digitally signed (XML DSIG) before being delivered. Clicking on this option will enable this feature.

SAML Artifact Name

This attribute assigns a variable name to a SAML artifact defined in the SAML Service configuration. A SAML artifact is bounded-size data that identifies an assertion and a source site. It is carried as part of a URL query string and conveyed by a redirection to the destination site. The default is SAMLart. For example, using the default SAMLart service configuration, the redirect query string could be:

http://host:port/deploy_URI/SamlAwareServlet?TARGET=http://URL/&SAMLart=artifact123

Target Specifier

This attribute assigns a variable name to the destination site URL used in the redirect. The default is Target.

Artifact Timeout

This attribute specifies the timeout for an assertion created for an artifact. The default is 400.

Assertion Skew Factor For notBefore Time

This attribute is used to calculate the notBefore time of an assertion. For example, if the IssueInstant is 2002-09-24T21:39:49Z, and the Assertion Skew Factor For notBefore Time value is set to 300 seconds (180 is the default value), the notBefore attribute of the conditions element for the assertion would be 2002-09-24T21:34:49Z.

Assertion Timeout

This attribute specifies the number of seconds before a timeout occurs on an assertion. The default is 420.


Note

The total valid duration of an assertion is defined by the values set in both the Assertion Skew Factor For notBefore Time and Assertion Timeout attributes.
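The notBefore calculation just described, together with the combined window the Note refers to, as an added Python example that is not part of the Access Manager documentation or product. It assumes that NotOnOrAfter is the IssueInstant plus the Assertion Timeout, and it checks a presented assertion against that window with NotBefore inclusive and NotOnOrAfter exclusive, which is how SAML conditions are ordinarily evaluated; the timestamps are the ones from the paragraph above.

```python
from datetime import datetime, timedelta, timezone

# Defaults given on this page, in seconds.
DEFAULT_SKEW_NOT_BEFORE = 180
DEFAULT_ASSERTION_TIMEOUT = 420

INSTANT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_instant(value: str) -> datetime:
    """Parse a UTC instant in the form used on this page, e.g. 2002-09-24T21:39:49Z."""
    return datetime.strptime(value, INSTANT_FORMAT).replace(tzinfo=timezone.utc)


def format_instant(value: datetime) -> str:
    return value.astimezone(timezone.utc).strftime(INSTANT_FORMAT)


def conditions_window(issue_instant: str,
                      skew_seconds: int = DEFAULT_SKEW_NOT_BEFORE,
                      timeout_seconds: int = DEFAULT_ASSERTION_TIMEOUT):
    """Return (NotBefore, NotOnOrAfter) for an assertion issued at issue_instant.

    NotBefore = IssueInstant - skew, as the page states.
    NotOnOrAfter = IssueInstant + timeout is this example's assumption.
    """
    issued = parse_instant(issue_instant)
    not_before = issued - timedelta(seconds=skew_seconds)
    not_on_or_after = issued + timedelta(seconds=timeout_seconds)
    return format_instant(not_before), format_instant(not_on_or_after)


def window_seconds(not_before: str, not_on_or_after: str) -> int:
    """Total valid duration of the assertion, to which both attributes contribute."""
    delta = parse_instant(not_on_or_after) - parse_instant(not_before)
    return int(delta.total_seconds())


def is_valid_at(not_before: str, not_on_or_after: str, now: str) -> bool:
    """Receiver-side check: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    t = parse_instant(now)
    return parse_instant(not_before) <= t < parse_instant(not_on_or_after)


if __name__ == "__main__":
    # The page's worked example: skew set to 300 seconds instead of the default 180.
    nb, noa = conditions_window("2002-09-24T21:39:49Z", skew_seconds=300)
    print("NotBefore:", nb, "NotOnOrAfter:", noa, "window:", window_seconds(nb, noa), "s")
    print("accepted at issue instant:", is_valid_at(nb, noa, "2002-09-24T21:39:49Z"))
    print("accepted at NotOnOrAfter:", is_valid_at(nb, noa, noa))
```

With the page's values (skew 300, default timeout 420) the window runs from 21:34:49Z up to but not including 21:46:49Z, a total of 720 seconds; raising either attribute lengthens the period during which a captured assertion would still be accepted.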


Trusted Partner Sites

This attribute stores a partner's information so that one site can establish a trusted relationship to communicate with another partner site.

This attribute contains a list of entries, with each entry containing key/value pairs (separated by “|”). The source ID is required for each entry. For example:

SourceID=siteid|SOAPURL=https://servername:portnumber/amserver/SAMLSOAPReceiver|AuthType=SSL|hostlist=ipaddress (or server DNS name, or cert alias)

The parameters are:

Table 42-1  Trusted Partner Sites Parameters

SourceID

The 20-byte sequence defined as in the SiteID and Issuer name.

target

This parameter is defined in a specific domain, with or without a port number. If you wish to contact a web page hosted in that specific domain, target specifies the redirect to a URL defined by the SAMLUrl or POSTUrl parameters for further processing.

If there are two entries (one containing a port number and one not containing a port number) that have the same domain specified in the Trusted Partner Sites attribute, the entry with the port number has a higher priority.

For example, if you have the following two trusted partner sites definitions:

target=sun.com|SAMLUrl=http://machine1.sun.com:8080/amserver/SAMLAwareServlet

and

target=sun.com:8080|SAMLUrl=http://machine2.sun.com:80/amserver/SAMLAwareServlet

and are seeking the following page:

http://somemachine.sun.com:8080/index.html

the second definition will be chosen as the SAML service provider because the matching domain and port coexist in the target parameter.

SAMLUrl

Defines the URL that provides the SAML service. The servlet specified in the URL implements the Web-browser SSO with Artifact profile defined in the OASIS-SAML Bindings and Profiles specification.

POSTUrl

Defines the URL that provides the SAML service. The servlet specified in this URL implements the Web-browser SSO with POST profile defined in the OASIS-SAML Binding and Profiles specification.

issuer

Defines the creator of an assertion generated within Access Manager. The syntax is hostname:port.

SOAPUrl

Specifies the SOAP Receiver service URL.

AuthType

Defines the authentication type used in SAML. It should be one of the following:

  • NOAUTH
  • BASICAUTH
  • SSL
  • SSLWITHBASICAUTH

This parameter is optional, and if not specified, the default is NOAUTH.

If BASICAUTH or SSLWITHBASICAUTH is specified, the User parameter is required and the SOAPUrl should be HTTPS.

User

Defines the uid of the partner which is used to protect the partner’s SOAP Receiver.

version

Defines the SAML version used to send SAML requests. Specify either 1.0 or 1.1 for the SAML version. If this parameter is not defined, the following default values are used from AMConfig.properties:

com.example.identity.saml.assertion.version=1.1

com.example.identity.saml.protocol.version=1.1

hostlist

This parameter lists the IP addresses and/or the certAlias for all of the hosts, within the specified partner site, that can send requests to this site. This ensures that the requester is indeed the intended receiver for the SAML artifact.

If the requester’s host or client certificate is in this list in the receiver’s site, the service will continue. If the host or client certificate does not match any of those hosts or certificates in the hostlist, the SAML service will reject the request.
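One way to apply the rules stated for these parameters in code, as an added Python example that is not part of the Access Manager documentation or product. It parses entries in the key=value|key=value form shown under Trusted Partner Sites, chooses the sender entry for a page URL using the domain-and-port priority described under target, checks a requester against the hostlist, and flags entries that break the SourceID, AuthType, User and SOAPUrl rules. The sample entries are constructed; case-insensitive key matching (the page writes both SOAPURL and SOAPUrl) and a comma-separated hostlist are this example's assumptions.

```python
from urllib.parse import urlsplit

VALID_AUTH_TYPES = {"NOAUTH", "BASICAUTH", "SSL", "SSLWITHBASICAUTH"}


def parse_entry(entry: str) -> dict:
    """Split one Trusted Partner Sites entry into its '|'-separated key=value pairs.

    Keys are lowercased because the page itself writes both SOAPURL and SOAPUrl;
    treating them case-insensitively is this example's assumption.
    """
    params = {}
    for pair in entry.split("|"):
        if not pair.strip():
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair (no '='): {pair!r}")
        params[key.strip().lower()] = value.strip()
    return params


def lint_entry(params: dict) -> list:
    """Report violations of the rules stated for the parameters above."""
    problems = []
    if "sourceid" not in params:
        problems.append("SourceID is required in every entry")
    auth = params.get("authtype", "NOAUTH")  # optional; defaults to NOAUTH
    if auth not in VALID_AUTH_TYPES:
        problems.append(f"unknown AuthType {auth!r}")
    if auth in ("BASICAUTH", "SSLWITHBASICAUTH"):
        if "user" not in params:
            problems.append(f"AuthType={auth} requires the User parameter")
        if urlsplit(params.get("soapurl", "")).scheme.lower() != "https":
            problems.append(f"AuthType={auth} requires an https SOAPUrl")
    return problems


def select_partner(entries: list, page_url: str):
    """Choose the entry whose target covers page_url.

    A 'domain:port' target outranks a plain 'domain' target for the same domain,
    as the page describes; a target with a port never matches a different port.
    """
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    best, best_rank = None, 0
    for params in entries:
        target_host, _, target_port = params.get("target", "").lower().partition(":")
        if not target_host:
            continue
        if host != target_host and not host.endswith("." + target_host):
            continue
        if target_port:
            if int(target_port) != port:
                continue
            rank = 2  # domain and port both match
        else:
            rank = 1  # domain-only match
        if rank > best_rank:
            best, best_rank = params, rank
    return best


def requester_allowed(params: dict, requester: str) -> bool:
    """hostlist check: the requester's IP address, DNS name or certAlias must be listed.

    A comma-separated hostlist is this example's assumption; the page does not
    state the separator.
    """
    allowed = {h.strip() for h in params.get("hostlist", "").split(",") if h.strip()}
    return requester in allowed


# Constructed sample entries; host names and the IP address are placeholders.
RECEIVER_ENTRY = parse_entry(
    "SourceID=siteid|SOAPURL=https://servername:8080/amserver/SAMLSOAPReceiver"
    "|AuthType=SSL|hostlist=192.0.2.10,partner-cert-alias"
)
SENDER_ENTRIES = [
    parse_entry("SourceID=siteid|target=sun.com"
                "|SAMLUrl=http://machine1.sun.com:8080/amserver/SAMLAwareServlet"),
    parse_entry("SourceID=siteid|target=sun.com:8080"
                "|SAMLUrl=http://machine2.sun.com:80/amserver/SAMLAwareServlet"),
]

if __name__ == "__main__":
    print("receiver entry problems:", lint_entry(RECEIVER_ENTRY))
    print(select_partner(SENDER_ENTRIES, "http://somemachine.sun.com:8080/index.html")["samlurl"])
    print(select_partner(SENDER_ENTRIES, "http://somemachine.sun.com/index.html")["samlurl"])
    print(requester_allowed(RECEIVER_ENTRY, "192.0.2.10"),
          requester_allowed(RECEIVER_ENTRY, "198.51.100.7"))
```

Running the block shows the page's own case: the request for somemachine.sun.com:8080 selects the machine2 entry because both domain and port match, while the same page on the default port falls back to the domain-only machine1 entry. The lint function is the kind of check worth running whenever an entry is edited, since a BASICAUTH entry with a plain http SOAPUrl would send the partner's credentials in the clear.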

AccountMapper

Specifies a pluggable class which defines how the subject of an Assertion is related to an identity at the destination site. By default, it is:

com.sun.identity.saml.plugins.DefaultAccountMapper

PartnerAccountMapper

The PartnerAccountMapper interface is implemented to map a partner account to a user account in Sun Java System Access Manager.

attributeMapper

Specifies the class with the path to where the attributeMapper is located. Applications can develop an attributeMapper to obtain either an SSOToken ID or an assertion containing AuthenticationStatement from the query. The mapper is then used to retrieve the attributes for the subject. If no attributeMapper is specified, DefaultAttributeMapper will be used.

actionMapper

Specifies the class with the path to where the actionMapper is located. Applications can develop an actionMapper to obtain either an SSOToken ID or an assertion containing AuthenticationStatement from the query. The mapper is then used to retrieve the authorization decisions for the actions defined in the query. If no actionMapper is specified, DefaultActionMapper will be used.

siteAttributeMapper

Specifies the class with the path where the siteAttributeMapper is located. Applications can develop a siteAttributeMapper to obtain attributes to be included in the assertion during SSO. If no siteAttributeMapper is found, then no attributes will be included in the assertion during SSO.

PartnerSiteAttributeMapper

This interface must be implemented by a partner site. It returns a list of Attribute objects that are to be included, as AttributeStatement elements, in the Authentication Assertion returned to the partner during the SSO scenario of the Browser Artifact and POST profiles.

certAlias=aliasName

Specifies a certAlias name used for verifying the signature in an assertion when the assertion is signed by a partner and the certificate of the partner cannot be found in the KeyInfo portion of the signed assertion.

The following table lists an example configuration for trusted partner sites. Not all of the parameters are necessary for all use cases, so the optional parameters are contained in brackets.

Profile         Sender                     Receiver
artifact        sourceid                   sourceid
                target                     SOAPUrl
                SAMLUrl                    [accountMapper]
                hostlist                   [AuthType]
                [siteAttributeMapper]      [User]
                                           [certAlias]
POST profile    sourceid                   sourceid
                target                     issuer
                POSTUrl                    [accountMapper]
                [siteAttributeMapper]      [certAlias]
SOAP Request                               sourceid
                                           hostlist
                                           [attributeMapper]
                                           [actionMapper]
                                           [certAlias]
                                           [issuer]

POST To Target URLs

If the target URL received through SSO (either the artifact profile or the POST profile) by the site is listed in this attribute, the assertion or assertions received from SSO will be sent to the target URL by an HTTP form POST. Avoid listing test URLs or any other additional URLs in this attribute.





Part No: 817-7647-11.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.