|Sun ONE Identity Server Administration Guide|
Chapter 30 SAML Attributes
The Security Assertion Markup Language (SAML) attributes are global attributes. The values applied to them are carried across the Sun ONE Identity Server configuration and inherited by every configured organization. (They cannot be applied directly to roles or organizations, because the goal of global attributes is to customize the Identity Server application itself.)
For more information about the SAML Service architecture, see the Sun ONE Identity Server Programmer's Guide.
The SAML attributes are as follows:
Site ID And Site Issuer Name
This attribute contains a list of entries, with each entry containing an instance ID, site ID, and site issuer name. The default value will be assigned during installation. The format is as follows:
This attribute specifies whether all SAML requests will be digitally signed (XML DSIG) before being delivered. Selecting this option enables signing of requests.
This attribute specifies whether all SAML responses will be digitally signed (XML DSIG) before being delivered. Selecting this option enables signing of responses.
All SAML responses used by the SAML Web POST profile are digitally signed whether or not this option is enabled.
This attribute specifies whether all SAML assertions will be digitally signed (XML DSIG) before being delivered. Selecting this option enables signing of assertions.
This attribute assigns a variable name to a SAML artifact defined in the SAML Service configuration. A SAML artifact is bounded-size data that identifies an assertion and a source site. It is carried as part of a URL query string and conveyed by a redirection to the destination site. The default is SAMLart.
This attribute assigns a variable name to the destination site URL used in the redirect. The default is Target.
Artifact Timeout (seconds)
This attribute specifies the timeout for an assertion created for an artifact. The default is 120.
Assertion Skew Factor For notBefore Time
This attribute is used to calculate the notBefore time of an assertion. For example, if the IssueInstant is 2002-09-24T21:39:49Z and the Assertion Skew Factor For notBefore Time value is set to 300 seconds (the default value), the notBefore attribute of the Conditions element of the assertion would be 2002-09-24T21:34:49Z.
Assertion Timeout (seconds)
This attribute specifies the number of seconds before a timeout occurs on an assertion. The default is 60.
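The timing attributes above together define the window in which a consumer will accept an assertion. The following Python is an added example, not Sun ONE Identity Server code: it derives notBefore exactly as the page describes (IssueInstant minus the skew factor) and applies the page's default values; treating the Assertion Timeout as counted from IssueInstant to produce NotOnOrAfter, and the artifact-expiry helper, are assumptions made here for illustration.

```python
# Added example (not Sun ONE Identity Server code): deriving an assertion's
# validity window from the timing attributes and checking it the way a
# consumer would. Assumption: Assertion Timeout is counted from IssueInstant.
from datetime import datetime, timedelta, timezone

SKEW_SECONDS = 300              # page default: Assertion Skew Factor For notBefore Time
ASSERTION_TIMEOUT_SECONDS = 60  # page default: Assertion Timeout (seconds)
ARTIFACT_TIMEOUT_SECONDS = 120  # page default: Artifact Timeout (seconds)

INSTANT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # UTC form used by IssueInstant / NotBefore


def parse_instant(text: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2002-09-24T21:39:49Z."""
    return datetime.strptime(text, INSTANT_FORMAT).replace(tzinfo=timezone.utc)


def format_instant(moment: datetime) -> str:
    return moment.astimezone(timezone.utc).strftime(INSTANT_FORMAT)


def not_before(issue_instant: str, skew_seconds: int = SKEW_SECONDS) -> str:
    """notBefore = IssueInstant minus the skew factor (the rule given on the page)."""
    return format_instant(parse_instant(issue_instant) - timedelta(seconds=skew_seconds))


def not_on_or_after(issue_instant: str, timeout_seconds: int = ASSERTION_TIMEOUT_SECONDS) -> str:
    """Assumption: the assertion times out timeout_seconds after IssueInstant."""
    return format_instant(parse_instant(issue_instant) + timedelta(seconds=timeout_seconds))


def conditions_for(issue_instant: str, skew_seconds: int = SKEW_SECONDS,
                   timeout_seconds: int = ASSERTION_TIMEOUT_SECONDS) -> dict:
    """The NotBefore / NotOnOrAfter pair a Conditions element would carry."""
    return {"NotBefore": not_before(issue_instant, skew_seconds),
            "NotOnOrAfter": not_on_or_after(issue_instant, timeout_seconds)}


def is_valid_at(conditions: dict, now: str) -> bool:
    """Consumer-side check: NotBefore <= now < NotOnOrAfter (NotOnOrAfter is exclusive)."""
    moment = parse_instant(now)
    return (parse_instant(conditions["NotBefore"]) <= moment
            < parse_instant(conditions["NotOnOrAfter"]))


def artifact_assertion_expired(created: str, now: str,
                               timeout_seconds: int = ARTIFACT_TIMEOUT_SECONDS) -> bool:
    """An assertion created for an artifact is unusable once Artifact Timeout has elapsed."""
    return parse_instant(now) >= parse_instant(created) + timedelta(seconds=timeout_seconds)


if __name__ == "__main__":
    # The page's worked example: IssueInstant 2002-09-24T21:39:49Z with the 300 s default.
    conds = conditions_for("2002-09-24T21:39:49Z")
    print(conds)                                        # NotBefore 2002-09-24T21:34:49Z
    # A consumer whose clock runs two minutes behind the issuer still accepts it ...
    print(is_valid_at(conds, "2002-09-24T21:37:49Z"))
    # ... and the same assertion is rejected once the timeout has passed.
    print(is_valid_at(conds, "2002-09-24T21:40:49Z"))
```

The skew factor only moves NotBefore earlier, so it widens the acceptance window by exactly that many seconds; set it no larger than the clock drift between sites actually requires, because a consumer will accept an assertion for skew plus timeout seconds in total.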
Trusted Partner Sites
This attribute stores a partner's information so that one site can establish a trusted relationship to communicate with another partner site.
This attribute contains a list of entries, with each entry containing key/value pairs (separated by "|"). The source ID is required for each entry. For example:
The parameters are:
target: a domain name, with or without a port number. If the target URL received by this site is hosted in that domain, the request is redirected to the URL defined by the entry's SAMLUrl or POSTUrl parameter for further processing. If two entries in the Trusted Partner Sites attribute specify the same domain, one with a port number and one without, the entry with the port number has the higher priority.
host list: the IP addresses and/or certAlias values of all hosts within the partner site that are allowed to send requests to this site. This ensures that the requester is indeed the intended receiver of the SAML artifact.
attributeMapper: the class name, including its package path, of the attributeMapper. Applications can develop an attributeMapper to obtain either an SSOToken ID or an assertion containing an AuthenticationStatement from the query; the mapper is then used to retrieve the attributes for the subject. If no attributeMapper is specified, DefaultAttributeMapper is used.
actionMapper: the class name, including its package path, of the actionMapper. Applications can develop an actionMapper to obtain either an SSOToken ID or an assertion containing an AuthenticationStatement from the query; the mapper is then used to retrieve the authorization decisions for the actions defined in the query. If no actionMapper is specified, DefaultActionMapper is used.
siteAttributeMapper: the class name, including its package path, of the siteAttributeMapper. Applications can develop a siteAttributeMapper to obtain attributes to be included in the assertion during SSO. If no siteAttributeMapper is found, no attributes are included in the assertion during SSO.
certAlias: the certAlias name used to verify the signature on an assertion when the assertion is signed by a partner and the partner's certificate cannot be found in the KeyInfo portion of the signed assertion.
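The entry format ("key=value" pairs separated by "|", source ID required), the port-number priority rule for matching a target domain, and the artifact redirect that carries the artifact and target names in the query string are easier to see in code. The following Python is an added example, not Sun ONE Identity Server code: the key spellings (SourceID, target, SAMLUrl, POSTUrl, certAlias), the choice of SAMLUrl as the redirect destination, and the sample entries and source IDs are all assumptions constructed here.

```python
# Added example (not Sun ONE Identity Server code): parse Trusted Partner
# Sites entries, pick the matching partner for a target URL using the
# port-number priority rule, and build the artifact redirect.
# Assumed key spellings: SourceID, target, SAMLUrl, POSTUrl, certAlias.
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

REQUIRED_KEY = "SourceID"          # the page says the source ID is required; spelling assumed
DEFAULT_ARTIFACT_NAME = "SAMLart"  # page default for the artifact query parameter
DEFAULT_TARGET_NAME = "Target"     # page default for the target specifier

# Constructed sample configuration: not real partner sites or source IDs.
SAMPLE_ENTRIES = [
    "target=partner.example.com|SourceID=c29tZS1zb3VyY2UtaWQtMQ==|"
    "SAMLUrl=https://partner.example.com/samlservlet|POSTUrl=https://partner.example.com/postservlet",
    "target=partner.example.com:8443|SourceID=c29tZS1zb3VyY2UtaWQtMg==|"
    "SAMLUrl=https://partner.example.com:8443/samlservlet|certAlias=partnercert",
]


def parse_entry(entry: str) -> dict:
    """Split one entry on '|' into a key/value dict. Rejects malformed fields,
    duplicate keys, and entries that lack the required source ID."""
    pairs = {}
    for field in entry.split("|"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")   # first '=' only: base64 values may end in '='
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed field {field!r}")
        if key in pairs:
            raise ValueError(f"duplicate key {key!r}")
        pairs[key] = value
    if not pairs.get(REQUIRED_KEY):
        raise ValueError(f"entry lacks required {REQUIRED_KEY}")
    return pairs


def entry_is_valid(entry: str) -> bool:
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def select_partner(entries: list, target_url: str) -> Optional[dict]:
    """Find the entry whose target domain matches the URL's host. An entry that
    names a port applies only to that port and outranks a port-less entry for
    the same domain (the priority rule given on the page)."""
    parts = urlsplit(target_url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    domain_match = None
    for entry in entries:
        target_host, _, target_port = entry.get("target", "").partition(":")
        if target_host.lower() != host:
            continue
        if target_port:
            if target_port.isdigit() and int(target_port) == port:
                return entry            # port-specific entry wins outright
            continue                    # right domain, wrong port: not this entry
        domain_match = domain_match or entry
    return domain_match


def build_artifact_redirect(entry: dict, artifact: str, target_url: str,
                            artifact_name: str = DEFAULT_ARTIFACT_NAME,
                            target_name: str = DEFAULT_TARGET_NAME) -> str:
    """Redirect URL carrying the artifact and the target in the query string.
    Assumption: the artifact profile receiver is the entry's SAMLUrl."""
    query = urlencode({artifact_name: artifact, target_name: target_url})
    separator = "&" if urlsplit(entry["SAMLUrl"]).query else "?"
    return f"{entry['SAMLUrl']}{separator}{query}"


def parse_artifact_redirect(url: str, artifact_name: str = DEFAULT_ARTIFACT_NAME,
                            target_name: str = DEFAULT_TARGET_NAME) -> tuple:
    """Receiver side: pull the artifact and target back out of the query string."""
    query = parse_qs(urlsplit(url).query)
    return query.get(artifact_name, [None])[0], query.get(target_name, [None])[0]


if __name__ == "__main__":
    entries = [parse_entry(e) for e in SAMPLE_ENTRIES]
    chosen = select_partner(entries, "https://partner.example.com:8443/app")
    print(chosen["target"])                      # partner.example.com:8443 (port entry wins)
    redirect = build_artifact_redirect(chosen, "AAEAAAZZ", "https://partner.example.com:8443/app")
    print(redirect)
    print(parse_artifact_redirect(redirect))
```

Rejecting an entry without a source ID at parse time, rather than when a request arrives, keeps a misconfigured partner from silently matching nothing; the same applies to duplicate keys, where a later value would otherwise quietly override an earlier one.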
The following table lists an example configuration for trusted partner sites. Not all of the parameters are necessary for all use cases, so the optional parameters are contained in brackets.
POST To Target URLs
If the target URL received through SSO (either the artifact profile or the POST profile) by the site is listed in this attribute, the assertion or assertions received from SSO are sent to the target URL by an HTTP form POST.
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated December 04, 2002