Administration Console Online Help

Previous

Next

Open TOC in new window

SAML 2.0 Credential Mapping Provider: Provider Specific

Configuration Options Related Tasks Related Topics

Use this page to configure provider-specific information for this SAML 2.0 Credential Mapping provider.

Configuration Options

Name Description

Issuer URI
The Issuer URI, or name, of this SAML 2.0 Credential Mapping provider.

The value that you specify for Issuer URI should match the Entity ID specified in the SAML 2.0 General page that configures the per server SAML 2.0 properties.

For more information about this attribute, see the description of the getIssuerURI method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Name Qualifier
The Name Qualifier value used by the Name Mapper.

The value of the Name Qualifier is the security or administrative domain that qualifies the name of the subject. This provides a means to federate names from disparate user stores while avoiding the possibility of subject name collision.

For more information about this attribute, see the description of the getNameQualifier method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Default Time To Live
The time in seconds that, by default, an assertion should remain valid. The default value is 120 seconds (2 minutes).

If the value is zero, then assertions have an infinite lifetime. Using assertions with an infinite lifetime is not recommended, however.

For more information about this attribute, see the description of the getDefaultTimeToLive method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Minimum value: 0

Default Time To Live Offset
The time factor you can use to allow the Credential Mapping provider to compensate for clock differences between the Identity Provider and Service Provider sites.

The value is a positive or negative integer representing seconds. Default value is -5.

Normally, an assertion is valid from the NotBefore time, which defaults to (roughly) the time the assertion was generated, until the NotOnOrAfter time, which is calculated as (NotBefore + TimeToLive). This value is a positive or negative integer indicating how many seconds before or after "now" to which the assertion's NotBefore should be set. If you set a value for DefaultTimeToLiveOffset, then the assertion lifetime is still calculated as (NotBefore + TimeToLive), but the NotBefore value is set to (now + TimeToLiveOffset). As a result, an assertion might have a two minute (120 second) lifetime that starts thirty seconds ago, or starts one minute from now.

For more information about this attribute, see the description of the getDefaultTimeToLiveOffset method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Web Service Assertion Signing Key Alias
The alias used to retrieve from the keystore the key that is used to sign assertions.

This attribute is used for Web Services support of SAML Token Profile only.

For more information about this attribute, see the description of the setSigningKeyAlias method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Web Service Assertion Signing Key Pass Phrase
The credential, or password, used to retrieve from the keystore the keys used to sign assertions.

This attribute is used for Web Services support of SAML Token Profile only.

For more information about this attribute, see the description of the setSigningKeyPassphrase method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Name Mapper Class Name
The Java class that overrides the default SAML 2.0 credential mapper name mapper class, which maps Subjects to identity information contained in the assertion.

For more information about this attribute, see the description of the setNameMapperClassName method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Generate Attributes
Specifies whether information, in addition to the username, will be generated in the SAML 2.0 assertion. For example, group information.

Note that the Service Provider partner needs to have a SAML Authentication provider configured to be able to extract and use the attribute information contained in the assertion.

For more information about this attribute, see the description of the setGenerateAttributes method on the following interface:

com.bea.security.saml2.providers.SAML2CredentialMapperMBean

Related Tasks

Configure Credential Mapping Providers

Manage security providers

Configure SAML 2.0 general services

Configure SAML 2.0 Identity Provider services

Related Topics

API description of the com.bea.security.saml2.providers.SAML2CredentialMapperMBean interface

Configuring Single Sign-On with Web Browsers and HTTP Clients

Using Security Assertion Markup Language (SAML) Tokens For Identity

Configuring a SAML 2.0 Credential Mapping Provider

Understanding Security for Oracle WebLogic Server