The SAMLv2 entity provider type is based on the OASIS Security Assertion Markup Language (SAML) version 2 specification. This entity supports various profiles (single sign-on, single logout, and so forth) when interacting with remote SAMLv2 entities. The SAMLv2 provider entity allows you to assign and configure the following roles:
SAMLv2 service providers contain the following attribute groups:
Select any checkbox to enable signing for the following SAMLv2 service provider requests or responses:
Authentication Requests Signed | All authentication requests received by this service provider must be signed.
Assertions Signed | All assertions received by this service provider must be signed.
POST Response Signed | The identity provider must sign the single sign-on Response element when the POST binding is used.
Artifact Response | The identity provider must sign the ArtifactResponse element.
Logout Request | The identity provider must sign the LogoutRequest element.
Logout Response | The identity provider must sign the LogoutResponse element.
Manage Name ID Request | The identity provider must sign the ManageNameIDRequest element.
Manage Name ID Response | The identity provider must sign the ManageNameIDResponse element.
Select any checkbox to enable encryption for the following elements:
Attribute | The identity provider must encrypt all AttributeStatement elements.
Assertion | The identity provider must encrypt all Assertion elements.
NameID | The identity provider must encrypt all NameID elements.
This attribute defines the certificate alias elements for the service provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that the remote identity provider also supports is chosen.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.
This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper.
Select the check box next to the authentication context class if the identity provider supports it.
The SAMLv2-defined authentication context classes are:
InternetProtocol
InternetProtocolPassword
Kerberos
MobileOneFactorUnregistered
MobileTwoFactorUnregistered
MobileOneFactorContract
MobileTwoFactorContract
Password
Password-ProtectedTransport
Previous-Session
X509
PGP
SPKI
XMLDSig
Smartcard
Smartcard-PKI
Software-PKI
Telephony
NomadTelephony
PersonalTelephony
AuthenticatedTelephony
SecureRemotePassword
TLSClient
Time-Sync-Token
Unspecified
Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.
In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.
Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:
exact where the authentication context statement in the assertion must be the exact match of, at least, one of the authentication contexts specified.
minimum where the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the authentication contexts specified.
maximum where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.
better where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.
The default value is exact.
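The four comparison types, evaluated over authentication levels, as an added example (not OpenSSO code). It assumes a constructed mapping of context classes to levels, reads "stronger" as a higher level, takes "maximum" as not exceeding the strongest requested context and "better" as exceeding all of them; it accepts either bare class names or the full SAMLv2 class URNs.

```python
# Added example (not OpenSSO code): evaluate the Authentication Context
# Comparison Type against the authentication levels a deployment assigns to
# its context classes. The level values below are constructed for illustration.
AUTHN_CONTEXT_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumed mapping: SAMLv2 context class -> OpenSSO authentication level.
# A higher level means the authentication method is trusted more.
CONTEXT_LEVELS = {
    "PasswordProtectedTransport": 1,
    "TLSClient": 2,
    "Smartcard": 3,
    "SmartcardPKI": 4,
}

COMPARISON_TYPES = ("exact", "minimum", "maximum", "better")


def class_name(context):
    """Accept either the bare class name or the full URN and return the name."""
    if context.startswith(AUTHN_CONTEXT_PREFIX):
        return context[len(AUTHN_CONTEXT_PREFIX):]
    return context


def context_satisfies(asserted, requested, comparison="exact", levels=CONTEXT_LEVELS):
    """Return True when the AuthnContext class found in the assertion satisfies
    the requested classes under the given comparison type (default: exact).

    exact:   the asserted class is one of the requested classes
    minimum: the asserted level is at least the weakest requested level
    maximum: the asserted level does not exceed the strongest requested level
    better:  the asserted level exceeds every requested level
    """
    if comparison not in COMPARISON_TYPES:
        raise ValueError(f"unknown comparison type: {comparison!r}")
    asserted = class_name(asserted)
    requested = [class_name(r) for r in requested]
    if not requested:
        return False
    if comparison == "exact":
        return asserted in requested
    # The remaining comparisons rank classes by level; a class with no
    # assigned level cannot be ranked and therefore never satisfies them.
    if asserted not in levels or any(r not in levels for r in requested):
        return False
    asserted_level = levels[asserted]
    requested_levels = [levels[r] for r in requested]
    if comparison == "minimum":
        return asserted_level >= min(requested_levels)
    if comparison == "maximum":
        return asserted_level <= max(requested_levels)
    return asserted_level > max(requested_levels)  # better
```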
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.
Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultSPAttributeMapper.
Mappings should be configured in the format:
SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
If enabled, Auto-federation automatically federates a user's different provider accounts based on a common attribute. The Attribute field specifies the attribute used to match a user's different provider accounts when auto-federation is enabled.
Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultSPAccountMapper, the default implementation.
This attribute defines the message encoding format for artifact, either URI or FORM.
This attribute specifies the identifier of the user to which all identity provider users will be mapped on the service provider side in cases of single sign-on using the transient name identifier.
The Local Authentication URL specifies the URL of the local login page.
The Intermediate URL specifies a URL to which a user can be directed after authentication and before the original request's URL. An example might be a successful account creation page after the auto-creation of a user account.
The External Application Logout URL defines the logout URL for an external application. Once the server receives a logout request from the remote partner, a request is sent to the logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and POST parameter if the query parameter appsessionproperty (set to the session property name) is included in the URL.
After a successful SAML v2 operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.
When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:
http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
and then appended to the URL. For example, the service provider initiated single sign-on URL would be:
http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
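Building the service provider initiated single sign-on URL above with a URL-encoded RelayState, as an added example (not OpenSSO code). It percent-encodes every query value, not only RelayState, and shows what a receiver sees when the RelayState is appended unencoded; host:port and deploy-uri are the page's placeholders.

```python
# Added example (not OpenSSO code): encode RelayState for the spSSOInit.jsp
# query string and show why an unencoded RelayState is split apart by the
# receiver. The base URL keeps the page's host:port/deploy-uri placeholders.
from urllib.parse import parse_qs, quote, urlsplit

SP_SSO_INIT = "http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp"


def build_sp_sso_init_url(meta_alias, idp_entity_id, relay_state, base=SP_SSO_INIT):
    """Append the query parameters, percent-encoding every value.
    safe="" makes quote() encode ':', '/', '?', '=' and '&' as well, which is
    exactly what a RelayState that is itself a URL with parameters needs."""
    params = [
        ("metaAlias", meta_alias),
        ("idpEntityID", idp_entity_id),
        ("RelayState", relay_state),
    ]
    query = "&".join(f"{name}={quote(value, safe='')}" for name, value in params)
    return f"{base}?{query}"


def query_params(url):
    """Parse the query string the way a receiver does: split on '&' first,
    then on the first '=', then percent-decode each value."""
    return parse_qs(urlsplit(url).query)


def relay_state_from_url(url):
    """Return the RelayState the receiver recovers, or None if absent."""
    return query_params(url).get("RelayState", [None])[0]
```

With the unencoded form, `param2` is no longer part of RelayState but becomes a separate top-level query parameter, so the user is returned to the wrong resource.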
Defines the implementation class for the com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter interface, used to add application-specific processing during the federation process.
Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.
The names used in the metaAlias must not contain a /.
The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the service provider.
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
This service defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
This service processes the responses that a service provider receives from an identity provider. When a service provider wants to authenticate a user, it sends an authentication request to an identity provider.
HTTP-Artifact specifies a non-browser SOAP-based protocol.
HTTP-Post specifies a browser-based HTTP POST protocol.
PAOS defines the URL location for PAOS binding.
Location specifies the URL of the provider to which the request is sent. Index specifies the URL in the standard metadata. Default is the default URL to be used for the binding.
Defines the URL endpoint on a service provider that can handle SAE (Secure Attribute Exchange) requests. If this URL is empty (not configured), SAE single sign-on is not enabled and normal SAMLv2 single sign-on responses are sent to the service provider.
Defines the URL endpoint on a Service Provider that can handle SAE global logout requests.
This attribute defines the application security configuration. Each application must have one entry. Each entry has the following format:
url=SPAppURL|type=symmetric or asymmetric|secret=ampassword-encoded shared secret
Defines the implementation class of the IDP list finder SPI. This returns a list of preferred identity providers that are trusted by the ECP.
Specifies a URI reference that can be used to retrieve the complete identity provider list if the IDPList element is not complete.
Defines a list of identity providers for the ECP to contact. This is used by the default implementation of the IDP Finder (for example, com.sun.identity.saml2.plugins.ECPIDPFinder).
Proxy Authentication Configuration attributes define values for dynamic identity provider proxying. Select the check box to enable proxy authentication for a service provider.
Select the check box if you want introductions to be used to find the proxying identity provider.
Enter the maximum number of identity providers that can be used for proxy authentication.
Add a list of identity providers that can be used for proxy authentication. Type the URI defined as the provider's identifier in New Value and click Add.
SAMLv2 identity providers contain the following attribute groups:
Setting the following flags indicates to the identity provider how the service provider signs specific messages:
Authentication Request | All authentication requests received by this identity provider must be signed.
Artifact Resolve | The service provider must sign the ArtifactResolve element.
Logout Request | The service provider must sign the LogoutRequest element.
Logout Response | The service provider must sign the LogoutResponse element.
Manage Name ID Request | The service provider must sign the ManageNameIDRequest element.
Manage Name ID Response | The service provider must sign the ManageNameIDResponse element.
Select the checkbox to enable encryption for the following elements:
NameID | The service provider must encrypt all NameID elements.
This attribute defines the certificate alias elements for the identity provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that the remote identity provider also supports is chosen.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.
This attribute specifies the mapping between a NameID Format and a user profile attribute. If the defined Name ID format is used in the protocol, the profile attribute value is used as the NameID value for that format in the Subject. The syntax of each entry is:
NameID Format=User profile attribute
For example:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail
To add a new NameID format, the NameID Value Map attribute needs to be updated with a corresponding entry. The exceptions are persistent, transient and unspecified. For persistent and transient, the NameID value is generated randomly. For this attribute, unspecified is optional: if it is specified, the NameID value is the value of the user profile attribute; if it is not specified, a random number is generated.
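The NameID Value Map rules above, worked through as an added example (not OpenSSO code): it parses `NameID Format=User profile attribute` entries and resolves the Subject NameID value for a requested format. The profile data, user ids and entity ids are constructed, and the in-memory dictionary stands in for the two data store attributes a persistent identifier is saved in.

```python
# Added example (not OpenSSO code): resolve the NameID value for a requested
# format from the NameID Value Map. Mapped formats take the profile attribute,
# persistent/transient are random (persistent generated once, then kept), and
# an unmapped unspecified format is random as well.
import secrets

NAMEID_FORMAT_11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
NAMEID_FORMAT_20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
PERSISTENT = NAMEID_FORMAT_20 + "persistent"
TRANSIENT = NAMEID_FORMAT_20 + "transient"
UNSPECIFIED = NAMEID_FORMAT_11 + "unspecified"
EMAIL_ADDRESS = NAMEID_FORMAT_11 + "emailAddress"
X509_SUBJECT = NAMEID_FORMAT_11 + "X509SubjectName"


def parse_nameid_value_map(entries):
    """Parse 'NameID Format=User profile attribute' entries into a dict."""
    value_map = {}
    for entry in entries:
        name_id_format, sep, attribute = entry.partition("=")
        if not sep or not name_id_format.strip() or not attribute.strip():
            raise ValueError(f"malformed NameID Value Map entry: {entry!r}")
        value_map[name_id_format.strip()] = attribute.strip()
    return value_map


class NameIDResolver:
    def __init__(self, value_map, random_value=None):
        self.value_map = value_map
        # Injectable so a test can be deterministic; the default is a CSPRNG token.
        self.random_value = random_value or (lambda: secrets.token_urlsafe(16))
        # Stand-in for the data store attributes a persistent NameID is saved in,
        # keyed by (user id, remote provider entity id).
        self.persistent_ids = {}

    def resolve(self, name_id_format, user_id, profile, remote_entity_id):
        """Return the NameID value to place in the Subject for this format."""
        if name_id_format == TRANSIENT:
            # Temporary: a fresh value every time, nothing written to the store.
            return self.random_value()
        if name_id_format == PERSISTENT:
            # Generated randomly once per (user, remote provider), then saved.
            key = (user_id, remote_entity_id)
            if key not in self.persistent_ids:
                self.persistent_ids[key] = self.random_value()
            return self.persistent_ids[key]
        attribute = self.value_map.get(name_id_format)
        if attribute is None:
            if name_id_format == UNSPECIFIED:
                return self.random_value()  # unspecified is optional in the map
            raise ValueError(f"no NameID Value Map entry for {name_id_format}")
        value = profile.get(attribute)
        if not value:
            raise ValueError(f"profile lacks {attribute!r} needed for {name_id_format}")
        return value
```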
This attribute maps the SAMLv2-defined authentication context classes to authentication methods available from the identity provider.
Specifies the implementation of the IDPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper.
Specifies the default authentication context type used by the identity provider if the service provider does not send an authentication context request.
Select the check box next to the authentication context class if the identity provider supports it.
The SAMLv2-defined authentication context classes are:
InternetProtocol
InternetProtocolPassword
Kerberos
MobileOneFactorUnregistered
MobileTwoFactorUnregistered
MobileOneFactorContract
MobileTwoFactorContract
Password
Password-ProtectedTransport
Previous-Session
X509
PGP
SPKI
XMLDSig
Smartcard
Smartcard-PKI
Software-PKI
Telephony
NomadTelephony
PersonalTelephony
AuthenticatedTelephony
SecureRemotePassword
TLSClient
Time-Sync-Token
Unspecified
Choose the OpenSSO Enterprise authentication type to which the context is mapped.
Type the OpenSSO Enterprise authentication option.
Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.
In this framework, each identity provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the Not Before Time Skew value. The default value is 600. It has no relevance to the notAfter value.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
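The validity window these settings produce, as an added example (not OpenSSO code) covering both the identity provider's Not Before Time Skew and Effective Time above and the service provider's notBefore grace period described earlier. It assumes the identity provider sets NotBefore to IssueInstant minus the skew and NotOnOrAfter to IssueInstant plus the effective time; timestamps are constructed.

```python
# Added example (not OpenSSO code): derive an assertion's Conditions window on
# the identity provider side and check it on the service provider side.
# Assumes NotBefore = IssueInstant - Not Before Time Skew and
# NotOnOrAfter = IssueInstant + Effective Time. Timestamps are constructed.
from datetime import datetime, timedelta, timezone


def parse_saml_time(value):
    """Parse a UTC xsd:dateTime such as 2024-05-01T12:00:00Z (fractional
    seconds allowed) into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"expected a UTC xsd:dateTime ending in Z: {value!r}")


def format_saml_time(moment):
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def issue_conditions(issue_instant, not_before_skew=600, effective_time=600):
    """Identity provider side: (NotBefore, NotOnOrAfter) from IssueInstant.
    NotBefore is moved back by the Not Before Time Skew (default 600 s);
    NotOnOrAfter is IssueInstant plus Effective Time (default 600 s)."""
    issued = parse_saml_time(issue_instant)
    return (
        format_saml_time(issued - timedelta(seconds=not_before_skew)),
        format_saml_time(issued + timedelta(seconds=effective_time)),
    )


def check_conditions(now, not_before, not_on_or_after, grace=300):
    """Service provider side: return (accepted, reason).
    The grace period (default 300 s) relaxes NotBefore only; NotOnOrAfter is
    enforced as given, and that instant itself is already outside the window."""
    now_dt = parse_saml_time(now)
    earliest = parse_saml_time(not_before) - timedelta(seconds=grace)
    if now_dt < earliest:
        return False, "assertion not yet valid (outside the notBefore grace period)"
    if now_dt >= parse_saml_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter reached)"
    return True, "ok"
```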
Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
If enabled, this allows the identity provider to cache assertions to be retrieved later.
Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.
Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.
Mappings should be configured in the format:
SAML-attribute=local-attribute
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
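Both sides of the attribute mapping format, as an added example (not OpenSSO code) covering this identity provider attribute map and the service provider attribute map described earlier: the identity provider side builds a saml:AttributeStatement from the local profile using `SAML-attribute=local-attribute` entries, and the service provider side reads one back into profile attributes, dropping anything not listed in its own map. The profile values and the sample statement are constructed; matching by the Attribute Name is an assumption of this example.

```python
# Added example (not OpenSSO code): apply an attribute map in both directions.
# IdP side: profile -> saml:AttributeStatement. SP side: statement -> profile.
# Attributes are matched by their Name; profile values are constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def parse_attribute_map(entries):
    """Parse 'SAML-attribute=local-attribute' entries into a dict."""
    attr_map = {}
    for entry in entries:
        saml_name, sep, local_name = entry.partition("=")
        if not sep or not saml_name.strip() or not local_name.strip():
            raise ValueError(f"malformed attribute map entry: {entry!r}")
        attr_map[saml_name.strip()] = local_name.strip()
    return attr_map


def build_attribute_statement(attr_map, profile):
    """IdP side: one saml:Attribute per mapped name whose local attribute is
    present; a multi-valued local attribute yields several AttributeValues."""
    statement = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for saml_name, local_name in attr_map.items():
        values = profile.get(local_name)
        if values is None:
            continue  # absent local attributes are simply omitted
        if isinstance(values, str):
            values = [values]
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=saml_name)
        for value in values:
            ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(statement, encoding="unicode")


def map_assertion_attributes(attr_map, statement_xml):
    """SP side: return {local attribute: [values]} for the mapped attributes
    in the statement; attributes not listed in the map are ignored."""
    root = ET.fromstring(statement_xml)
    profile = {}
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        local_name = attr_map.get(attribute.get("Name"))
        if local_name is None:
            continue
        values = [v.text or "" for v in attribute.findall(f"{{{SAML_NS}}}AttributeValue")]
        profile.setdefault(local_name, []).extend(values)
    return profile


# Constructed statement as a remote identity provider might send it.
CONSTRUCTED_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="EmailAddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```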
Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultIDPAccountMapper, the default implementation.
These attributes contain configuration specific to the OpenSSO Enterprise instance.
Defines the Authentication URL to which the identity provider will redirect for authentication.
The External Application Logout URL defines the logout URL for an external application. Once the server receives a logout request from the remote partner, a request is sent to the logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and POST parameter if the query parameter appsessionproperty (set to the session property name) is included in the URL.
Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.
The names used in the metaAlias must not contain a /.
Defines the endpoint(s) that support the Artifact Resolution profile. Location specifies the URL of the provider to which the request is sent. Index specifies a unique integer value to the endpoint so that it can be referenced in a protocol message.
The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the identity provider.
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
This service defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All identity providers must support at least one such endpoint.
Location specifies the URL of the provider to which the request is sent. The binding types are:
HTTP Redirect
POST
SOAP
Defines the URL endpoint on Identity Provider that can handle SAE (Secure Attribute Exchange) requests.
Defines the application security configuration. Each application must have one entry. Each entry has the following format:
url=IDPAppURL|type=symmetric or asymmetric|secret=ampassword-encoded shared secret OR pubkeyalias=IdP app signing cert
Defines an implementation class for the session mapper SPI. The mapper finds a valid session from HTTP servlet request on the identity provider with an ECP profile.
XACML PDP contains the following attributes for customization:
Displays the XACML PDP release that is supported by this provider.
urn:liberty:iff:2003-08 refers to Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to Liberty Identity Federation Framework Version 1.1.
Defines the key alias that is used to sign requests and responses.
Defines the key alias used for XACML encryption.
Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
When enabled, this attribute enforces that all queries be signed for the XACML authorization decision.
This attribute defines the type (binding) of the authorization request, and the URL endpoint for receiving the request. By default, the binding type is SOAP.
XACML PEP contains the following attributes for customization:
Displays the XACML PEP release that is supported by this provider.
Defines the key alias that is used to sign requests and responses.
Defines the key alias used for XACML encryption.
Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
When enabled, this attribute enforces that all responses be signed for the XACML authorization decision.
When enabled, this attribute enforces that all assertions are to be encrypted.
SAMLv2 Attribute Authority contains the following attributes for customization:
The length for keys used by the Attribute Authority entity when interacting with another entity.
The encryption algorithm used to interact with another entity.
This attribute defines the URL endpoints that will receive attribute query requests. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the attribute mapping authority to return a list of attributes that will be included in a response. The SAMLv2-defined attribute query profiles are:
Basic
X509
Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the AssertionID mapping authority to return a list of attributes that will be included in a response. The bindings are:
SOAP
URI
Defines the type of SAMLv2-defined supported attribute profile. Basic is the default type.
Defines the certificate alias elements. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Specifies the data store attribute name that contains the X.509 subject DN. It is used to find a user whose attribute value matches the X.509 subject DN. This field is used in the Attribute Query Profile for X.509 subject only.
SAMLv2 Attribute Query contains the following attributes for customization:
Defines the name identifier formats supported by the attribute query provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support three types of identifiers:
An X509SubjectName defines the subject name of the X509 encryption type.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes.
A transient identifier is temporary and no data will be written to the user's persistent data store.
This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
SAMLv2 Authentication Authority contains the following attributes for customization:
The length for keys used by the Attribute Authority entity when interacting with another entity.
The encryption algorithm used to interact with another entity.
This attribute defines the URL to which authentication queries are sent.
Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. The AssertionID request types are:
SOAP
URI
This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.