Select any checkbox to enable signing for the following SAMLv2 service provider requests or responses:

| Attribute | Description |
|---|---|
| Authentication Requests Signed | All authentication requests received by this service provider must be signed. |
| Assertions Signed | All assertions received by this service provider must be signed. |
| POST Response Signed | The identity provider must sign the single sign-on Response element when the POST binding is used. |
| Artifact Response | The identity provider must sign the ArtifactResponse element. |
| Logout Request | The identity provider must sign the LogoutRequest element. |
| Logout Response | The identity provider must sign the LogoutResponse element. |
| Manage Name ID Request | The identity provider must sign the ManageNameIDRequest element. |
| Manage Name ID Response | The identity provider must sign the ManageNameIDResponse element. |
Select any checkbox to enable encryption for the following elements:

| Attribute | Description |
|---|---|
| Attribute | The identity provider must encrypt all AttributeStatement elements. |
| Assertion | The identity provider must encrypt all Assertion elements. |
| NameID | The identity provider must encrypt all NameID elements. |
This attribute defines the certificate alias elements for the service provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
The Name ID format list is an ordered list: the first Name ID format has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID format when initiating single sign-on, the first one in this list that is supported by the remote identity provider is chosen.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.
This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper.
Select the check box next to the authentication context class if the identity provider supports it.
The SAMLv2-defined authentication context classes are:
InternetProtocol
InternetProtocolPassword
Kerberos
MobileOneFactorUnregistered
MobileTwoFactorUnregistered
MobileOneFactorContract
MobileTwoFactorContract
Password
PasswordProtectedTransport
PreviousSession
X509
PGP
SPKI
XMLDSig
Smartcard
SmartcardPKI
SoftwarePKI
Telephony
NomadTelephony
PersonalTelephony
AuthenticatedTelephony
SecureRemotePassword
TLSClient
TimeSyncToken
Unspecified
Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.
In this framework, each service provider is configured with a default authentication context (its preferred method of authentication). However, the provider might want to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3, so it requests that the identity provider authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.
Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:
exact, where the authentication context statement in the assertion must be an exact match of at least one of the authentication contexts specified.
minimum, where the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the authentication contexts specified.
maximum, where the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.
better, where the authentication context statement in the assertion must be stronger than any of the authentication contexts specified.
The default value is exact.
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.
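As an added illustration (not code from OpenSSO Enterprise or its documentation), the following Python shows how a service provider can evaluate the four comparison types against its own context-to-level mapping, and how the notBefore grace period applies while notOnOrAfter gets none. The level mapping, function names and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

AC_PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed sample mapping of authentication context class to the SP's
# authentication level (higher number = more trusted). Hypothetical values.
SP_AUTHN_CONTEXT_LEVELS = {
    AC_PREFIX + "Password": 1,
    AC_PREFIX + "PasswordProtectedTransport": 2,
    AC_PREFIX + "TLSClient": 3,
    AC_PREFIX + "SmartcardPKI": 4,
}


def context_satisfies(comparison, requested, asserted):
    """Return True if the AuthnContextClassRef 'asserted' in the assertion
    meets the 'requested' contexts under the given comparison type.
    Strength is ranked by the SP's configured authentication level."""
    if asserted not in SP_AUTHN_CONTEXT_LEVELS:
        return False  # unknown class cannot be ranked, so reject it
    levels = [SP_AUTHN_CONTEXT_LEVELS[r] for r in requested
              if r in SP_AUTHN_CONTEXT_LEVELS]
    if not levels:
        return False  # nothing usable was requested
    level = SP_AUTHN_CONTEXT_LEVELS[asserted]
    if comparison == "exact":
        return asserted in requested            # must match one exactly
    if comparison == "minimum":
        return level >= min(levels)             # at least as strong as one
    if comparison == "maximum":
        return level <= max(levels)             # no stronger than the strongest
    if comparison == "better":
        return level > max(levels)              # strictly stronger than all
    raise ValueError("unknown comparison type: " + comparison)


def _parse_utc(ts):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_validity(not_before, not_on_or_after, now, grace_seconds=300):
    """Accept the assertion if 'now' is inside [notBefore - grace, notOnOrAfter).
    The grace period (default 300 s, as in the attribute above) only relaxes
    notBefore; notOnOrAfter is enforced without any grace."""
    earliest = _parse_utc(not_before) - timedelta(seconds=grace_seconds)
    return earliest <= _parse_utc(now) < _parse_utc(not_on_or_after)
```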
Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.