Sun ONE Identity Server Administration Guide



Chapter 30       SAML Attributes


The Security Assertion Markup Language (SAML) Attributes are global attributes. The values applied to them are carried across the Sun ONE Identity Server configuration and inherited by every configured organization. (They cannot be applied directly to roles or organizations, because the purpose of global attributes is to customize the Identity Server application itself.)

For more information about the SAML Service architecture, see the Sun ONE Identity Server Programmer's Guide.

The SAML attributes are as follows:


Site ID And Site Issuer Name

This attribute contains a list of entries, with each entry containing an instance ID, site ID, and site issuer name. The default value will be assigned during installation. The format is as follows:

instanceid=serverprotocol://servername:portnumber|siteid=<site_id>|issuerName=<site_issuer_name>


Sign Request

This attribute specifies whether all SAML requests will be digitally signed (XML DSIG) before being delivered. Clicking on this option will enable this feature.


Sign Response

This attribute specifies whether all SAML responses will be digitally signed (XML DSIG) before being delivered. Clicking on this option will enable this feature.

All SAML responses used by the SAML Web Post profile will be digitally signed whether this option is enabled or not enabled.


Sign Assertion

This attribute specifies whether all SAML assertions will be digitally signed (XML DSIG) before being delivered. Clicking on this option will enable this feature.


Artifact Name

This attribute assigns a variable name to a SAML artifact defined in the SAML Service configuration. A SAML artifact is bounded-size data that identifies an assertion and a source site. It is carried as part of a URL query string and conveyed by a redirection to the destination site. The default is SAMLart.


Target Specifier

This attribute assigns a variable name to the destination site URL used in the redirect. The default is Target.


Artifact Timeout (seconds)

This attribute specifies the timeout for an assertion created for an artifact. The default is 120.


Assertion Skew Factor For notBefore Time

This attribute is used to calculate the notBefore time of an assertion. For example, if the IssueInstant is 2002-09-24T21:39:49Z, and the Assertion Skew Factor For notBefore Time value is set to 300 seconds (which is the default value), the notBefore attribute of the Conditions element for the assertion would be 2002-09-24T21:34:49Z.


Assertion Timeout (seconds)

This attribute specifies the number of seconds before a timeout occurs on an assertion. The default is 60.


Trusted Partner Sites

This attribute stores a partner's information so that one site can establish a trusted relationship to communicate with another partner site.

This attribute contains a list of entries, with each entry containing key/value pairs (separated by "|"). The source ID is required for each entry. For example:

SourceID=siteid|SOAPURL=https://servername:portnumber/amserver/SAMLSOAPReceiver|AuthType=SSL|hostlist=ipaddress

The parameters are:

SourceID

The 20-byte sequence defined as part of the SiteId.

target

This parameter names a specific domain, with or without a port number. When a user requests a web page hosted in that domain, target selects the entry whose SAMLUrl or POSTUrl parameter supplies the URL the user is redirected to for further processing.

If there are two entries (one containing a port number and one not containing a port number) that have the same domain specified in the Trusted Partner Sites attribute, the entry with the port number has a higher priority.

For example, if you have the following two trusted partner sites definitions:

target=sun.com|SAMLUrl=http://machine1.sun.com:8080/amserver/SAMLAwareServlet

and

target=sun.com:8080|SAMLUrl=http://machine2.sun.com:80/amserver/SAMLAwareServlet

and are seeking the following page:

http://somemachine.sun.com:8080/index.html

the second definition will be chosen as the SAML service provider because the matching domain and port coexist in the target parameter.

SAMLUrl

Defines the URL that provides the SAML service. The servlet specified in the URL implements the Web-browser SSO with Artifact profile defined in the OASIS-SAML Bindings and Profiles specification.

POSTUrl

Defines the URL that provides the SAML service. The servlet specified in this URL implements the Web-browser SSO with POST profile defined in the OASIS-SAML Bindings and Profiles specification.

issuer

Defines the creator of an assertion generated within Identity Server. The syntax is hostname:port.

SOAPUrl

Specifies the SOAP Receiver service.

AuthType

Defines the authentication type used in SAML. It should be one of the following:

  • NOAUTH

  • BASICAUTH

  • SSL

  • SSLWITHBASICAUTH

This parameter is optional, and if not specified, the default is NOAUTH.

If BASICAUTH or SSLWITHBASICAUTH is specified, the User parameter is required.

User

Defines the uid of the partner which is used to protect the partner's SOAP Receiver.

hostlist

This attribute lists the IP addresses and/or the certAlias for all of the hosts, within the specified partner site, that can send requests to this site. This ensures that the requester is indeed the intended receiver for the SAML artifact.

AccountMapper

Specifies a pluggable class which defines how the subject of an Assertion is related to an identity at the destination site. By default, it is: com.sun.identity.saml.plugins.DefaultAccountMapper

attributeMapper

Specifies the class with the path to where the attributeMapper is located. Applications can develop an attributeMapper to obtain either an SSOToken ID or an assertion containing AuthenticationStatement from the query. The mapper is then used to retrieve the attributes for the subject. If no attributeMapper is specified, DefaultAttributeMapper will be used.

actionMapper

Specifies the class with the path to where the actionMapper is located. Applications can develop an actionMapper to obtain either an SSOToken ID or an assertion containing AuthenticationStatement from the query. The mapper is then used to retrieve the authorization decisions for the actions defined in the query. If no actionMapper is specified, DefaultActionMapper will be used.

siteAttributeMapper

Specifies the class with the path where the siteAttributeMapper is located. Applications can develop a siteAttributeMapper to obtain attributes to be included in the assertion during SSO. If no siteAttributeMapper is found, then no attributes will be included in the assertion during SSO.

certAlias=<aliasName>

Specifies a certAlias name used for verifying the signature in an assertion, when the assertion is signed by a partner and the certificate of the partner can not be found in the KeyInfo portion of the signed assertion.
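As an added example (not code from Identity Server), the following Python parses Trusted Partner Sites entries, enforces the SourceID and AuthType/User rules stated above, and applies the target-matching rule from the target parameter: the entry whose port also matches wins over the port-less entry for the same domain. The default ports used for port-less requests (80 for http, 443 for https) are an assumption of this example.

```python
from typing import Optional
from urllib.parse import urlparse

# Entry syntax taken from the guide: key=value pairs separated by "|".
def parse_entry(entry: str) -> dict:
    """Split one Trusted Partner Sites entry into its key/value pairs."""
    pairs = {}
    for field in entry.split("|"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field (no '='): {field!r}")
        pairs[key.strip()] = value.strip()
    return pairs

def validate_entry(p: dict) -> None:
    """Rules stated in the guide: SourceID is required; AuthType defaults to
    NOAUTH; BASICAUTH and SSLWITHBASICAUTH require the User parameter."""
    if "SourceID" not in p:
        raise ValueError("SourceID is required in every entry")
    auth = p.get("AuthType", "NOAUTH")
    if auth not in ("NOAUTH", "BASICAUTH", "SSL", "SSLWITHBASICAUTH"):
        raise ValueError(f"unknown AuthType {auth!r}")
    if auth in ("BASICAUTH", "SSLWITHBASICAUTH") and "User" not in p:
        raise ValueError(f"AuthType {auth} requires the User parameter")

def select_partner(entries: list, requested_url: str) -> Optional[dict]:
    """Pick the entry whose target covers the requested page. A target is a
    domain with or without a port; an entry whose port also matches takes
    priority over a port-less entry for the same domain."""
    u = urlparse(requested_url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)  # assumed defaults
    best, best_score = None, 0
    for p in entries:
        domain, _, tport = p.get("target", "").lower().partition(":")
        if not domain or not (host == domain or host.endswith("." + domain)):
            continue
        if tport and int(tport) != port:
            continue                      # same domain, different port
        score = 2 if tport else 1         # explicit matching port wins
        if score > best_score:
            best, best_score = p, score
    return best
```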

The following table lists an example configuration for trusted partner sites. Not all of the parameters are necessary for all use cases, so the optional parameters are contained in brackets.

              Sender      Receiver
artifact      sourceid    sourceid, target, SOAPUrl, SAMLUrl, [accountMapper], hostlist, [AuthType], [siteAttributeMapper], [User], [certAlias]
POST profile  sourceid    sourceid, target, issuer, POSTUrl, [accountMapper], [siteAttributeMapper], [certAlias]
SOAP Request  sourceid    hostlist, [attributeMapper], [actionMapper], [certAlias], [issuer]


POST To Target URLs

If the target URL received through SSO (either artifact profile or POST profile) by the site is listed in this attribute, the assertion or assertions received from SSO will be sent to the target URL by an HTTP FORM POST.


Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 04, 2002