SAML Service Attributes

The following sections describe the attributes for the SAML service. The attributes are:

• Target Specifier

• Site Identifiers

• Trusted Partners

• Target URLs

• Assertion Timeout

• Assertion Skew Factor for notBefore Time

• Artifact Timeout

• SAML Artifact Name

• Sign SAML Assertion

• Sign SAML Request

• Sign SAML Response

Target Specifier

This attribute assigns a name to the destination site URL used in SAML redirects. The default is TARGET. Only sites configured in the Trusted Partners attribute can be specified as a TARGET.

Site Identifiers

This attribute defines any site hosted by the server on which Federation Manager is installed. A default value and an automatically generated Site ID are defined for the host itself during installation (with values retrieved from AMConfig.properties). Multiple entries are possible. For example, load balancing or multiple instances of Federation Manager sharing the same Directory Server would all need to be defined. To configure a new Site Identifier, click New and see To Configure a Site Identifier.

To Configure a Site Identifier

This attribute defines any site hosted by the server on which Federation Manager is installed. A default value and an automatically generated Site ID are defined for the host during installation (with values retrieved from AMConfig.properties). Multiple entries are possible. For example, load balancing or multiple instances of Federation Manager sharing the same Directory Server would all need to be defined. The starting point is the Site Identifiers attribute on the SAML screen under Federation.

1. In the Federation Manager Console, click the SAML tab.

2. Under Site Identifiers, click New to add a new site identifier or click on the name of a configured site identifier to modify its profile.

   The Site Identifier attributes are displayed.

3. Provide values for the Site Identifier attributes based on the following information:

   Name

   The value of this property is protocol://host:port.

   If configuring SAML for SSL (in both the source and destination site), ensure that the protocol defined here is https//.

   Site ID

   The site ID is an identifier generated for each site (although the value will be the same for multiple servers behind a load balancer). There is a class in the com.sun.identity.saml.common package that can be used to generate this identifier manually, if needed. Type the following at the command line:

   % java -classpath FederationManager-base/SUNWam/fm/web-src/WEB-INF/lib/am_services.jar com.sun.identity.saml.common.SAMLSiteID protocol://host:port

   Issuer Name

   The default value of this property is host:port, but it could be a URI.

4. Click OK to complete the Site Identifier configuration.

5. Click Save on the SAML Profile page to complete the SAML configuration.

Trusted Partners

This attribute defines any trusted partner (remote to the server on which Federation Manager is installed) that will be communicating with Federation Manager.

---

Note –

The trusted partner site must have a prearranged trust relationship with one or more of the sites configured in the Site Identifiers attribute.

---

To configure a new Trusted Partner, click New and see Trusted Partners: Selecting Partner Type and Profile.

Trusted Partners: Selecting Partner Type and Profile

This attribute defines any trusted partner (remote to the server on which Federation Manager is installed) that will be communicating with Federation Manager.

---

Note –

The trusted partner site must have a prearranged trust relationship with one or more of the sites configured in the Site Identifiers property.

---

The first step in configuring a trusted partner is to determine the partner's role in the trust relationship. A trusted partner can be a source site (one that generates a single sign-on assertion) or a destination site (one that consumes a single sign-on assertion). For example, if the partner is the source site, this attribute is configured based on how it will send assertions. If the partner is the destination site, this attribute is configured based on the profile in which it will be receiving assertions. Following is the first part of the procedure for configuring a trusted partner. The starting point is the SAML configuration screen of the Federation module.

---

Note –

To edit or duplicate the attributes of a trusted partner profile, click the appropriate button in the Actions column next to the configured trusted partner name.

---

1. In the Federation Manager Console, click the SAML tab.

2. Under Trusted Partners, click New.

   The Trusted Partner profile page is displayed.

   ---

   Note –

   Click Edit to change the role of the partner site if you are modifying an existing trusted partner.

   ---

3. Select the role (Destination or Source) of the partner site you are configuring by checking the appropriate profile(s) used to communicate with it.

   You may choose Web Browser Artifact Profile or Web Browser Post Profile for either Destination, Source or both, or SOAP Query for Destination only. The choices made dictate which of the attributes in the following steps need to be configured.

4. Click Next.

5. To complete the configuration, see Trusted Partners: Configuring Trusted Partner Attributes.

Trusted Partners: Configuring Trusted Partner Attributes

Following is the second part of the procedure for configuring a trusted partner. The starting point is Trusted Partners: Selecting Partner Type and Profile. Based on the role(s) selected in the first part, any of the sub-attributes listed in the following sections may need to be defined for the Trusted Partner.

---

Note –

If you reached this page by clicking Edit or Duplicate on the SAML configuration screen under Federation, modify the trusted partner profile based on the steps below and click Save to change the values. Click Save on the SAML Profile page to complete the modification.

---

1. Type in values for the Common Settings subattributes.

   Source ID

   This is a 20 byte sequence (encoded using the Base64 format) that comes from the partner site. It is generally the same value as that used for the Site ID attribute when configuring the Site Identifiers attribute.

   Target

   This is the domain of the partner site (with or without a port number). If you want to contact a web page that is hosted in this domain, the redirect URL is picked up from the values defined in .

   ---

   Note –

   If there are two defined entries for the same domain (one containing a port number and one without a port number), the entry with the port number takes precedence. For example, assume the following two trusted partner definitions: target=sun.com and target=sun.com:8080. If the principal is seeking http://machine.sun.com:8080/index.html, the second definition will be chosen.

   ---

   Site Attribute Mapper

   The class is used to return a list of attribute values defined as AttributeStatements elements in an Authentication Assertion. A site attribute mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerSiteAttributeMapper interface.

   If no class is defined, no attributes will be included in the assertion.

   Version

   The SAML version used (1.0 or 1.1) to send SAML requests. If this parameter has no value, the following default values (defined in AMConfig.properties) are used:

   • com.example.identity.saml.assertion.version=1.1

   • com.example.identity.saml.protocol.version=1.1

   Account Mapper

   The class that defines how the subject of an assertion is related to an identity at the destination site. An account mapper needs to be implemented from the com.sun.identity.saml.plugins.PartnerAccountMapper interface. If no class is specified, a default account mapper implementation will be used. This default implementation assumes that two sites have the same directory structure. For example, the root suffix, and user IDs are the same.

   Certificate

   A certificate alias that is used to verify the signature in an assertion when it is signed by the partner and the certificate cannot be found in the KeyInfo portion of the signed assertion.

   Host List

   A list of the IP addresses, the DNS host name, or the alias of the client authentication certificate used by the partner. This is configured for all hosts within the partner site that can send requests to this authority. This list helps to ensure that the requestor is indeed the intended receiver of the artifact. If the requester is defined in this list, the interaction will continue. If the requester’s information does not match any hosts defined in the host list, the request will be rejected.

   Issuer

   The creator of a generated assertion. The default syntax is hostname:port.

2. Type in values for the Destination subattributes.

   Artifact: SAML URL

   The URL that points to the servlet that implements the Web Browser Artifact Profile.

   Post: Post URL

   The URL that points to the servlet that implements the Web Browser POST Profile.

   SOAP Query: Attribute Mapper

   The class that is used to obtain single sign-on information from a query. You need to implement an attribute mapper from the included interface. If no class is specified, the DefaultAttributeMapper will be used.

   SOAP Query: Action Mapper

   The class that is used to get single sign-on information and map partner actions to authorization decisions. You need to implement an action mapper from the included interface. If no class is specified, the DefaultActionMapper will be used.

3. Type in values for the Source subattributes.

   Artifact: SOAP URL

   The URL to the SAML SOAP Receiver.

   Authentication Type

   Authentication types that can be used with SAML:

   • NOAUTH

   • BASICAUTH

   • SSL

   • SSLWITHBASICAUTH

   This attribute is optional. If not specified, the default is NOAUTH. If BASICAUTH or SSLWITHBASICAUTH is specified, the Trusted Partners attribute is required and should be HTTPS.

   User

   When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the user identifier of the partner being used to protect the partner’s SOAP receiver.

   User's Password

   When BASICAUTH is chosen as the Authentication Type, the value of this attribute defines the password for the user identifier of the partner being used to protect the partner’s SOAP receiver.

   User's Password (reenter)

   Reenter the password defined previously.

4. Click Finish.

5. Click Save on the SAML Profile page to complete the configuration.

Target URLs

If the TARGET URL received via either profile is listed as a value of this attribute, the received assertion(s) will be sent to the TARGET URL via an HTTP FORM POST.

---

Note –

To edit or duplicate the attributes of a trusted partner profile, click the appropriate button in the Actions column next to the configured trusted partner name.

---

To Configure a Target URL

If the TARGET URL received via either SAML profile is listed as a value of this attribute, the assertion(s) received will be sent to the TARGET URL via an HTTP FORM POST. The following subattributes can be defined (or modified) for each URL which will receive assertions via POST.

1. In the Federation Manager Console, click the SAML tab.

2. Under Target URLs, click New to add a new target URL or Edit to modify an existing one.

   The Add New Post to Target URL page is displayed.

3. Type values for the attributes.

   Protocol

   Choose either http or https.

   Server Name

   The name of the server on which the TARGET URL resides, such as www.sun.com.

   Port

   This attribute contains the port number such as 58080.

   Path

   This attribute contains the URI such as /amserver/console.

4. Click OK to complete the Target URL configuration.

5. Click Save on the SAML Profile page to complete the SAML configuration.

Assertion Timeout

This attribute specifies the number of seconds before a timeout occurs on an assertion. The default is 420.

Assertion Skew Factor for notBefore Time

This attribute is used to calculate the notBefore time of an assertion. For example, if IssueInstant is 2002-09024T21:39:49Z, and Assertion Skew Factor For notBefore Time is set to 300 seconds (180 is the default value), the notBefore attribute of the conditions element for the assertion would be 2002-09-24T21:34:49Z.

---

Note –

The total valid duration of an assertion is defined by the values set in both the Assertion Timeout and Assertion Skew Factor For notBefore Time attributes.

---

Artifact Timeout

This attribute specifies the period of time an assertion that is created for an artifact will be valid. The default is 400.

SAML Artifact Name

This attribute assigns a variable name to a SAML artifact. The artifact is bounded-size data that identifies an assertion and a source site. It is carried as part of a URL query string and conveyed by redirection to the destination site. The default name is SAMLart. Using the default SAMLart, the redirect query string could be http://host:port/deploy-URI/SamlAwareServlet?TARGET=target-URL/&SAMLart=artifact123.

Sign SAML Assertion

This attribute specifies whether all SAML assertions will be digitally signed (XML DSIG) before being delivered. Selecting the check box enables this feature.

Sign SAML Request

This attribute specifies whether all SAML requests will be digitally signed (XML DSIG) before being delivered. Selecting the check box enables this feature.

Sign SAML Response

This attribute specifies whether all SAML responses will be digitally signed (XML DSIG) before being delivered. Selecting the check box enables this feature.

---

Note –

All SAML responses used by the Web Browser POST Profile will be digitally signed whether this option is enabled or not enabled.

---