Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Identity Provider Extended Metadata Properties

The identity provider extended metadata properties are defined in the following table.

hosted

Specifies whether the entity is hosted on, or remote to, the server to which this metadata is being applied. A value of 0 or false specifies that the entity is remote. A value of 1 or true specifies that the entity is hosted.

entityID

Specifies the EntityID of the provider you are configuring. The value of EntityID for your local provider is the unique uniform resource identifier (URI) you decide to use to identify yourself to other providers. You will get a remote provider's EntityID from the metadata they give to you.


Note –

This EntityID is different from the entities configured using the console in Access Manager and Federation Manager. It is specific to SAML v2 interactions.


metaAlias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name (dependent on whether the SAML v2 Plug-in for Federation Services is installed in Access Manager or Federation Manager) coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


Caution –

The names used in the metaAlias must not contain a /.


signingCertAlias

Specifies the provider certificate alias used to find the correct signing certificate in the keystore. 

encryptionCertAlias

Specifies the provider certificate alias used to find the correct encryption certificate in the keystore. 

basicAuthOn

Basic authentication can be turned on to protect SOAP endpoints. This property takes a value of true or false. Any provider accessing these endpoints must have the user and password defined in the following two properties: basicAuthUser and basicAuthPassword.

basicAuthUser

The user associated with the basic authentication. 

basicAuthPassword

The password associated with the basic authentication. 

autofedEnabled

Enables auto-federation which automatically federates a user's disparate provider accounts based on a common attribute. This property takes a value of true or false.

autofedAttribute

Specifies the attribute used to match a user's disparate provider accounts when auto-federation is enabled. 

assertionEffectiveTime

Specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

idpAuthncontextMapper

Specifies the name of the implementation class for the IDPAuthnContextMapper interface. This class sets the authentication context in the assertion. The default value is com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper, the default implementation.

idpAuthncontextClassrefMapping

Sets the mappings between the requested authentication context class and the actual authentication mechanism. The value of this attribute is in the format of: 

authnContextClassRef | authnType=authnValue | authnType=authnValue | ...

where authnContextClassRef is the authentication context class reference, authnType is the module, level, or service, and authnValue is the module name, authentication level, or service name.

idpAccountMapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultIDPAccountMapper, the default implementation.

idpAttributeMapper

Specifies the implementation of the AttributeMapper interface used to map a remote user account attribute to a local user account attribute for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper, the default implementation.

attributeMap

Specifies the mapping of attributes between providers. The value of this attribute is in the format: 

SAML v2-attribute=user-attribute

where SAML v2-attribute is the attribute name that goes over the wire and user-attribute is the attribute name it will map to once it arrives.


Note –

If auto-federation is enabled, the value of SAML v2-attribute is equal to the value of autofedAttribute.


wantNameIDEncrypted

Takes a value of true or false. If true, the service provider must encrypt all NameID elements.

wantArtifactResolveSigned

Takes a value of true or false. If true, the service provider must sign the ArtifactResolve element.

wantLogoutRequestSigned

Takes a value of true or false. If true, the identity provider must sign the LogoutRequest element.

wantLogoutResponseSigned

Takes a value of true or false. If true, the identity provider must sign the LogoutResponse element.

wantMNIRequestSigned

Takes a value of true or false. If true, the identity provider must sign the ManageNameIDRequest element.

wantMNIResponseSigned

Takes a value of true or false. If true, the identity provider must sign the ManageNameIDResponse element.

cotlist

Specifies the name of the circle(s) of trust to which this provider belongs. As one provider may be in a number of circles, this attribute might have multiple values.
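
The following checker is an added example and is not part of this guide or of the SAML v2 Plug-in code. It parses the value formats given above for metaAlias, idpAuthncontextClassrefMapping and attributeMap, and cross-checks the properties that depend on one another: basicAuthOn against basicAuthUser and basicAuthPassword, and autofedEnabled and autofedAttribute against the note under attributeMap. The property names and formats come from this table; the sample property set, the treatment of a one-name metaAlias such as /idp as belonging to the root realm, and the function names are assumptions.

```python
"""Checker for the identity provider extended-metadata properties described on this page.
Added example, not code from the SAML v2 Plug-in for Federation Services; the property names
and value formats follow the page, while the sample property set and the root-realm rule for a
one-name metaAlias are assumptions."""
AUTHN_TYPES = {"module", "level", "service"}  # authnType tokens named on the page


def parse_bool(value: str) -> bool:
    """0/false -> False (remote), 1/true -> True (hosted); any other spelling is rejected."""
    v = value.strip().lower()
    if v not in ("0", "1", "true", "false"):
        raise ValueError(f"not a boolean flag: {value!r}")
    return v in ("1", "true")


def parse_meta_alias(value: str) -> tuple[str, str]:
    """Split '/realm/provider' into (realm, provider); no name component may be empty."""
    if not value.startswith("/"):
        raise ValueError(f"metaAlias must start with '/', got {value!r}")
    segments = value[1:].split("/")
    if any(not s for s in segments):
        raise ValueError(f"metaAlias has an empty name component: {value!r}")
    # Assumption: a single-name alias such as '/idp' belongs to the root realm '/'.
    return "/".join(segments[:-1]) or "/", segments[-1]


def parse_classref_mapping(value: str) -> tuple[str, tuple[tuple[str, str], ...]]:
    """Parse 'authnContextClassRef | authnType=authnValue | ...' into (classRef, conditions)."""
    fields = [f.strip() for f in value.split("|")]
    if not fields[0]:
        raise ValueError("mapping is missing the authnContextClassRef")
    conditions = []
    for field in fields[1:]:
        authn_type, sep, authn_value = (p.strip() for p in field.partition("="))
        if not sep or not authn_type or not authn_value:
            raise ValueError(f"expected authnType=authnValue, got {field!r}")
        if authn_type not in AUTHN_TYPES:
            raise ValueError(f"authnType must be module, level or service, got {authn_type!r}")
        conditions.append((authn_type, authn_value))
    return fields[0], tuple(conditions)


def parse_attribute_map(value: str) -> tuple[str, str]:
    """Parse 'SAML v2-attribute=user-attribute' into (wire_name, local_name)."""
    wire, sep, local = (p.strip() for p in value.partition("="))
    if not sep or not wire or not local:
        raise ValueError(f"entry must be SAML-attribute=user-attribute, got {value!r}")
    return wire, local


def check_idp_extended(props: dict[str, list[str]]) -> list[str]:
    """Cross-check one provider's properties; returns the problems found (empty = consistent)."""
    problems: list[str] = []

    def first(key: str) -> str:  # first value of a (possibly multi-valued) property
        return props.get(key, [""])[0].strip()

    def flag(key: str) -> bool:  # absent means false; a misspelt value is reported, not crashed on
        try:
            return bool(first(key)) and parse_bool(first(key))
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            return False

    for key in ("hosted", "entityID", "cotlist"):
        if not first(key):
            problems.append(f"{key}: must be set")
    if flag("hosted"):  # only a hosted provider carries a local metaAlias
        try:
            parse_meta_alias(first("metaAlias"))
        except ValueError as exc:
            problems.append(f"metaAlias: {exc}")
    if flag("basicAuthOn") and not (first("basicAuthUser") and first("basicAuthPassword")):
        problems.append("basicAuthOn: basicAuthUser and basicAuthPassword must both be set")
    wire_names = set()
    for entry in props.get("attributeMap", []):
        try:
            wire_names.add(parse_attribute_map(entry)[0])
        except ValueError as exc:
            problems.append(f"attributeMap: {exc}")
    if flag("autofedEnabled"):  # page note: a SAML v2-attribute must equal autofedAttribute
        attr = first("autofedAttribute")
        if not attr:
            problems.append("autofedAttribute: required when autofedEnabled is true")
        elif attr not in wire_names:
            problems.append(f"autofedAttribute: no attributeMap entry uses {attr!r} on the wire")
    for entry in props.get("idpAuthncontextClassrefMapping", []):
        try:
            parse_classref_mapping(entry)
        except ValueError as exc:
            problems.append(f"idpAuthncontextClassrefMapping: {exc}")
    return problems


SAMPLE_PROPS = {  # constructed sample; every value is illustrative, not from a real deployment
    "hosted": ["1"], "entityID": ["https://idp.example.test/saml2"], "cotlist": ["travelcot"],
    "metaAlias": ["/suncorp/travelprovider"],
    "basicAuthOn": ["true"], "basicAuthUser": ["spclient"], "basicAuthPassword": ["example-only"],
    "autofedEnabled": ["true"], "autofedAttribute": ["mail"], "attributeMap": ["mail=mail", "displayName=cn"],
    "idpAuthncontextClassrefMapping": [
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | module=LDAP | level=1"],
}
```

Running check_idp_extended over a property set before the metadata is loaded catches the mistakes this table makes easy: a misspelt boolean, a metaAlias with an empty name component, a basicAuthOn without credentials, and an autofedAttribute that no attributeMap entry carries on the wire, which would leave auto-federation with nothing to match accounts on.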