| |
Servers: Configuration: Federation Services: SAML 2.0 Service Provider
Configuration Options Related Tasks Related Topics
This page configures the SAML 2.0 per server service provider properties
If you are configuring SAML 2.0 Service Provider services for web single sign-on, after you complete the configuration settings on this page, return to the SAML 2.0 General page and click Publish Meta Data.
Configuration Options
Name Description Enabled Specifies whether the local site is enabled for the Service Provider role.
This attribute must be enabled in order to publish the metadata file.
MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderEnabledAlways Sign Authentication Requests Specifies whether authentication requests must be signed. If set, all outgoing authentication requests are signed.
MBean Attribute:
SingleSignOnServicesMBean.SignAuthnRequestsForce Authentication Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. The default is
false.Note the following:
Setting
ForceAuthntotrue-- that is, enabling Force Authentication -- has no effect in WebLogic Server. SAML logout is not supported in WebLogic Server, so even if the user is already authenticated at the Identity Provider site andForceAuthnis set totrue, the user is not forced to authenticate again at the Identity Provider site.Setting both
ForceAuthnandIsPassivetotrue-- that is, Force Authentication and Passive are enabled -- is an invalid configuration that causes WebLogic server to generate an exception and also causes the single sign-on session to fail.MBean Attribute:
SingleSignOnServicesMBean.ForceAuthnPassive Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. The default setting is
false.The WebLogic Server SAML 2.0 services generate an exception if Passive (
IsPassive) is enabled and the end user is not already authenticated at the Identity Provider site. In this situation, web single sign-on fails.MBean Attribute:
SingleSignOnServicesMBean.PassiveOnly Accept Signed Assertions Specifies whether incoming SAML 2.0 assertions must be signed.
MBean Attribute:
SingleSignOnServicesMBean.WantAssertionsSignedAuthentication Request Cache Size The maximum size of the authentication request cache.
This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider.
Specify '0' to indicate that the cache is unbounded.
MBean Attribute:
SingleSignOnServicesMBean.AuthnRequestMaxCacheSizeAuthentication Request Cache Timeout The maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache.
This cache stores documents issued by the local Service provider that are awaiting response from a partner Identity Provider. Documents that reach this maximum timeout duration are expired from the local cache even if no response is received from the Identity Provider. If a response is subsequently returned by the Identity Provider, the cache behaves as if the <AuthnRequest> had never been generated.
MBean Attribute:
SingleSignOnServicesMBean.AuthnRequestTimeoutPOST One Use Check Enabled Specifies whether the POST one-use check is enabled.
If set, the local site POST binding endpoints will store identifiers of all inbound documents to ensure that those documents are not presented more than once.
MBean Attribute:
SingleSignOnServicesMBean.POSTOneUseCheckEnabledPOST Binding Enabled Specifies whether the POST binding is enabled for the Service Provider.
MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderPOSTBindingEnabledArtifact Binding Enabled Specifies whether the Artifact binding is enabled for the Service Provider.
MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderArtifactBindingEnabledPreferred Binding Specifies the preferred binding type for endpoints of Service Provider services. Must be set to "None", "POST", or "Artifact".
MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderPreferredBindingDefault URL The Service Provider's default URL.
When an unsolicited SSO response arrives at the Service Provider without an accompanying target URL, the user (if authenticated) is redirected to this default URL.
MBean Attribute:
SingleSignOnServicesMBean.DefaultURL
|
