Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Servers: Configuration: Federation Services: SAML 2.0 Service Provider

Configuration Options     Related Tasks     Related Topics

This page configures the SAML 2.0 per server service provider properties

If you are configuring SAML 2.0 Service Provider services for web single sign-on, after you complete the configuration settings on this page, return to the SAML 2.0 General page and click Publish Meta Data.

Configuration Options

Name Description
Enabled

Specifies whether the local site is enabled for the Service Provider role.

This attribute must be enabled in order to publish the metadata file.

MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderEnabled

Always Sign Authentication Requests

Specifies whether authentication requests must be signed. If set, all outgoing authentication requests are signed.

MBean Attribute:
SingleSignOnServicesMBean.SignAuthnRequests

Force Authentication

Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. The default is false.

Note the following:

  1. Setting ForceAuthn to true -- that is, enabling Force Authentication -- has no effect in WebLogic Server. SAML logout is not supported in WebLogic Server, so even if the user is already authenticated at the Identity Provider site and ForceAuthn is set to true, the user is not forced to authenticate again at the Identity Provider site.

  2. Setting both ForceAuthn and IsPassive to true -- that is, Force Authentication and Passive are enabled -- is an invalid configuration that causes WebLogic server to generate an exception and also causes the single sign-on session to fail.

MBean Attribute:
SingleSignOnServicesMBean.ForceAuthn

Passive

Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. The default setting is false.

The WebLogic Server SAML 2.0 services generate an exception if Passive (IsPassive) is enabled and the end user is not already authenticated at the Identity Provider site. In this situation, web single sign-on fails.

MBean Attribute:
SingleSignOnServicesMBean.Passive

Only Accept Signed Assertions

Specifies whether incoming SAML 2.0 assertions must be signed.

MBean Attribute:
SingleSignOnServicesMBean.WantAssertionsSigned

Authentication Request Cache Size

The maximum size of the authentication request cache.

This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider.

Specify '0' to indicate that the cache is unbounded.

MBean Attribute:
SingleSignOnServicesMBean.AuthnRequestMaxCacheSize

Authentication Request Cache Timeout

The maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache.

This cache stores documents issued by the local Service provider that are awaiting response from a partner Identity Provider. Documents that reach this maximum timeout duration are expired from the local cache even if no response is received from the Identity Provider. If a response is subsequently returned by the Identity Provider, the cache behaves as if the <AuthnRequest> had never been generated.

MBean Attribute:
SingleSignOnServicesMBean.AuthnRequestTimeout

POST One Use Check Enabled

Specifies whether the POST one-use check is enabled.

If set, the local site POST binding endpoints will store identifiers of all inbound documents to ensure that those documents are not presented more than once.

MBean Attribute:
SingleSignOnServicesMBean.POSTOneUseCheckEnabled

POST Binding Enabled

Specifies whether the POST binding is enabled for the Service Provider.

MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderPOSTBindingEnabled

Artifact Binding Enabled

Specifies whether the Artifact binding is enabled for the Service Provider.

MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderArtifactBindingEnabled

Preferred Binding

Specifies the preferred binding type for endpoints of Service Provider services. Must be set to "None", "POST", or "Artifact".

MBean Attribute:
SingleSignOnServicesMBean.ServiceProviderPreferredBinding

Default URL

The Service Provider's default URL.

When an unsolicited SSO response arrives at the Service Provider without an accompanying target URL, the user (if authenticated) is redirected to this default URL.

MBean Attribute:
SingleSignOnServicesMBean.DefaultURL

Related Tasks

Related Topics


Back to Top