Servers: Configuration: Federation Services: SAML 2.0 General
This page configures the general SAML 2.0 per-server properties.
If you are configuring SAML 2.0 services for web single sign-on, note the following:
- Click Publish Meta Data only after you have configured the SAML 2.0 Identity Provider or Service Provider services.
- If this SAML Authority site is configured to serve in the role of Identity Provider with some partners, and Service Provider with other partners, you should maintain a single version of this metadata file. This helps prevent messages from being rejected due to incompatible single sign-on settings.
- If you are configuring SAML 2.0 services on two or more server instances in a domain, you must configure the RDBMS security store.
Configuration Options

Replicated Cache Enabled
Specifies whether the persistent cache (LDAP or RDBMS) is used for storing SAML 2.0 artifacts and authentication requests.
RDBMS is required by the SAML 2.0 security providers in production environments. Use LDAP only in development environments.
If this is not set, artifacts and requests are saved in memory.
If you are configuring SAML 2.0 services for two or more WebLogic Server instances in a domain, you must enable the replicated cache individually on each server. In addition, if you are configuring SAML 2.0 services in a cluster, each Managed Server must also be configured individually.
MBean Attribute: SingleSignOnServicesMBean.ReplicatedCacheEnabled
Changes take effect after you redeploy the module or restart the server.

Contact Person Given Name
The contact person's given (first) name.
MBean Attribute: SingleSignOnServicesMBean.ContactPersonGivenName

Contact Person Surname
The contact person's surname (last name).
MBean Attribute: SingleSignOnServicesMBean.ContactPersonSurName

Contact Person Type
The contact person type.
MBean Attribute: SingleSignOnServicesMBean.ContactPersonType

Contact Person Company
The contact person's company name.
MBean Attribute: SingleSignOnServicesMBean.ContactPersonCompany

Contact Person Telephone Number
The contact person's telephone number.
MBean Attribute: SingleSignOnServicesMBean.ContactPersonTelephoneNumber

Contact Person Email Address
The contact person's e-mail address.
MBean Attribute: SingleSignOnServicesMBean.ContactPersonEmailAddress

Organization Name
The organization name.
This string specifies the name of the organization to which a user may refer for obtaining additional information about the local site.
MBean Attribute: SingleSignOnServicesMBean.OrganizationName

Organization URL
The organization URL.
This string specifies a location to which a user may refer for information about the local site. This string is not used by SAML 2.0 services for the actual handling or processing of messages.
MBean Attribute: SingleSignOnServicesMBean.OrganizationURL

Published Site URL
The published site URL.
When publishing SAML 2.0 metadata, this URL is used as a base URL to construct endpoint URLs for the various SAML 2.0 services. The published site URL is also used during request processing to generate and/or parse various URLs.
The hostname and port portion of the URL should be the hostname and port at which the server is visible externally; this may not be the same as the hostname and port by which the server is known locally. If you are configuring SAML 2.0 services in a cluster, the hostname and port may correspond to the load balancer or proxy server that distributes client requests to servers in the cluster.
The remainder of the URL should be a single path component corresponding to the application context at which the SAML 2.0 services application is deployed (typically /saml2).
MBean Attribute: SingleSignOnServicesMBean.PublishedSiteURL

Entity ID
The string that uniquely identifies the local site.
MBean Attribute: SingleSignOnServicesMBean.EntityID

Recipient Check Enabled
Specifies whether the recipient/destination check is enabled. When true, the recipient of the SAML Request/Response must match the URL in the HTTP Request.
MBean Attribute: SingleSignOnServicesMBean.RecipientCheckEnabled

Transport Layer Client Authentication Enabled
Specifies whether TLS/SSL client authentication is required.
If enabled, callers to TLS/SSL bindings of the local site must specify client authentication (two-way SSL), and the identity specified must validate against the TLS certificate of the binding client partner.
MBean Attribute: SingleSignOnServicesMBean.WantTransportLayerSecurityClientAuthentication

Transport Layer Security Key Alias
The string alias used to store and retrieve the server's private key, which is used to establish outgoing TLS/SSL connections.
If you do not specify an alias, the server's configured SSL private key alias from the server's SSL configuration is used as the TLS alias by default.
MBean Attribute: SingleSignOnServicesMBean.TransportLayerSecurityKeyAlias

Transport Layer Security Key Passphrase
The passphrase used to retrieve the server's private key from the keystore.
If you do not specify either an alias or a passphrase, the server's configured SSL private key alias and private key passphrase from the server's SSL configuration are used as the TLS alias and passphrase by default.
MBean Attribute: SingleSignOnServicesMBean.TransportLayerSecurityKeyPassPhrase

Basic Client Authentication Enabled
Specifies whether Basic Authentication client authentication is required.
If enabled, callers to HTTPS bindings of the local site must specify a Basic authentication header, and the username and password must be validated against the Basic authentication values of the binding client partner.
MBean Attribute: SingleSignOnServicesMBean.WantBasicAuthClientAuthentication

Basic Authentication User Name
The username that is used to assign Basic authentication credentials to outgoing HTTPS connections.
MBean Attribute: SingleSignOnServicesMBean.BasicAuthUsername

Basic Authentication Password
The password used to assign Basic Authentication credentials to outgoing HTTPS connections.
MBean Attribute: SingleSignOnServicesMBean.BasicAuthPassword

Only Accept Signed Artifact Requests
Specifies whether incoming artifact requests must be signed.
This attribute can be set if the Artifact binding is enabled.
MBean Attribute: SingleSignOnServicesMBean.WantArtifactRequestsSigned

Artifact Cache Size
The maximum size of the artifact cache.
This cache contains the artifacts issued by the local site that are awaiting referencing by a partner. Specify '0' to indicate that the cache is unbounded.
MBean Attribute: SingleSignOnServicesMBean.ArtifactMaxCacheSize

Artifact Cache Timeout
The maximum timeout (in seconds) of artifacts stored in the local cache.
This cache stores artifacts issued by the local site that are awaiting referencing by a partner. Artifacts that reach this maximum timeout duration are expired in the local cache even if no reference request has been received from the partner. If a reference request is subsequently received from the partner, the cache behaves as if the artifact had never been generated.
MBean Attribute: SingleSignOnServicesMBean.ArtifactTimeout

Single Sign-on Signing Key Alias
The keystore alias for the key to be used when signing documents.
The key is used to generate signatures on all the outgoing documents, such as authentication requests and responses. If you do not specify an alias, the server's configured SSL private key alias from the server's SSL configuration is used by default.
MBean Attribute: SingleSignOnServicesMBean.SSOSigningKeyAlias

Single Sign-on Signing Key Pass Phrase
The passphrase used to retrieve the local site's SSO signing key from the keystore.
If you do not specify a keystore alias and passphrase, the server's configured private key alias and private key passphrase from the server's SSL configuration are used by default.
MBean Attribute: SingleSignOnServicesMBean.SSOSigningKeyPassPhrase
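The following is an added example, not WebLogic's own code, showing how the Published Site URL and Recipient Check Enabled options above fit together: endpoint URLs are derived from the published base URL, and an incoming message is accepted only if its Destination matches the URL the HTTP request actually arrived at. The service path sp/acs/post, the hostnames and the sample Response are constructed for illustration.

```python
# Added example, not WebLogic's own code: derive SAML 2.0 endpoint URLs from a
# published site URL and apply the recipient/destination check that the
# "Recipient Check Enabled" option describes. The service path, hostnames and
# the sample Response below are constructed for illustration.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# SAML 2.0 protocol messages that carry a Destination attribute.
CHECKED_MESSAGES = {"{%s}Response" % SAML2P_NS, "{%s}AuthnRequest" % SAML2P_NS}

def endpoint_url(published_site_url: str, service_path: str) -> str:
    """Join the published site URL (scheme://host:port/context, e.g. .../saml2)
    with a service path, tolerating a trailing or leading slash."""
    parts = urlsplit(published_site_url)
    path = parts.path.rstrip("/") + "/" + service_path.lstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def _canonical(url: str) -> tuple:
    """Scheme, lowercase host, explicit port and path: the parts that must
    agree for two endpoint URLs to denote the same recipient."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, p.hostname, port, p.path or "/")

def recipient_check(message_xml: str, request_url: str) -> bool:
    """True only if the message's Destination matches the URL the HTTP
    request arrived at. A missing Destination cannot match. Production code
    should parse untrusted XML with a hardened parser such as defusedxml;
    the stdlib parser is used here for brevity."""
    root = ET.fromstring(message_xml)
    if root.tag not in CHECKED_MESSAGES:
        raise ValueError("not a SAML 2.0 protocol message: %s" % root.tag)
    destination = root.get("Destination")
    if destination is None:
        return False
    return _canonical(destination) == _canonical(request_url)

# Constructed sample: a partner posts a Response to the published ACS URL.
PUBLISHED_SITE_URL = "https://sso.example.com/saml2"
ACS_URL = endpoint_url(PUBLISHED_SITE_URL, "sp/acs/post")  # path is assumed
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="%s"/>' % (SAML2P_NS, ACS_URL)
)
```

A request that reaches the server under its local name (for example http://mserver1:7001/saml2/...) fails the check against the published destination, which is why the published site URL must be the externally visible hostname and port.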
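As a second added example (again not WebLogic's own code), the artifact cache semantics of the Artifact Cache Size and Artifact Cache Timeout options above, modelled in memory: size 0 means unbounded, and an artifact that reaches the timeout is forgotten so that a later reference request behaves as if it had never been issued. Refusing new artifacts when the cache is full, single-use resolution and the injectable clock are assumptions made for this example.

```python
# Added example, not WebLogic's own code: an in-memory model of the local
# artifact cache with the page's size bound (0 = unbounded) and timeout
# semantics. Refusing new artifacts when full, single-use resolution and the
# injectable clock are assumptions made for this example.
import secrets
import time
from collections import OrderedDict

class ArtifactCache:
    def __init__(self, max_cache_size=0, timeout_seconds=300, clock=time.monotonic):
        self.max_cache_size = max_cache_size
        self.timeout_seconds = timeout_seconds
        self.clock = clock
        self._entries = OrderedDict()  # artifact -> (issued_at, message)

    def _expire(self):
        # Drop artifacts that reached the timeout, referenced by a partner or not.
        now = self.clock()
        for artifact, (issued_at, _) in list(self._entries.items()):
            if now - issued_at >= self.timeout_seconds:
                del self._entries[artifact]

    def issue(self, message):
        # Store an outgoing message awaiting a partner's reference and return
        # its artifact; None when a bounded cache is full (assumed behaviour).
        self._expire()
        if self.max_cache_size and len(self._entries) >= self.max_cache_size:
            return None
        artifact = secrets.token_urlsafe(32)
        self._entries[artifact] = (self.clock(), message)
        return artifact

    def resolve(self, artifact):
        # Return the message once; None if unknown, already consumed, or expired.
        self._expire()
        entry = self._entries.pop(artifact, None)
        return None if entry is None else entry[1]

def simulate(timeout_seconds=60):
    # Drive the cache with a fake clock; returns (refused_when_full,
    # resolved_in_time, resolved_twice, resolved_after_timeout).
    now = [0.0]
    cache = ArtifactCache(max_cache_size=2, timeout_seconds=timeout_seconds, clock=lambda: now[0])
    fresh = cache.issue("response-1")
    stale = cache.issue("response-2")
    refused = cache.issue("response-3") is None  # bounded cache is full
    first = cache.resolve(fresh)                  # referenced within the timeout
    again = cache.resolve(fresh)                  # already consumed
    now[0] += timeout_seconds                     # stale times out unreferenced
    return (refused, first, again, cache.resolve(stale))
```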