Servers: Configuration: Federation Services: SAML 2.0 Service Provider
This page configures the SAML 2.0 per-server Service Provider properties.
If you are configuring SAML 2.0 Service Provider services for web single sign-on, after you complete the configuration settings on this page, return to the SAML 2.0 General page and click Publish Meta Data.
Enabled
Specifies whether the local site is enabled for the Service Provider role.
This attribute must be enabled in order to publish the metadata file.
Always Sign Authentication Requests
Specifies whether authentication requests must be signed. If set, all outgoing authentication requests are signed.
Force Authentication
Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. The default is
Note the following:
Setting ForceAuthn to true (that is, enabling Force Authentication) has no effect in WebLogic Server. SAML logout is not supported in WebLogic Server, so even if the user is already authenticated at the Identity Provider site and ForceAuthn is set to true, the user is not forced to authenticate again at the Identity Provider site.
Setting both ForceAuthn and IsPassive to true (that is, enabling both Force Authentication and Passive) is an invalid configuration that causes WebLogic Server to generate an exception and also causes the single sign-on session to fail.
Passive
Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. The default setting is
The WebLogic Server SAML 2.0 services generate an exception if Passive (IsPassive) is enabled and the end user is not already authenticated at the Identity Provider site. In this situation, web single sign-on fails.
Only Accept Signed Assertions
Specifies whether incoming SAML 2.0 assertions must be signed.
Authentication Request Cache Size
The maximum size of the authentication request cache.
This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider.
Specify '0' to indicate that the cache is unbounded.
Authentication Request Cache Timeout
The maximum timeout (in seconds) of <AuthnRequest> documents stored in the local cache.
This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider. Documents that reach this maximum timeout duration are expired from the local cache even if no response is received from the Identity Provider. If a response is subsequently returned by the Identity Provider, the cache behaves as if the <AuthnRequest> had never been generated.
POST One Use Check Enabled
Specifies whether the POST one-use check is enabled.
If set, the local site POST binding endpoints will store identifiers of all inbound documents to ensure that those documents are not presented more than once.
POST Binding Enabled
Specifies whether the POST binding is enabled for the Service Provider.
Artifact Binding Enabled
Specifies whether the Artifact binding is enabled for the Service Provider.
Preferred Binding
Specifies the preferred binding type for endpoints of Service Provider services. Must be set to "None", "POST", or "Artifact".
Default URL
The Service Provider's default URL.
When an unsolicited SSO response arrives at the Service Provider without an accompanying target URL, the user (if authenticated) is redirected to this default URL.
Assertion Key Pass Phrase
The passphrase used to retrieve the local site's Assertion key from the keystore.
Assertion Key Alias
The keystore alias for the certificate and private key to be used to encrypt and decrypt SAML Assertions.
The certificate is published in the SP metadata, which will be used by an external SP to encrypt SAML assertions.
The private key is used to decrypt assertions. If the alias is not specified, the server's configured SSL identity alias is used by default.
Meta Data Encryption Algorithms
The list of data and key encryption algorithms, separated by line breaks, to be published in a WebLogic Service Partner's metadata. The default list includes: aes128-gcm, aes192-gcm, aes256-gcm, aes128-cbc, aes192-cbc, aes256-cbc, rsa-oaep, rsa-oaep-mgf1p
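The following is an added illustration, not WebLogic Server code, of three behaviours this page describes: the invalid ForceAuthn plus IsPassive combination (and the no-effect ForceAuthn warning), the bounded, time-limited <AuthnRequest> cache where an expired ID is treated as if the request had never been generated, and the POST one-use check that rejects a document ID presented a second time. Class and function names are invented for the example; the eviction policy for a full cache is an assumption, since the page does not state it.

```python
from collections import OrderedDict

# Constructed illustration of the settings on this page; not WebLogic Server code.
# Names below are invented; booleans mirror the console options described above.

class SamlSpConfigError(ValueError):
    """Raised for the ForceAuthn + IsPassive combination the page calls invalid."""

def validate_sp_config(sp_enabled, force_authn, passive, publish_metadata=False):
    """Return a list of warnings; raise on the invalid ForceAuthn/IsPassive combination."""
    if force_authn and passive:
        raise SamlSpConfigError("ForceAuthn and IsPassive both enabled: SSO session will fail")
    warnings = []
    if force_authn:
        warnings.append("ForceAuthn has no effect: SAML logout unsupported, no re-authentication at IdP")
    if publish_metadata and not sp_enabled:
        warnings.append("Service Provider role must be enabled to publish metadata")
    return warnings

class AuthnRequestCache:
    """Outbound <AuthnRequest> cache: max_size 0 = unbounded; entries expire after timeout seconds."""
    def __init__(self, max_size, timeout):
        self.max_size, self.timeout = max_size, timeout
        self._issued = OrderedDict()          # request ID -> issue time (caller supplies the clock)

    def issue(self, request_id, now):
        self._expire(now)
        if self.max_size and len(self._issued) >= self.max_size:
            self._issued.popitem(last=False)  # assumption: drop the oldest entry when full
        self._issued[request_id] = now

    def match_response(self, in_response_to, now):
        """True only if the ID is still cached; an expired ID behaves as if never generated."""
        self._expire(now)
        return self._issued.pop(in_response_to, None) is not None

    def _expire(self, now):
        for rid, issued in list(self._issued.items()):
            if now - issued >= self.timeout:
                del self._issued[rid]

class PostOneUseCheck:
    """Inbound POST binding replay guard: each document ID is accepted at most once."""
    def __init__(self, enabled=True):
        self.enabled, self._seen = enabled, set()

    def accept(self, document_id):
        if not self.enabled:
            return True
        if document_id in self._seen:
            return False
        self._seen.add(document_id)
        return True
```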