Use the assertion template setting to set the predefined assertion template.
The settings are listed alphabetically.
Note:
Not all settings apply to all assertion templates.
Action Match performs authorization checks for web service operation.
This value can be a comma-separated list of values. This field accepts wildcards. For example: validate,amountAvailable.
Algorithm suite is used for message protection.
For more information, see "Supported Algorithm Suites".
This setting is used to specify the authentication mechanism for the assertion template.
Valid values include:
basic—Client authenticates itself by transmitting the username and password.
Note: It is recommended that you configure SSL when using basic authentication. For more information, see "About Configuring Keystores for SSL".
cert—Not supported in this release. Client authenticates itself by transmitting a certificate.
custom—Not supported in this release. Custom authentication mechanism.
digest—Not supported in this release. Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.
jwt—Reserved for future use.
oam—Client authenticates itself using an OAM agent.
saml20-bearer—Client authenticates itself using a SAML 2.0 Bearer token.
spnego—Client authenticates itself using Kerberos SPNEGO.
This setting is used to define the body elements for the assertion template.
Note: This field is available if Include Entire Body is disabled.
Sign or encrypt the specified body elements. This field is applicable if the Include Body field is disabled.
To add a body element:
Click Add.
Enter the namespace URI.
Enter the local name for the body element.
Click OK.
To edit a body element:
Select the body element that you want to edit in the Body Elements list.
Click Edit.
Modify the values, as required.
Click OK.
To delete a body element:
Select the body element that you want to delete in the Body Elements list.
Click Delete.
When prompted to confirm, click OK.
A Secure Conversation policy has two policies: inner and outer. The Bootstrap Message Security control exposes the inner and outer policies.
The bootstrap (inner) policy is used to obtain the token and establish the handshake between the client and the web service. The outer policy is used for application messages when making requests with the token.
This is used as key material for the requested proof token in Secure Conversation.
The client policy URI that will be used by the client to communicate with the STS.
The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL. In some cases, you can filter the list of policies by selecting either Show All Client Policies or Show Compatible Client Policies. If you choose Show Compatible Client Policies, only those policies compatible with the port specified in Port URI are shown.
This flag specifies whether to send a signature confirmation back to the client. The default value of this flag is ‘false’.
This setting specifies the Sender Vouches SAML token for authentication.
The only valid value is:
sender-vouches—Uses the Sender Vouches SAML token for authentication.
Expression that represents the constraints against which authorization checks are performed.
The constraints expression is specified using the following two messageContext properties:
messageContext.authenticationMethod—Determines the authentication method used to authenticate the user. Valid value is SAML_SV.
messageContext.requestOrigin—Determines whether the request originated from an internal or external network. This property is valid only when using Oracle HTTP Server and the Oracle HTTP server administrator has added a custom VIRTUAL_HOST_TYPE header to the request.
The constraint pattern properties and their values are case sensitive.
The constraint expression uses the following standard supported operators: ==, !=, &&, || and !.
This flag specifies whether a time stamp for the creation of the username token is required.
Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.
For the preconfigured WS-SC policies, Secure Conversation is enabled by default. For all of the other policies, Secure Conversation is disabled by default.
Mechanism used when encrypting the request.
Valid values for wss10_message_protection_client_template and wss10_saml_token_with_message_protection_client_template:
direct—X.509 Token is included in the request.
ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.
issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.
Valid values for wss11_message_protection_client_template, wss11_saml_token_with_message_protection_client_template, wss11_saml20_token_with_message_protection_client_template, wss11_username_token_with_message_protection_client_template, wss11_x509_token_with_message_protection_client_template:
direct—X.509 Token is included in the request.
ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.
issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.
thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead.
Use this setting for logging fault messages.
The valid values are:
all—Log the entire SOAP message.
header—Log SOAP header information only.
soap_body—Log SOAP body information only.
soap_envelope—Log SOAP envelope information only.
Use these settings for message signing and encryption.
See Table 18-132.
Use this setting to sign or encrypt the specified SOAP header elements.
To add a header element:
Click Add.
Enter the namespace URI.
Enter the local name for the header element.
Click OK.
To edit a header element:
Select the header element that you want to edit in the Header Elements list.
Click Edit.
Modify the values, as required.
Click OK.
To delete a header element:
Select the header element that you want to delete in the Header Elements list.
Click Delete.
When prompted to confirm, click OK.
Use this setting to sign or encrypt the entire body of the SOAP message.
If false, you can add specific body elements using the Body Elements section.
Sign or encrypt SOAP attachments with MIME headers.
Note: This field is enabled and applicable if Include SwA Attachment is enabled. It is not applicable to MTOM attachments.
Include SwA Attachment sign or encrypt SOAP messages with attachments.
Note: This field is not applicable to MTOM attachments.
This flag specifies whether to include a timestamp.
A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.
This specifies the type of Kerberos token.
The only valid value is: gss-apreq-v5 (Kerberos Version 5 GSS-API).
The alias of the STS certificate you added to the keystore.
The default alias name is sts-csf-key.
This flag specifies whether two-way authentication is required.
Valid values include:
Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.
Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.
This specifies the type of format to be used for the name identifier.
Specify one of the following values:
unspecified
emailAddress
X509SubjectName
WindowsDomainQualifiedName
The following assertion templates have the additional value: kerberos:
wss10_saml20_token_client_template, wss_saml20_token_bearer_over_ssl_client_template, wss10_saml20_token_with_message_protection_client_template, wss11_saml20_token_with_message_protection_client_template
Name Identifier Format is applicable only when subject.precedence is set to false. If subject.precedence is false, the user name to create the SAML assertion is obtained from the csf-key property or the username property (see "Configuring SAML Web Service Client at Design Time"). The format of the user name must be the same as the format set in Name Identifier Format.
If subject.precedence is true, the user name to create the SAML assertion is obtained from the Subject. In this case, the Name Identifier Format is always "unspecified" and this cannot be changed by setting Name Identifier Format.
This flag specifies whether a nonce must be included with the username to prevent replay attacks.
Note: If Password Type is set to digest, then this attribute must be set to true. Otherwise, the policy to which it is attached will not validate.
This specifies the type of password required.
Valid values are:
none—No password.
plaintext—Password in clear text.
digest—Client authenticates itself by transmitting an encrypted password through the use of an MD5 digest.
If you specify a password type of none, you do not need to include a password in the key.
Note:
If you do not use a digest password, policies created using this template are not secure; plaintext transmits the password in clear text. You should use this assertion without a digest password in low security situations only, or when you know that the transport is protected using some other mechanism. Alternatively, consider using the SSL version of this assertion, "oracle/wss_username_token_over_ssl_client_template".
Role- and permission-based policies use the guard element to define resource, action, and constraint match values. These values allow the assertion to execute only if the result of the guard is true: the assertion runs only when the accessed resource name and action match.
For more information on guard element, see "orawsp:guard Element".
By default, resource name and action use the wildcard asterisk "*" and everything is allowed.
Class used for the permission-based checking. For example, oracle.wsm.security.WSFunctionPermission.
You have the option to change the permission_class configuration property for the policy, which identifies the permission class as per JAAS standards. The permission class must be available in the application or server classpath.
The custom permission class must extend the abstract Permission class and implement the Serializable interface. See the Javadoc at http://docs.oracle.com/javase/7/docs/api/java/security/Permission.html.
The default is oracle.wsm.security.WSFunctionPermission.
The endpoint of the STS web service. For a WSDL 2.0 STS, the format is specified as target-namespace#wsdl.endpoint(service-name/port-name). For example, http://samples.otn.com.LoanFlow#wsdl.endpoint(LoanFlowService/LoanFlowPort). For a WSDL 1.1 STS, the format is specified as targetnamespace#wsdl11.endpoint(servicename/portname). For example, http://samples.otn.com.LoanFlow#wsdl11.endpoint(LoanFlowService/LoanFlowPort).
The actual endpoint URI of the STS port.
For example, http://host:port/context-root/service1.
You can enable the re-authenticate control only for SAML sender vouches policies when the propagate.identity.context configuration attribute is set to True.
For more information, see "When to Use Re-Authentication" in Understanding Oracle Web Services Manager.
Mechanism used when encrypting the receipt.
Valid values are the same as for Sign Key Reference Mechanism above.
Mechanism used when signing the receipt.
Valid values are the same as for "Sign Key Reference Mechanism".
Requirements for logging request messages.
The valid values are:
all—Log the entire SOAP message.
header—Log SOAP header information only.
soap_body—Log SOAP body information only.
soap_envelope—Log SOAP envelope information only.
This specifies if XPaths should be requested.
Optional element. A comma-separated list of XPaths for the request. Default value is blank.
Optional element. A comma-separated list of namespaces for the request, where each namespace has a prefix and URI separated by the equals sign. Default value is blank.
Optional element in the RST. If present, OWSM sends the endpoint address of the web service for which the token is being requested. The default behavior is to always send the appliesTo element in the message from the client to the STS.
If a symmetric proof key is required by the web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The web service policy can indicate whether client entropy, STS entropy, or both are required.
If a symmetric proof key is required by the web service's security policy, the requestor can pass some key material (entropy) that can be included in the calculation of the proof key. The web service policy can indicate whether client entropy, STS entropy, or both are required.
Name of the resource for which authorization checks are performed. This field accepts wildcards. For example, if the namespace of the web service is http://project11 and the service name is CreditValidation, the resource name is http://project11/CreditValidation.
Requirements for logging response messages. The valid values are the same as for Request.
Optional element. A comma-separated list of namespaces, where each namespace has a prefix and URI separated by the equals sign. Default value is blank.
Optional element. A comma-separated list of XPaths for the response. Default value is blank.
Specifies the roles that are authorized.
The valid values are:
Permit All—Permit users with any roles.
Deny All—Deny all users with roles.
Selected Roles—Permit selected roles.
To add roles:
Click Add.
To add roles, click the checkbox next to each role you want to add in the Roles Available column and click Move. To add all roles, click Move All.
To remove roles, click the checkbox next to each role you want to remove in the Roles Selected to Add column, and click Remove. To remove all roles, click Remove All.
To search for roles, enter a search string in the Role Name search box and click the go arrow. The Roles Available column is updated to include only those roles that match the search string.
Click OK.
To delete roles:
Select the role that you want to delete in the Selected Roles list.
Click Delete.
This is used as key material for the requested proof token for Secure Conversation.
Mechanism used when signing the request.
Valid values include:
direct—X.509 Token is included in the request.
ski—Subject Key Identifier (SKI) extension value of the X.509 certificate used to reference the certificate. (Some certificates may not have this extension.) The recipient of the message looks up its keystore for a certificate corresponding to the SKI and validates the signature against it.
issuerserial—Composite key of issuer name and serial number attributes used to reference the X.509 certificate. The recipient of the message looks up its keystore for a certificate corresponding to Issuer name and Serial Number and validates the signature using it.
thumbprint—Fingerprint (SHA1 hash) of the contents of the certificate. Provides a method to store certificates that is low overhead. This property is valid only for the following templates: wss11_saml_token_with_message_protection_client_template, wss11_saml20_token_with_message_protection_client_template, wss11_x509_token_with_message_protection_client_template, wss11_sts_issued_saml_with_message_protection_client_template, oracle/wss11_sts_issued_saml_hok_with_message_protection_client_template.
This flag specifies whether Secure Socket Layer (SSL), otherwise known as Transport Layer Security (TLS), is enabled.
This flag specifies whether to include a timestamp.
A timestamp can be used to prevent replay attacks by identifying an expiration time after which the message is no longer valid.
This flag specifies whether two-way authentication is required.
Valid values include:
Enabled—The service must authenticate itself to the client, and the client must authenticate itself to the service.
Disabled—One-way authentication is required. The service must authenticate itself to the client, but the client is not required to authenticate itself to the service.
This flag specifies whether X509PKIPathV1 tokens should be processed and propagated.
Indicates whether a WSDL exists for the Security Token Service (STS).
If a WSDL does exist, you may be prompted when cloning the template to enter the endpoint URI for the WSDL, indicate whether authentication is required, and enter a user name and password. You can then select Parse WSDL to parse the WSDL and fill the subsequent fields with values from the WSDL.
The following sections summarize the configuration properties that can be set for the predefined assertion templates; settings are listed alphabetically.
Note:
Not all configuration properties apply to all assertion templates.
A configuration override property with default value true. The value can be true or false. When set to true, it governs the addition of an anonymous subject to the message context.
The application name defined in OES. The value can be static, or dynamic using ${} notation.
The mapping attribute used to represent the attesting entity. Only the DN is currently supported. This attribute is applicable only to sender vouches and then only to message protection use cases. It is not applicable to SAML over SSL policies.
By default, at the client side, the "oit" authorization header is built as part of the send request phase. To send the "Bearer" authorization header from the client side, the client needs to override the configuration property "auth.header.token.type" with the value "Bearer". The service side processes the authorization header with "Bearer" as well as "oit": it checks the authorization header for "oit" as well as for "Bearer" as the auth header prefix. If it matches, the service side extracts the header and verifies it; otherwise it throws an appropriate exception.
Client's principal name as generated using the ktpass command and mapped to the username for which the Kerberos token should be generated. Use the following format: <username>@<REALM NAME>.
Note: keytab.location and caller.principal.name are required for propagating client identity for Java EE applications.
Flag that specifies whether Credential Delegation with Forwarded TGT is supported. For more information, see "About Configuration of Credential Delegation". This value is false by default.
Oracle WSM map in the credential store that contains the CSF aliases.
You can override the default, domain-level Oracle WSM map, by specifying an application-level map name as the Value for this property.
For example: Value=app-level-mapname.map.
Accessing an application-level map also requires granting credential access and identity permission to the wsm-agent-core.jar, as explained in "About Creating an Application-level Credential Map".
Credential Store Key that maps to a username and password in the OPSS identity store. For information about how to add the key to the credential store, see "Adding Keys and User Credentials to Configure the Credential Store".
Optional property. Action that will be used during real authorization. The value can be static, or dynamic using ${} notation.
Property used by the client to ignore the timestamp in the SOAP security header when it receives the response from the service. The default behavior is to NOT ignore the timestamp (the default value of this property is false). If set to true, then the timestamp is not required in the response message; if the timestamp is present, it is ignored.
The timestamp is required to prevent replay attacks, so in general, Oracle does not recommend setting this property to true except to address interoperability issues.
Controls whether the service validates the timestamp and responds back with a timestamp in the WS-Security Header Element. The default value is false. If set to true, the client sends the timestamp in the WS-Security Header Element; the service then validates the timestamp and responds back with a timestamp in the WS-Security Header Element, which the client validates in turn.
The issued tokens are cached by OWSM. When making a request to the STS, OWSM requests a token lifetime for returned tokens for the period specified by issued.token.lifetime.
If the STS returns a token lifetime value different from the requested issued.token.lifetime value, OWSM uses the returned value as the period for caching returned tokens. If the STS returns an empty token lifetime value, OWSM does not cache returned tokens.
The time in milliseconds for OWSM to request as the token lifetime when obtaining an issued token from a security token service (STS). The domain default for this value is 28800000 milliseconds (eight hours). For information about how to change this default value, see "Configuring the Lifetime for the Issued Token Using Fusion Middleware Control".
The iteration count for key derivation using a password. The default value is 1000. If an invalid iteration count is passed, that is, a non-integer-parsable string or a negative value, a warning message is displayed and the default value of 1000 is used.
The alias and password used for storing the decryption key password in the keystore.
If you set this value you can then override keystore.enc.csf.key, as described in "Overview of Policy Configuration Overrides".
If you do override this value, the key for the new value must be in the keystore. That is, overriding the value does not free you from the requirement of configuring the key in the keystores.
Keystore alias associated with the peer certificate. The security run time uses this alias to extract the peer certificate from the configured keystore and to encrypt messages to the peer. For information about overriding policies, see "Overview of Policy Configuration Overrides".
The alias and password used for storing the signature key password in the keystore. This property allows you to specify the signature key on a per-attachment level instead of at the domain level. This key is used when generating the enveloping signature, as specified using the saml.envelope.signature.required flag.
Optional property. Action that will be used during attributes lookup. The value can be static, or dynamic using ${} notation.
Optional property. Override this property to indicate whether the request is on behalf of another entity. The default value for this flag is false.
When set to true and sts.auth.on.behalf.of.csf.key is configured, that key is given preference and the identity established using that CSF key is sent in the onBehalfOf token. If the sts.auth.on.behalf.of.username.only property is also set to true, the password portion of the identity in the CSF key is not sent in the onBehalfOf token.
Otherwise, if the subject is already established, the username from the subject is sent as the onBehalfOf token.
If sts.auth.on.behalf.of.csf.key is not set and the subject does not exist, on.behalf.of is treated as a token exchange for the requestor and not for another entity. It is not included in an onBehalfOf element in the request.
It is the client policy URI that will be used by the client to communicate with the STS. The policy you choose depends on the authentication requirements of the STS, as identified in its WSDL.
In some cases, you can filter the list of policies by selecting either Show All Client Policies or Show Compatible Client Policies. If you choose Show Compatible Client Policies, only those policies compatible with the port specified in Port URI are shown.
The endpoint of the STS web service. For a WSDL 2.0 STS, the format is specified as target-namespace#wsdl.endpoint(service-name/port-name). For example, http://samples.otn.com.LoanFlow#wsdl.endpoint(LoanFlowService/LoanFlowPort). For a WSDL 1.1 STS, the format is specified as targetnamespace#wsdl11.endpoint(servicename/portname). For example, http://samples.otn.com.LoanFlow#wsdl11.endpoint(LoanFlowService/LoanFlowPort).
The actual endpoint URI of the STS port. For example, http://host:port/context-root/service1.
Propagates the identity context from the web service client to the web service, and then makes it available ("publishes it") to other components for authentication and authorization purposes. For more information, see "Propagating Identity Context Using SAML Policies".
Note:
This property has no effect when defined as an unscoped override using the setWSMPolicySetOverride command. For more information, see "setWSMPolicySetOverride" in WLST Command Reference for Infrastructure Components.
Optional property that specifies the priority of the policy attachment. When specified for an attached policy, the effective set of policies algorithm allows the policy with the highest integer value priority to take precedence over a conflicting policy attachment, irrespective of its scope.
The value of reference.priority can be any number between -2^31 and (2^31 - 1). The higher the number, the higher the priority assigned during effective policy calculation. Any policy that does not have a value or has a non-numeric value is treated as having a value of 0. If the value is set to any of the words "yes", "true", or "on", the value is set to 1.
For more information, see "Specifying the Priority of a Policy Attachment".
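How the reference.priority rules above play out in effective policy calculation, as an added Python example rather than OWSM code. The page does not say what happens to a number outside the 32-bit range or how ties are broken, so those two behaviours are assumptions here.

```python
"""Effective-policy selection by reference.priority (added example, not OWSM
code). Parsing follows the page: "yes"/"true"/"on" count as 1, a missing or
non-numeric value counts as 0, numbers must lie in the signed 32-bit range.
Assumed: an out-of-range number is treated like a non-numeric value (0), and
on equal priority the first attachment listed wins."""
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def parse_reference_priority(value):
    """Map a raw reference.priority value (string or None) to the integer
    used during effective policy calculation."""
    if value is None:
        return 0
    text = str(value).strip()
    if text in ("yes", "true", "on"):
        return 1                      # the page's three words mean priority 1
    try:
        number = int(text)
    except ValueError:
        return 0                      # non-numeric: treated as 0
    if INT32_MIN <= number <= INT32_MAX:
        return number
    return 0                          # assumption: out of range falls back to 0


def effective_attachment(attachments):
    """attachments: iterable of (policy_uri, scope, raw_priority).

    Returns (policy_uri, scope) of the attachment with the highest priority,
    irrespective of scope, or None when there are no attachments.
    """
    best, best_prio = None, None
    for uri, scope, raw in attachments:
        prio = parse_reference_priority(raw)
        if best is None or prio > best_prio:     # strict '>' keeps the first on ties
            best, best_prio = (uri, scope), prio
    return best


if __name__ == "__main__":
    # Constructed sample: "true" only yields 1, so the explicit 2 wins.
    sample = [("oracle/policy_a", "domain", "true"),
              ("oracle/policy_b", "application", "2"),
              ("oracle/policy_c", "service", None)]
    print(effective_attachment(sample))
```

Note the gotcha this makes visible: an override of "true" ranks below any explicit priority of 2 or more, regardless of where the policy is attached.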
Optional property that asserts the user and creates a subject for Webgate/OAM protected resources. The default value is OAM_REMOTE_USER. If the value is set to NONE, support for the remote user header is disabled. If OAM_REMOTE_USER is present along with other security headers in a request, the OAM_REMOTE_USER header is given highest priority.
Optional property that switches between different out-of-the-box mapping models. The default value is operation_as_action. Other allowed values are operation_as_resource_hierarchy and lookup_action_fixed_execute_action_as_operation.
Optional property. Resource name defined in OES. The value can be static, or dynamic using ${} notation.
Optional property. Resource type defined in OES. The value can be static, or dynamic using ${} notation.
Applies to web service client only. If this is set, the body of protocol request messages such as createSequence() and terminateSequence() are encrypted. The default is that WS-RM protocol messages are not encrypted.
The response message body for protocol messages depends on the request message body: if the request message from the client is encrypted for protocol messages, the web service sends the response encrypted, and vice versa.
The saml.audience.uri configuration property represents the relying party, as a comma-separated list of URIs.
This field accepts the following wildcards:
* in any location.
/* at the end of the URI.
.* at the end of the URI.
Base URL of the service URL.
Flag that specifies whether the bearer token is signed using the domain signature key. You can override the domain signature key using the private signature key configured using keystore.sig.csf.key.
Set this flag false (in both client and service policy) to have the bearer token be unsigned.
SAML issuer URI. For more information, see "Adding an Additional SAML Assertion Issuer Name".
A comma-separated list of SAML token trusted issuers for an application that will override trusted issuers at domain level.
Secure Conversation token lifetime in milliseconds. The security context is shared by the client and web service for the lifetime of a communication session. This is the time after which the SCT is expired.
Set subject.precedence to false to allow for the use of a client-specified username rather than the authenticated subject.
If subject.precedence is true, the user name to create the SAML assertion is obtained only from the Subject. Similarly, if subject.precedence is false, the user name to create the SAML assertion is obtained only from the csf-key username property.
Client's principal name as generated using the ktpass command and mapped to the username for which the Kerberos token should be generated. It is of the format <username>@<REALM NAME>.
Optional property. Use to configure on behalf of entity. If present, it will be given preference over Subject (if it exists). For information about the on behalf of entity, see "on.behalf.of".
Optional property. Use to configure the on behalf of entity when sts.auth.on.behalf.of.csf.key is specified. For information about the on behalf of entity, see "on.behalf.of".
Principal name for the web service that needs to be protected. It is of the format <host>/<machine name>@<REALM NAME>. For example, HTTP/mymachine@MYREALM.COM.
Use to configure username/password to authenticate to the STS.
If policy-reference-uri in the oracle/sts_trust_config_template client assertion template points to a username-based policy, then you configure the sts.auth.user.csf.key property to specify a username/password to authenticate to the STS.
Use to configure X509 certificate for authenticating to the STS.
If policy-reference-uri in the oracle/sts_trust_config_template client assertion template points to an x509-based policy, then you configure the sts.auth.x509.csf.key property to specify the X509 certificate for authenticating to the STS.
Use in Web Services Federation cases to specify the STSes in the trust chain from the RP-STS that the web service trusts back to the IP-STS that the web client uses to authenticate.
Set the value of sts.in.order to a comma-separated list of the STS URIs to be contacted, starting with the RP-STS and ending with the IP-STS.
For more information about using this property, see "About Configuring Web Services Federation".
The alias of the STS certificate you added to the keystore. The default alias name is sts-csf-key.
User Credential Store Key that maps to a username and password in the OPSS identity store. See "Adding Keys and User Credentials to Configure the Credential Store".
The default value of basic.credentials contains the password details of a user. The password details are required to derive the key for encryption or signature. The service creates a user csf key for each user.
If the username in the user csf key is different from the one coming in the request header, the authentication fails.
If the password is different, then signature verification or decryption fails.
This is an optional configuration property. Set the value to true to skip the lookup phase.
Does not apply to masking policy.
User attributes related to the principal of the SAML token.
Specify the attributes to be included as a comma-separated list. For example, attrib1,attrib2. The attribute names you specify must exactly match valid attributes in the configured identity store. The OWSM run time reads the values for these attributes from the configured identity store, and then includes the attributes and their values in the SAML assertion.
Requires that the Subject is available and subject.precedence is set to true.
A client policy reads the values of the attributes specified using user.attributes from the configured identity store. All valid attribute names and values are used to create the SAML attribute statement.
The user.attributes property is supported for a single identity store, and only the first identity store in the list is used. The user must, therefore, exist and be valid in the identity store used by the configured WebLogic Server Authentication provider. Authentication providers are described in "Supported Authentication Providers in WebLogic Server".
If the identity store you require is not the first identity store, you can specify that additional identity stores be searched. See "Including User Attributes in the Assertion" for more information.
This configuration property specifies the user roles.
When set to true, OWSM reads the roles of the user from the user repository (LDAP) and propagates them as SAML attributes.