Administration Console Online Help


SAML 2.0 Identity Asserter: Web Single Sign-on Identity Provider Partner: General


Configures a SAML 2.0 Web Single Sign-on Identity Provider Partner's General Properties

The parameters that can be set on this Administration Console page can also be read and set programmatically through the Java interfaces identified with each option below; all of them are in the com.bea.security.saml2.providers.registry package, except the name mapper interface, which is in com.bea.security.saml2.providers.

Configuration Options

Name

The name of this Identity Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Enabled

Specifies whether interactions with this Identity Provider partner are enabled on this server.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Description

A short description of this Identity Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.Partner interface.

Identity Provider Name Mapper Class Name

The Java class that overrides the default username mapper class with which the SAML 2.0 Identity Asserter provider is configured in this security realm.

If specified, this class is a custom implementation of the com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapper interface and is used for assertions received from this specific Identity Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Issuer URI

The Issuer URI of this Identity Provider partner.

The Issuer URI corresponds to the Entity ID contained in the metadata file received from this Identity Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.
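The following is an added example, not WebLogic code, showing what the Issuer URI ties together: the entityID is read from the partner's metadata and becomes the partner's Issuer URI, and a received SAML Response is attributed to a partner only if that partner is enabled and its Issuer URI equals the Issuer element in both the Response and the Assertion. The metadata, the response and the partner name are constructed for the example; signature verification is out of scope here.

```python
"""Issuer URI check for a SAML 2.0 IdP partner (added example, not WebLogic code).

Models two rules from the help text: the partner's Issuer URI is the entityID
from the partner's metadata, and assertions are only honoured for an enabled
partner whose Issuer URI matches the Issuer in the received message.
The metadata and response XML below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP metadata, as the partner would deliver it.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def entity_id_from_metadata(metadata_xml: str) -> str:
    """Return the entityID that the partner's Issuer URI must equal."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    return entity_id


def partner_from_metadata(name: str, metadata_xml: str, enabled: bool = True) -> Dict:
    """Build the General properties of an IdP partner: Name, Enabled, Issuer URI."""
    return {"Name": name, "Enabled": enabled,
            "IssuerURI": entity_id_from_metadata(metadata_xml)}


def make_response(response_issuer: str, assertion_issuer: Optional[str] = None) -> str:
    """Constructed <samlp:Response>; only the Issuer elements matter here."""
    assertion_issuer = assertion_issuer or response_issuer
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0">
  <saml:Issuer>{response_issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{assertion_issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def select_partner(response_xml: str, partners: List[Dict]) -> Dict:
    """Return the enabled partner whose Issuer URI issued this response, else raise."""
    root = ET.fromstring(response_xml)
    resp_issuer = root.findtext("saml:Issuer", namespaces=NS)
    assn_issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    if not resp_issuer or not assn_issuer:
        raise ValueError("response or assertion has no Issuer")
    if resp_issuer != assn_issuer:
        # An assertion from a different issuer than the enclosing response
        # must not be attributed to the response's partner.
        raise ValueError("assertion Issuer does not match response Issuer")
    by_issuer = {p["IssuerURI"]: p for p in partners}
    partner = by_issuer.get(resp_issuer)
    if partner is None:
        raise ValueError(f"no IdP partner configured for issuer {resp_issuer!r}")
    if not partner["Enabled"]:
        raise ValueError(f"IdP partner {partner['Name']!r} is disabled")
    return partner
```

The lookup is keyed on the exact Issuer URI string; a partner whose Issuer URI differs from the metadata entityID by as little as a trailing slash will never be selected, which is the usual cause of "unknown issuer" failures after a metadata refresh.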

Virtual User

Specifies whether the user information contained in assertions received from this Identity Provider partner is mapped to virtual users in this security realm.

Note that to use virtual users, you must configure the SAML Authentication provider.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Redirect URIs

An optional set of URIs. An unauthenticated request for a URI in this set is redirected to this Identity Provider partner for authentication.

Note the following:

  • A URI may include a wildcard pattern, but to match files of a given type in a directory, the pattern must include that file type. For example, to match all files in the /targetapp directory, including all .jsp, .html, and .htm files, specify the following wildcard patterns:

    /targetapp/*
    /targetapp/*.jsp
    /targetapp/*.html
    /targetapp/*.htm

  • If two or more Identity Provider partners are configured that are capable of authenticating a user for a given URI in this list, the authentication request is sent to the first matching partner that the SAML 2.0 services find. Partners are therefore evaluated in order, and a broad pattern on an earlier partner can shadow a more specific pattern on a later one.
  • The use of Redirect URIs is only one mechanism for enabling a Service Provider-initiated web single sign-on session. Another is to embed the Service Provider initiator service URI (by default, this is sp/sso/initiator) in the URI of the requested resource.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WebSSOIdPPartner interface.
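As an added example, not WebLogic code, the following matcher shows the two points above in working form: the page's four patterns are each needed because a bare "*" does not cover files by type, and when several partners match the same URI the first enabled one wins. The wildcard semantics are an assumption chosen to reproduce the page's rule ("*" matches any run of characters other than "/" and "."; everything else is literal); the partner list and names are constructed.

```python
"""Redirect URI matching for IdP partners (added example, not WebLogic code).

Assumed wildcard semantics, chosen to reproduce the help text's rule that
'/targetapp/*' does not cover '/targetapp/*.jsp': '*' matches any run of
characters other than '/' and '.', everything else is literal. The partner
list below is constructed; Name, Enabled and RedirectURIs are the page's fields.
"""
import re
from typing import Dict, List, Optional


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Redirect URI pattern into an anchored regular expression."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + "[^/.]*".join(parts) + "$")


def uri_matches(pattern: str, path: str) -> bool:
    return pattern_to_regex(pattern).match(path) is not None


def partner_for_uri(path: str, partners: List[Dict]) -> Optional[Dict]:
    """First enabled partner with a matching Redirect URI; None means no SSO redirect."""
    for partner in partners:
        if not partner["Enabled"]:
            continue
        if any(uri_matches(p, path) for p in partner["RedirectURIs"]):
            return partner
    return None


def shadowed_partners(path: str, partners: List[Dict]) -> List[str]:
    """Names of enabled partners that also match `path` but can never be chosen.

    A configuration audit: requests for `path` always go to the first match,
    so these partners' patterns are dead for this path.
    """
    matches = [p for p in partners
               if p["Enabled"] and any(uri_matches(u, path) for u in p["RedirectURIs"])]
    return [p["Name"] for p in matches[1:]]


# Constructed partner configuration.
PARTNERS = [
    {"Name": "WebSSO-IdP-Partner-0", "Enabled": True,
     "RedirectURIs": ["/targetapp/*", "/targetapp/*.jsp",
                      "/targetapp/*.html", "/targetapp/*.htm"]},
    {"Name": "WebSSO-IdP-Partner-1", "Enabled": True,
     "RedirectURIs": ["/targetapp/admin/*.jsp", "/targetapp/*.jsp"]},
    {"Name": "WebSSO-IdP-Partner-2", "Enabled": False,
     "RedirectURIs": ["/partnerapp/*"]},
]
```

Running shadowed_partners over the URIs an application actually serves is a quick way to find a partner that silently never receives traffic because an earlier partner claims the same paths.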

Process Attributes

Specifies whether the SAML 2.0 Identity Asserter provider consumes attribute statements contained in assertions received from this Identity Provider partner.

To use this attribute, the SAML Authentication provider must be configured in the domain, and it must:

  • Be configured to run before other authentication providers
  • Have the JAAS Control Flag set to SUFFICIENT

The SAML Authentication provider creates an authenticated subject using the user name and groups that the SAML 2.0 Identity Asserter provider extracts from the SAML assertion.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.IdPPartner interface.

Only Accept Signed Authentication Requests

Specifies whether authentication requests sent to this Identity Provider partner must be signed.

If this attribute is set to true, authentication requests sent to this Identity Provider partner are signed, even if the SAML 2.0 Service Provider configuration for the local site is not set to sign authentication requests automatically.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WebSSOIdPPartner interface.

Only Accept Signed Artifact Requests

Specifies whether SAML artifact requests received from this Identity Provider partner must be signed.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WebSSOPartner interface.

Send Artifact via POST

Specifies whether SAML artifacts are delivered to this Identity Provider partner via the HTTP POST method.

If not enabled, SAML artifacts are delivered via the HTTP GET method.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WebSSOPartner interface.

Artifact Binding POST Form

The URL of the custom web application that generates the POST form for carrying the SAML response for Artifact bindings to this Identity Provider partner. Details about the required fields in this custom application are available in the OASIS SAML 2.0 specifications.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WebSSOPartner interface.

POST Binding POST Form

The URL of the custom web application that generates the POST form for carrying the SAML response for POST bindings to this Identity Provider partner.

If a custom POST form is used, the SAML parameters are made available to it as a Map of names and values; the form itself determines whether and how those parameters are included in the POSTed data. Details about the required fields in this custom application are available in the OASIS SAML 2.0 specifications.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.WebSSOPartner interface.

Client User Name

The user name that must be specified in the basic authentication header that is expected from this Identity Provider partner when the partner connects to the local site's SOAP/HTTPS binding.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.BindingClientPartner interface.

Client Password

The password that accompanies the client user name in the basic authentication header expected from this Identity Provider partner.

Operations on this parameter are available in the com.bea.security.saml2.providers.registry.BindingClientPartner interface.
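As an added example, not WebLogic code, the following shows the check that the Client User Name and Client Password describe: parse the Basic Authorization header the partner sends to the local site's SOAP/HTTPS binding, reject malformed headers, and compare both fields in constant time against the partner's configured values. The header values, partner name and credentials are constructed for the example.

```python
"""Basic authentication check for the SOAP/HTTPS binding (added example, not WebLogic code).

Verifies the Authorization header a partner sends when it connects to the
local site's binding against the partner's Client User Name and Client
Password. The header values and partner below are constructed.
"""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an RFC 7617 Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user name cannot contain ':'; the password may, so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate_binding_client(header: Optional[str], partner: Dict) -> bool:
    """True only if the partner is enabled and both credentials match."""
    if not partner["Enabled"]:
        return False
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    # Compare both fields in constant time and without short-circuiting, so a
    # probe cannot learn from the timing which of the two fields was wrong.
    user_ok = hmac.compare_digest(user.encode("utf-8"),
                                  partner["ClientUserName"].encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"),
                                  partner["ClientPassword"].encode("utf-8"))
    return bool(user_ok & pass_ok)


def basic_header(user: str, password: str) -> str:
    """Build the header the partner would send (used here to construct inputs)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed partner with the two binding-client fields from this page.
PARTNER = {"Name": "WebSSO-IdP-Partner-0", "Enabled": True,
           "ClientUserName": "idp-artifact-client",
           "ClientPassword": "constructed-secret"}
```

Because the header carries the password in clear text under base64, this check only protects the binding when the connection is in fact HTTPS, which is why the page names the SOAP/HTTPS binding.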
