SAML Web SSO 2.0 Authentication (samlWebSso20)

SAML Web SSO 2.0 Authentication (samlWebSso20)

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.

Name Type Default Description

allowCreate boolean Allow the IdP to create a new account if the requesting user does not have one.

allowCustomCacheKey boolean true Allow generating a custom cache key to access the authentication cache and get the subject.

audiences string ANY The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.

authFilterRef Top level authFilter element (string). Authentication filter reference.

authnContextClassRef string A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.

authnContextComparisonType

better
exact
maximum
minimum

exact When an authnContextClassRef is specified, the authnContextComparisonType can be set.
better
Better. The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified.
exact
Exact. The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified.
maximum
Maximum. The authentication context in the authentication statement must be as strong as possibe without exceeding the strength of at least one of the authentication contexts specified.
minimum
Minimum. The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.

authnRequestTime A period of time with millisecond precision 10m Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authnRequestsSigned boolean true Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed.

clockSkew A period of time with millisecond precision 5m This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

createSession boolean true Specifies whether to create an HttpSession if the current HttpSession does not exist.

customizeNameIDFormat string Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.

disableInitialRequestCookie boolean false When too many authentication requests are created by Service Provider and redirected to IdP due to the application SSO setup, set this attribute to true to prevent creation of the initial request cookie. The default is false.

disableLtpaCookie boolean true Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead.

enabled boolean true The service provider is enabled if true and disabled if false.

errorPageURL string Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO.

forceAuthn boolean false Indicates whether the IdP should force the user to re-authenticate.

groupIdentifier string Specifies a SAML attribute used as the name of the group that the authenticated principal is a member of. There is no default value.

headerName string Saml The header name of the HTTP request which stores the SAML Token.

httpsRequired boolean true Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata.

id string A unique configuration ID.

idpMetadata string ${server.config.dir}/resources/security/idpMetadata.xml Specifies the IdP metadata file.

inboundPropagation

none
required

none Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms.
none
%inboundPropagation.none
required
%inboundPropagation.required

includeTokenInSubject boolean true Specifies whether to include a SAML assertion in the subject.

includeX509InSPMetadata boolean true Specifies whether to include the x509 certificate in the Liberty SP metadata.

isPassive boolean false Indicates IdP must not take control of the end user interface.

keyAlias string Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'.

keyStoreRef Top level keyStore element (string). A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default.

loginPageURL string Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO.

mapToUserRegistry

Group
No
User

No Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
Group
Map a SAML identity to a group defined in the user registry
No
Do not map a SAML identity to a user or group in the registry
User
Map a SAML identity to a user defined in the registry

nameIDFormat

customize
email
encrypted
entity
kerberos
persistent
transient
unspecified
windowsDomainQualifiedName
x509SubjectName

email Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification.
customize
Customized Name ID Format.
email
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
encrypted
urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
entity
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
transient
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
windowsDomainQualifiedName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
x509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

postLogoutRedirectUrl string (with whitespace trimmed off) The client is redirected to this optional URL after the client invokes the SAML logout endpoint and the logout completes

reAuthnCushion A period of time with millisecond precision 0m The time period to authenticate the user again when the Subject associated with a SAML Assertion is about to expire. This cushion is applied to both the NotOnOrAfter value in the Conditions element and the SessionNotOnOrAfter attribute of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

reAuthnOnAssertionExpire boolean false Authenticate the incoming HTTP request again when the NotOnOrAfter value in the Conditions element of the SAML Assertion is expired.

realmIdentifier string Specifies a SAML attribute used as the realm name. If no value is specified, the Issuer SAML assertion element value is used.

realmName string Specifies a realm name when mapToUserRegistry is set to No or Group.

sessionNotOnOrAfter A period of time with millisecond precision 120m Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. This property is only used if disableLtpaCookie=true. The default value is true. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

signatureMethodAlgorithm

SHA1
SHA128
SHA256

SHA256 Indicates the required algorithm by this service provider.
SHA1
SHA-1 signature algorithm
SHA128
%signatureMethodAlgorithm.SHA128
SHA256
SHA-256 signature algorithm

spCookieName string Specifies a cookie name for the SAML service provider. The service provider will provide one by default.

spHostAndPort string Hostname and port number by which the IdP addresses this SAML service provider. Use this attribute if the browser needs to be redirected to a router or proxy server instead of directly connecting to the service provider. The format for the value for this attribute is (scheme)://(proxyOrRouterHost):(proxyOrRouterPort). For example, https://myRouter.com:443.

spLogout boolean false Perform a SAML logout when you invoke the HttpServletRequest.logout method or the ibm_security_logout URL.

targetPageUrl string The default landing page for the IdP-initiated SSO if the relayState is missing. This property must be set to a valid URL if useRelayStateForTarget is set to false.

tokenReplayTimeout A period of time with millisecond precision 30m This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

useRelayStateForTarget boolean true When doing IdP-initiated SSO, this property specifies if the relayState in a SAMLResponse should be used as the target URL. If set to false, the value for targetPageUrl is always used as the target URL.

userIdentifier string Specifies a SAML attribute used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used.

userUniqueIdentifier string Specifies a SAML attribute used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.

wantAssertionsSigned boolean true Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion.

authFilter
Authentication filter reference.
authFilter > cookie
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

authFilter > host
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

authFilter > remoteAddress
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

ip string Specifies the remote host TCP/IP address.

matchType

contains
equals
greaterThan
lessThan
notContain

contains Match type.

authFilter > requestHeader
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

value string The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

authFilter > requestUrl
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

urlPattern string
Required Specifies the URL pattern. The * character is not supported to be used as a wildcard.

authFilter > userAgent
A unique configuration ID.

Name Type Default Description

agent string
Required Specifies the browser's user agent to help identify which browser is being used.

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

authFilter > webApp
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

matchType

contains
equals
notContain

contains Match type.

name string
Required Specifies the name.

pkixTrustEngine
Specifies the PKIX trust information used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.

Name Type Default Description

trustAnchorRef Top level keyStore element (string). A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion.

trustedIssuers string Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.

pkixTrustEngine > crl
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

path string
Required Specifies the path to the crl.

pkixTrustEngine > x509Certificate
A unique configuration ID.

Name Type Default Description

id string A unique configuration ID.

path string
Required Specifies the path to the x509 certificate.

Name	Type	Default	Description
allowCreate	boolean		Allow the IdP to create a new account if the requesting user does not have one.
allowCustomCacheKey	boolean	true	Allow generating a custom cache key to access the authentication cache and get the subject.
audiences	string	ANY	The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.
authFilterRef	Top level authFilter element (string).		Authentication filter reference.
authnContextClassRef	string		A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.
authnContextComparisonType	better exact maximum minimum	exact	When an authnContextClassRef is specified, the authnContextComparisonType can be set. better Better. The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified. exact Exact. The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified. maximum Maximum. The authentication context in the authentication statement must be as strong as possibe without exceeding the strength of at least one of the authentication contexts specified. minimum Minimum. The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.
authnRequestTime	A period of time with millisecond precision	10m	Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
authnRequestsSigned	boolean	true	Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed.
clockSkew	A period of time with millisecond precision	5m	This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
createSession	boolean	true	Specifies whether to create an HttpSession if the current HttpSession does not exist.
customizeNameIDFormat	string		Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.
disableInitialRequestCookie	boolean	false	When too many authentication requests are created by Service Provider and redirected to IdP due to the application SSO setup, set this attribute to true to prevent creation of the initial request cookie. The default is false.
disableLtpaCookie	boolean	true	Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead.
enabled	boolean	true	The service provider is enabled if true and disabled if false.
errorPageURL	string		Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO.
forceAuthn	boolean	false	Indicates whether the IdP should force the user to re-authenticate.
groupIdentifier	string		Specifies a SAML attribute used as the name of the group that the authenticated principal is a member of. There is no default value.
headerName	string	Saml	The header name of the HTTP request which stores the SAML Token.
httpsRequired	boolean	true	Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata.
id	string		A unique configuration ID.
idpMetadata	string	${server.config.dir}/resources/security/idpMetadata.xml	Specifies the IdP metadata file.
inboundPropagation	none required	none	Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms. none %inboundPropagation.none required %inboundPropagation.required
includeTokenInSubject	boolean	true	Specifies whether to include a SAML assertion in the subject.
includeX509InSPMetadata	boolean	true	Specifies whether to include the x509 certificate in the Liberty SP metadata.
isPassive	boolean	false	Indicates IdP must not take control of the end user interface.
keyAlias	string		Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'.
keyStoreRef	Top level keyStore element (string).		A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default.
loginPageURL	string		Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO.
mapToUserRegistry	Group No User	No	Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject. Group Map a SAML identity to a group defined in the user registry No Do not map a SAML identity to a user or group in the registry User Map a SAML identity to a user defined in the registry
nameIDFormat	customize email encrypted entity kerberos persistent transient unspecified windowsDomainQualifiedName x509SubjectName	email	Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification. customize Customized Name ID Format. email urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress encrypted urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted entity urn:oasis:names:tc:SAML:2.0:nameid-format:entity kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos persistent urn:oasis:names:tc:SAML:2.0:nameid-format:persistent transient urn:oasis:names:tc:SAML:2.0:nameid-format:transient unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified windowsDomainQualifiedName urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName x509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
postLogoutRedirectUrl	string (with whitespace trimmed off)		The client is redirected to this optional URL after the client invokes the SAML logout endpoint and the logout completes
reAuthnCushion	A period of time with millisecond precision	0m	The time period to authenticate the user again when the Subject associated with a SAML Assertion is about to expire. This cushion is applied to both the NotOnOrAfter value in the Conditions element and the SessionNotOnOrAfter attribute of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
reAuthnOnAssertionExpire	boolean	false	Authenticate the incoming HTTP request again when the NotOnOrAfter value in the Conditions element of the SAML Assertion is expired.
realmIdentifier	string		Specifies a SAML attribute used as the realm name. If no value is specified, the Issuer SAML assertion element value is used.
realmName	string		Specifies a realm name when mapToUserRegistry is set to No or Group.
sessionNotOnOrAfter	A period of time with millisecond precision	120m	Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. This property is only used if disableLtpaCookie=true. The default value is true. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
signatureMethodAlgorithm	SHA1 SHA128 SHA256	SHA256	Indicates the required algorithm by this service provider. SHA1 SHA-1 signature algorithm SHA128 %signatureMethodAlgorithm.SHA128 SHA256 SHA-256 signature algorithm
spCookieName	string		Specifies a cookie name for the SAML service provider. The service provider will provide one by default.
spHostAndPort	string		Hostname and port number by which the IdP addresses this SAML service provider. Use this attribute if the browser needs to be redirected to a router or proxy server instead of directly connecting to the service provider. The format for the value for this attribute is (scheme)://(proxyOrRouterHost):(proxyOrRouterPort). For example, https://myRouter.com:443.
spLogout	boolean	false	Perform a SAML logout when you invoke the HttpServletRequest.logout method or the ibm_security_logout URL.
targetPageUrl	string		The default landing page for the IdP-initiated SSO if the relayState is missing. This property must be set to a valid URL if useRelayStateForTarget is set to false.
tokenReplayTimeout	A period of time with millisecond precision	30m	This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
useRelayStateForTarget	boolean	true	When doing IdP-initiated SSO, this property specifies if the relayState in a SAMLResponse should be used as the target URL. If set to false, the value for targetPageUrl is always used as the target URL.
userIdentifier	string		Specifies a SAML attribute used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used.
userUniqueIdentifier	string		Specifies a SAML attribute used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.
wantAssertionsSigned	boolean	true	Indicates a requirement for the <saml:Assertion> elements received by this service provider to contain a Signature element that signs the Assertion.

Name	Type	Default	Description
id	string		A unique configuration ID.
matchType	contains equals notContain	contains	Match type.
name	string Required		Specifies the name.
value	string		The value attribute specifies the value of the request header. If the value is not specified, then the name attribute is used for matching, for example, requestHeader id="sample" name="email" matchType="contains".

Name	Type	Default	Description
trustAnchorRef	Top level keyStore element (string).		A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion.
trustedIssuers	string		Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.

Name	Type	Default	Description
id	string		A unique configuration ID.
path	string Required		Specifies the path to the crl.