
SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties

The following tables list the custom properties for the Security Assertion Markup Language (SAML) trust association interceptor (TAI). We can define these properties in the custom properties panel for the SAML TAI using the console.

To assign unique property names that identify each possible single sign-on (SSO) service provider (SP) partner, an sso_<id> is embedded in the property name and used to group the properties associated with each SSO partner. The sso_<id>s are numbered sequentially for each SSO service provider partner.

The SAML TAI custom properties can be grouped into three categories:

Global properties: Applicable to all SSO partners configured for the SAML TAI.
IdP properties: Applicable to identity providers configured for the SAML TAI. To assign unique property names that identify each identity provider partner, an idp_<id> is embedded in the property name and used to group the properties associated with each SSO IdP partner.
Service provider properties: Applicable to a service provider. Grouped together for each SSO service provider partner under a unique sso_<id>.

All custom property names are case-sensitive.


Global SAML TAI custom properties

targetUrl
  Values: Any URL value.
  Description: Default target URL after successful validation of the SAMLResponse when there is no RelayState received from the IdP. Overridden by sso_<id>.sp.targetUrl.
useRelayStateForTarget
  Values: true (default), false
  Description: Indicates whether the RelayState should be used as the target URL. Overridden by sso_<id>.sp.useRelayStateForTarget.
allowedClockSkew
  Values: Any positive number. Default is three minutes.
  Description: Allowed clock skew in minutes when validating the SAML token. Overridden by sso_<id>.sp.allowedClockSkew.
enforceTaiCookie
  Values: true (default), false
  Description: Indicates whether the SAML TAI should check if an LTPA cookie is mapped to a subject created for the SSO partner. Overridden by sso_<id>.sp.enforceTaiCookie.
replayAttackTimeWindow
  Values: Any integer value. Default is 30.
  Description: Time, in minutes, within which the second request is rejected if two identical SAML tokens are received by the TAI. See also sso_<id>.sp.preventReplayAttack.


IdP SAML TAI custom properties

sso_<id>.idp_<id>.SingleSignOnUrl
  Values: Any URL value.
  Description: URL of the SSO service of the IdP.
sso_<id>.idp_<id>.allowedIssuerDN
  Values: No default.
  Description: Name of the Issuer who is allowed to sign the SAML token sent by the IdP. If the SAML token is not signed by this issuer, the token is rejected.
sso_<id>.idp_<id>.allowedIssuerName
  Values: No default.
  Description: Value of the <saml:Issuer> element in the SAML token. The SAML token received from the IdP is rejected if the Issuer in the token does not match this value.


Service provider SAML TAI custom properties

sso_<id>.sp.acsUrl
  Values: No default.
  Description: URL of the ACS or the business application.
sso_<id>.sp.cookiegroup
  Values: No default.
  Description: Tag to be added to an LTPA cookie for the configured SAML SSO partner. When a web request is received with an LTPA cookie, the LTPA cookie is valid only if the tag matches this value.
sso_<id>.sp.EntityID
  Values: Default is the value of sso_<id>.sp.acsUrl.
  Description: Used to verify AudienceRestriction in the SAML assertion.
sso_<id>.sp.targetUrl
  Values: No default.
  Description: URL of the target application. Used when RelayState is not present in the client request.
sso_<id>.sp.useRelayStateForTarget
  Values: true (default), false
  Description: If true, use the value of RelayState in the client request as the URL of the target application. If false, use the value of sso_<id>.sp.targetUrl as the URL of the target application.
sso_<id>.sp.login.error.page
  Values: Required. No default.
  Description: Error page, IdP login page, or custom mapping class to which an unauthenticated client request is redirected.
sso_<id>.sp.acsErrorPage
  Values: Defaults to the value of sso_<id>.sp.login.error.page.
  Description: Error page to use if the SAML token fails validation or authentication.
sso_<id>.sp.allowedClockSkew
  Values: No default.
  Description: Specifies, in minutes, the time added to the token expiration time of the SAML token sent by the IdP.
sso_<id>.sp.trustStore
  Values: No default.
  Description: Truststore for validating the SAML signature. It specifies the name of a managed keystore.
sso_<id>.sp.trustAnySigner
  Values: false (default), true
  Description: If false, the signer certificate is verified for trust validation. If true, any signer certificate is trusted without trust validation.
sso_<id>.sp.keyStore
  Values: No default.
  Description: Keystore containing the private key for decrypting the encrypted SAML assertion.
sso_<id>.sp.keyName
  Values: No default.
  Description: Key name for decrypting the SAML assertion.
sso_<id>.sp.keyPassword
  Values: No default.
  Description: Key password for decrypting the SAML assertion.
sso_<id>.sp.keyAlias
  Values: No default.
  Description: Key alias for decrypting the SAML assertion.
sso_<id>.sp.wantAssertionsSigned
  Values: true (default), false
  Description: If true, the service provider requires the IdP to sign the SAML assertion. If false, the SAML assertion is not required to be signed by the IdP.
sso_<id>.sp.preserveRequestState
  Values: true (default), false
  Description: When the service provider redirects the client request to the IdP login, this property specifies whether the client state is saved and restored after the client request is completed. If true, the client state is saved and restored when the request is redirected to the IdP login. If false, the client state is not saved.
sso_<id>.sp.enforceTaiCookie
  Values: true (default), false
  Description: Indicates whether the SAML TAI should check if an LTPA cookie is mapped to a subject created for the SSO partner.
sso_<id>.sp.realmName
  Values: Any string value. Default is the SAML Issuer name.
  Description: Any SAML attribute. Used in conjunction with realmNameRange. The value of this attribute is used as the subject realm. If this realm does not exist in the list of realms specified by realmNameRange, the realm is rejected.
sso_<id>.sp.realmNameRange
  Values: No default.
  Description: List of allowed realm names; used in conjunction with realmName. See the description of sso_<id>.sp.realmName.
sso_<id>.sp.principalName
  Values: Any string value. Default is Subject NameID.
  Description: Any SAML attribute. The value of this attribute is used as the subject principal.
sso_<id>.sp.uniqueId
  Values: Any string value. Default is Subject NameID.
  Description: Any SAML attribute. The value of this attribute is used as the subject uniqueId.
sso_<id>.sp.groupName
  Values: No default.
  Description: Any SAML attribute. The value of this attribute is used as groups in the subject.
sso_<id>.sp.defaultRealm
  Values:
    IssuerName (default) - Use the SAML token Issuer as the default realm
    NameQualifier - Use the SAML token NameQualifier as the default realm
  Description: Whether the Issuer or the NameQualifier from the SAML assertion is used as the default realm.
sso_<id>.sp.useRealm
  Values: No default.
  Description: Realm name used to override the default realm. This property also overrides the realmName property.
sso_<id>.sp.idMap
  Values:
    idAssertion (default) - the user specified in the SAML assertion is not checked in the local registry
    localRealm - the SAML token user is verified in the local user registry
    localRealmThenAssertion - if the user is found in the local registry, IDAssertion is used
  Description: How the SAML token is mapped to the subject.
sso_<id>.sp.groupMap
  Values:
    localRealm - Map the SAML token groups to groups and parent groups found in the local user registry
    addGroupsFromLocalRealm - Map the SAML token groups to groups and parent groups in the local user registry. The group membership for this user contains the groups from the SAML assertion and the groups found in the local user registry.
  Description: This property is used with IDAssertion and specifies how the SAML token is mapped to the groups.
sso_<id>.sp.userMapImpl
  Values: No default.
  Description: Name of a custom user mapping module class. Used to map a user ID in the SAML token to another user ID that exists in the local user registry.
sso_<id>.sp.X509PATH
  Values: No default.
  Description: Certificate store used for the intermediary certificates used in validating the SAML signature.
sso_<id>.sp.CRLPATH
  Values: No default.
  Description: Certificate store used for certificate revocation lists (CRLs) used in validating the SAML signature.
sso_<id>.sp.filter
  Values: No default.
  Description: Specifies a condition that is checked against the HTTP request to determine whether the HTTP request is selected for a SAML web SSO partner. See the SAML TAI filter property section for more information on this property.
sso_<id>.sp.preventReplayAttack
  Values: true (default), false
  Description: Specifies whether the SAML TAI should prevent two identical SAML tokens from being sent in client requests. This property is used in conjunction with the global property replayAttackTimeWindow.
sso_<id>.sp.trustedAlias
  Values: No default.
  Description: If specified, only the key specified by this alias is used to validate the signature in the SAML assertion. If the signature in the incoming SAML assertion of the SAMLResponse does not include the KeyInfo element, specify this property to resolve the KeyInfo element.
sso_<id>.sp.charEncoding (v8554)
  Values: No default. An example setting is UTF-8.
  Description: Character encoding used to override the setting in the HTTPServletRequest.
sso_<id>.sp.disableDecodeURL (v8554)
  Values: false (default), true
  Description: When true, the original URL for redirect is used, without decoding the URL.
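The following Python script is an added example, not code from this page or from IBM. It parses a constructed key=value fragment of SAML TAI custom properties, groups it by sso_<id> as described above, and flags the settings from the tables that switch off a protective check (signer trust validation, signed assertions, replay rejection, the required login error page, a pinned Issuer). Host names, keystore names and the sample values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not a real deployment): partner sso_1 keeps the protective defaults,
# partner sso_2 switches them off. Host names and keystore names are placeholders.
SAMPLE_PROPERTIES = """
sso_1.sp.acsUrl=https://sp.example.com/samlsps/acs
sso_1.sp.login.error.page=https://idp.example.com/sso/login
sso_1.sp.trustStore=SAMLTrustStore
sso_1.sp.trustAnySigner=false
sso_1.sp.wantAssertionsSigned=true
sso_1.sp.preventReplayAttack=true
sso_1.idp_1.allowedIssuerName=https://idp.example.com/issuer
sso_2.sp.acsUrl=https://sp.example.com/samlsps/acs2
sso_2.sp.trustAnySigner=true
sso_2.sp.wantAssertionsSigned=false
sso_2.sp.preventReplayAttack=false
"""

def parse_partners(text):
    """Parse key=value lines and group sso_<id>.* properties per partner.
    Property names are case-sensitive, so keys are kept verbatim."""
    partners = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = re.match(r"^(sso_\d+)\.(.+)$", key.strip())
        if sep and m:                      # lines without the sso_<id> prefix are global properties
            partners[m.group(1)][m.group(2)] = value.strip()
    return dict(partners)

def audit_partner(sso_id, p):
    """Flag settings that switch off checks described in the tables (page defaults assumed when absent)."""
    findings = []
    if p.get("sp.trustAnySigner", "false").lower() == "true":
        findings.append(f"{sso_id}: trustAnySigner=true trusts any signer certificate without trust validation")
    if p.get("sp.wantAssertionsSigned", "true").lower() == "false":
        findings.append(f"{sso_id}: wantAssertionsSigned=false does not require the IdP to sign the assertion")
    if p.get("sp.preventReplayAttack", "true").lower() == "false":
        findings.append(f"{sso_id}: preventReplayAttack=false lets identical SAML tokens be accepted again")
    if "sp.login.error.page" not in p:
        findings.append(f"{sso_id}: required property sp.login.error.page is missing")
    if not any(re.match(r"^idp_\d+\.allowedIssuerName$", k) for k in p):
        findings.append(f"{sso_id}: no idp_<id>.allowedIssuerName, so the token Issuer is not restricted by it")
    return findings

def audit(text):
    """Findings per partner, in numeric sso_<id> order."""
    partners = sorted(parse_partners(text).items(), key=lambda kv: int(kv[0][len("sso_"):]))
    return {sso_id: audit_partner(sso_id, p) for sso_id, p in partners}
```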


SAML TAI filter property

The sp.filter SAML TAI filter property is used when a client invokes a protected service provider application directly, without authenticating to the IdP. The filter property is usually used in conjunction with the sp.login.error.page property to redirect an unauthenticated client request to the URL address specified by the sp.login.error.page property.

The filter property specifies a set of conditions that are compared against the HTTP request of the client to select a SAML web SSO service provider partner for processing the HTTP request. Each condition is specified by three elements: an input, an operator, and a comparison value.

The conditions are evaluated from left to right, as specified by the comparison value. If all the filter conditions specified by an SSO service provider partner are met in an HTTP request, the SSO service provider partner is selected for the HTTP request.

The input element identifies an HTTP request header field to extract from the request and its value is compared with the value specified in the filter property according to the operator specification. If the header field that is identified by the input element is not present in the HTTP request, the condition is treated as not being met. Any of the standard HTTP request header fields can be used as the input element in the filter condition. Refer to the HTTP specification for the list of valid headers.

In addition to the standard HTTP header fields, the following two special input elements can be used in the filter property:

request-url - the comparison value of this input is compared against the URL address used by the client application to make the request
remote-address - the comparison value of this input is compared against the TCP/IP address of the client application that sent the HTTP request


Examples

In the following example, the filter property specifies an HTTP header field From as the input with samluser@xyz.com as the comparison value and == as the operator:

In this case, if a client request contains an HTTP header field From with a value of samluser@xyz.com, the SAML TAI selects the SSO service provider partner of this sso_1 filter for processing the client request.

In the following example, the filter property specifies a URL with ivtlanding.jsp as the comparison value and %= as the operator:

In this case, if the URL of the target application invoked by the client contains the string ivtlanding.jsp, the SAML TAI selects the SSO partner of this sso_2 filter for processing the client request.

In the following example, the filter property specifies an application name with DefaultApplication as the comparison value and == as the operator:

In this case, if the name of the target application invoked by the client application is DefaultApplication, the SAML TAI selects the SSO partner of this sso_3 filter for processing the client request.

The following table lists the different operators used in the filter property:

==
  Condition: Exact match. The input element must be equal to the comparison value.
  Example: From==jones@my.company.com
%=
  Condition: Partial match. The input element contains the comparison value.
  Example: user-agent%=IE 6
^=
  Condition: The input element contains one of the comparison values. This is the only operator that can be combined with the | operator.
  Example: request-url^=urlApp1|urlApp2|urlApp3
!=
  Condition: The input element does not contain the comparison value.
  Example: request-url!=SPNEGO;request-url!=test105
>
  Condition: The input element is greater than the comparison value.
  Example: remote-address>192.168.255.130
<
  Condition: The input element is less than the comparison value.
  Example: remote-address<192.168.255.135
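As an added example (not IBM's implementation), the following Python model of the filter evaluation applies the rules in this section to constructed requests: an input is an HTTP header or one of the two special inputs, an absent header fails the condition, every ';'-separated condition must hold, and only ^= accepts '|' alternatives. It assumes that > and < on remote-address compare IP addresses numerically, which the page does not state.

```python
import ipaddress
import re

# A condition is <input><operator><comparison value>; several conditions are joined with ';'.
_CONDITION = re.compile(r"^(.+?)(==|%=|\^=|!=|>|<)(.*)$")

def request_input(request, name):
    """Resolve a filter input: the two special inputs, otherwise an HTTP header (names are case-insensitive)."""
    if name in ("request-url", "remote-address"):
        return request.get(name)
    headers = {h.lower(): v for h, v in request.get("headers", {}).items()}
    return headers.get(name.lower())   # None when absent: the condition is treated as not met

def _compare(actual, expected):   # IP strings ordered as addresses (assumption), others as strings
    try:
        a, b = ipaddress.ip_address(actual.strip()), ipaddress.ip_address(expected.strip())
    except ValueError:
        a, b = actual, expected
    return (a > b) - (a < b)

def condition_met(condition, request):
    """Evaluate one condition against a request dict with 'headers', 'request-url' and 'remote-address'."""
    m = _CONDITION.match(condition.strip())
    if not m:
        raise ValueError(f"malformed filter condition: {condition!r}")
    name, op, expected = m.group(1).strip(), m.group(2), m.group(3).strip()
    actual = request_input(request, name)
    if actual is None:
        return False
    ops = {"==": actual == expected, "%=": expected in actual, "!=": expected not in actual,
           "^=": any(alt.strip() in actual for alt in expected.split("|")),  # only '^=' takes '|' alternatives
           ">": _compare(actual, expected) > 0, "<": _compare(actual, expected) < 0}
    return ops[op]

def filter_matches(filter_value, request):
    """All ';'-separated conditions must hold, evaluated left to right."""
    return all(condition_met(c, request) for c in filter_value.split(";") if c.strip())

def select_partners(tai_props, request):
    """sso_<id> partners whose sp.filter accepts the request, in numeric id order."""
    filters = {k: v for k, v in tai_props.items() if k.endswith(".sp.filter")}
    ordered = sorted(filters, key=lambda k: int(k.split(".")[0][len("sso_"):]))
    return [k.split(".")[0] for k in ordered if filter_matches(filters[k], request)]

# Constructed sample: the page's first two example filters plus one combining '^=', '|' and '>'.
SAMPLE_FILTERS = {
    "sso_1.sp.filter": "From==samluser@xyz.com",
    "sso_2.sp.filter": "request-url%=ivtlanding.jsp",
    "sso_3.sp.filter": "request-url^=urlApp1|urlApp2| urlApp3;remote-address>192.168.255.130",
}
```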
