SAML Web Inbound TAI Custom Properties
The SAML Web Inbound TAI custom properties are used to...
- Determine the behavior of the inbound TAI
- Process the SAML token received in the inbound web request
The following tables list the custom properties for the inbound TAI. We can define these properties in the Custom Properties panel for the inbound TAI using the administrative console. The inbound TAI supports multiple providers. To configure more than one provider, add a prefix to each custom property with provider_<id>, such as...
provider_1.headerName
When multiple providers are configured, custom properties that have no prefix are ignored.
Required Properties
headerName
  Values: Any string value. No default value. Either headerName or parameterName must be specified.
  Description: List of header names in the inbound request that the TAI looks for to extract the SAML token. We can specify a single header name or multiple header names separated by a comma or vertical bar character. If both headerName and parameterName are specified, all applicable headers are checked for a SAML token before the parameters.
  Examples:
  - headerName=samltoken
  - headerName=header one, header two
  - headerName=saml1token|saml2token|saml3token
parameterName
  Values: Any string value. No default value. Either parameterName or headerName must be specified.
  Description: List of parameter names in the inbound request that the TAI looks for to extract the SAML token. We can specify a single parameter name or multiple parameter names separated by a comma or vertical bar character. If both headerName and parameterName are specified, all applicable headers are checked for a SAML token before the parameters.
  Examples:
  - parameterName=samltoken
  - parameterName=param one, param two
  - parameterName=saml1token|saml2token|saml3token
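The prefix, separator and lookup-order rules above are easy to get subtly wrong when several providers share one TAI. The following script, an added example and not IBM's TAI implementation, models those rules exactly as the page states them: provider_<id>. prefixes are grouped per provider, unprefixed properties are dropped once prefixed providers exist (the page says this for multiple providers; applying it to a single prefixed provider is an assumption), name lists split on comma or vertical bar, and every listed header is tried before any parameter. The property set and the request headers and parameters are constructed, and case-insensitive header matching is an assumption about the TAI.

```python
"""Resolve SAML Web Inbound TAI provider properties and locate the SAML token.

Added example; this is not IBM's TAI code. The request shape (two dicts) is
a constructed stand-in for the servlet request.
"""
import re
from typing import Dict, List, Optional, Tuple

PROVIDER_PREFIX = re.compile(r"^provider_(\d+)\.(.+)$")


def split_names(value: Optional[str]) -> List[str]:
    """Split a headerName/parameterName value on ',' or '|' and trim whitespace."""
    return [n.strip() for n in re.split(r"[,|]", value or "") if n.strip()]


def resolve_providers(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group custom properties by provider id: {provider_id: {property: value}}.

    If any provider_<id>. prefix is present, unprefixed properties are dropped
    (assumption: the page states this for multiple providers). Without any
    prefix the single provider is keyed "default".
    """
    prefixed: Dict[str, Dict[str, str]] = {}
    unprefixed: Dict[str, str] = {}
    for key, value in props.items():
        m = PROVIDER_PREFIX.match(key)
        if m:
            prefixed.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            unprefixed[key] = value
    return prefixed if prefixed else {"default": unprefixed}


def config_problems(cfg: Dict[str, str]) -> List[str]:
    """Return required-property violations for one provider (empty list = OK)."""
    problems = []
    if not split_names(cfg.get("headerName")) and not split_names(cfg.get("parameterName")):
        problems.append("headerName or parameterName must be specified")
    return problems


def find_saml_token(cfg: Dict[str, str], headers: Dict[str, str],
                    params: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Locate the token in the page's order: every listed header, then every
    listed parameter. Returns (source, name, value) or None.

    Header names are matched case-insensitively because HTTP header names are
    (assumption about the TAI); parameter names are matched exactly.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in split_names(cfg.get("headerName")):
        if name.lower() in lowered:
            return ("header", name, lowered[name.lower()])
    for name in split_names(cfg.get("parameterName")):
        if name in params:
            return ("parameter", name, params[name])
    return None


# Constructed configuration: two prefixed providers plus a stray unprefixed key.
PROPS = {
    "provider_1.headerName": "samltoken",
    "provider_1.parameterName": "SAMLResponse",
    "provider_2.headerName": "saml1token|saml2token, saml3token",
    "headerName": "ignored",  # unprefixed while prefixed providers exist
}

# Constructed request carrying a token both as a header and as a parameter.
HEADERS = {"SamlToken": "hdr.token.value"}
PARAMS = {"SAMLResponse": "param.token.value"}

if __name__ == "__main__":
    for pid, cfg in resolve_providers(PROPS).items():
        print(pid, config_problems(cfg), find_saml_token(cfg, HEADERS, PARAMS))
```

Running it shows provider 1 taking the header value even though the parameter is also present, and provider 2 finding nothing because none of its three header names is in the request; the unprefixed headerName never influences either provider.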
Optional Properties
setLtpaCookie
  Values: true, or false (default).
  Description: Whether the SAML Web inbound TAI sets the LTPA token cookie in the response. By default, the TAI does not set the LTPA cookie in the response.
signatureAlgorithm
  Values: SHA1 (default), SHA256.
  Description: Algorithm used to sign the SAML token. If this property specifies SHA256, the SAML token in the request must be signed with the SHA256 signature algorithm, or the request is rejected. With the default value, tokens signed with the deprecated SHA-1 algorithm are still accepted, so set SHA256 as soon as the identity provider signs with it.
clockSkew
  Values: Any positive number. Default is 3 minutes.
  Description: Allowed clock skew, in minutes, when validating the validity period of the SAML token.
userIdentifier
  Values: Any string value. Default is the NameID of the SAML Subject.
  Description: Name of the SAML attribute whose value is used as the user ID. Example:
  - userIdentifier=RunAsUser
mapIdentityToRegistryUser
  Values: true, or false (default).
  Description: When false, the WebSphere subject is populated with the user and groups specified in the SAML assertion. When true, the SAML Web inbound TAI maps the user from the SAML token to the same user in the WebSphere user registry, which requires that every such user be maintained in the WebSphere user registry.
groupIdentifier
  Values: Any string value. No default value.
  Description: Name of the SAML attribute whose values are added as group members to the subject.
realmIdentifier
  Values: Any string value. Default is the SAML Issuer name.
  Description: Name of the SAML attribute whose value is used as the subject realm. If not specified, the SAML Issuer name is used as the realm name.
realmName
  Values: Any string value. No default value.
  Description: Realm name to use for the SAML assertion. If both realmIdentifier and realmName are specified, realmName overrides the value obtained through realmIdentifier.
filter
  Values: No default value.
  Description: Condition that is checked against the web request to determine whether the request is selected for processing by the SAML Web inbound TAI. The operators are listed below. Example:
  - filter="request-url%=helloworld"
audiences
  Values: Comma-separated list of URI values. No default value.
  Description: List of allowed audience URIs that is compared against the audience URIs in the <AudienceRestriction> element of the SAML assertion. SAML token validation fails if none of the URIs in this list is present in the assertion.
trustStore
  Values: Name of a managed keystore. No default value.
  Description: Truststore used to validate the SAML signature.
keyStore
  Values: Name of a managed keystore. No default value.
  Description: Keystore that contains the private key used to decrypt an encrypted SAML assertion.
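Several of the optional properties only make sense together: clockSkew widens the assertion's validity window, audiences binds the token to this service provider, signatureAlgorithm is enforced only when set to SHA256, and realmName wins over realmIdentifier. The script below is an added example, not WebSphere's validator, that applies those properties to a constructed SAML 2.0 assertion and reports why a token is accepted or rejected. XML-DSig verification (the trustStore side) is out of scope; only the signature algorithm URI is inspected, and mapping SHA256 to the rsa-sha256 URI is an assumption, as is falling back to the Issuer when a realmIdentifier attribute is missing.

```python
"""Apply the optional SAML Web Inbound TAI properties to a SAML assertion.

Added example; not WebSphere code. The assertion below is constructed and its
signature value is elided.
"""
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # assumed mapping

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>jones</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/urlApp1</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="RunAsUser"><saml:AttributeValue>svc_jones</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue>
   <saml:AttributeValue>operators</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> dt.datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _attr_values(root: ET.Element, name: str) -> List[str]:
    """All AttributeValue texts of the SAML attribute called `name`."""
    return [(v.text or "").strip()
            for a in root.findall(".//saml:Attribute", NS) if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def validate(xml_text: str, cfg: Dict[str, str], now_iso: str) -> Dict[str, object]:
    """Return the subject the TAI would build, or raise ValueError with the reason."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    # signatureAlgorithm: only SHA256 is enforced; the SHA1 default accepts either.
    sig = root.find(".//ds:SignatureMethod", NS)
    if cfg.get("signatureAlgorithm") == "SHA256" and (sig is None or sig.get("Algorithm") != RSA_SHA256):
        raise ValueError("rejected: token is not signed with SHA256")
    # clockSkew (minutes, default 3) widens the NotBefore/NotOnOrAfter window.
    skew = dt.timedelta(minutes=int(cfg.get("clockSkew", "3")))
    cond = root.find("saml:Conditions", NS)
    if now < _ts(cond.get("NotBefore")) - skew or now >= _ts(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("rejected: assertion outside its validity window")
    # audiences: at least one configured URI must appear in AudienceRestriction.
    if "audiences" in cfg:
        allowed = {a.strip() for a in cfg["audiences"].split(",")}
        present = {(a.text or "").strip() for a in cond.findall(".//saml:Audience", NS)}
        if not allowed & present:
            raise ValueError("rejected: no configured audience in AudienceRestriction")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    # userIdentifier names an attribute; the default is the Subject NameID.
    if "userIdentifier" in cfg:
        user = next(iter(_attr_values(root, cfg["userIdentifier"])), "")
    else:
        user = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not user:
        raise ValueError("rejected: no user identifier in assertion")
    # groupIdentifier names the attribute whose values become group members.
    groups = _attr_values(root, cfg["groupIdentifier"]) if "groupIdentifier" in cfg else []
    # realmName overrides realmIdentifier; both fall back to the Issuer (assumption for a missing attribute).
    if "realmName" in cfg:
        realm = cfg["realmName"]
    elif "realmIdentifier" in cfg:
        realm = next(iter(_attr_values(root, cfg["realmIdentifier"])), issuer)
    else:
        realm = issuer
    return {"user": user, "groups": groups, "realm": realm, "issuer": issuer}


def outcome(xml_text: str, cfg: Dict[str, str], now_iso: str) -> str:
    """'accepted' or the rejection reason, for logging and tests."""
    try:
        validate(xml_text, cfg, now_iso)
        return "accepted"
    except ValueError as exc:
        return str(exc)


CFG = {  # constructed provider configuration
    "signatureAlgorithm": "SHA256", "clockSkew": "3",
    "audiences": "https://sp.example.com/urlApp1, https://sp.example.com/urlApp2",
    "userIdentifier": "RunAsUser", "groupIdentifier": "groups", "realmName": "corp",
}

if __name__ == "__main__":
    print(validate(ASSERTION, CFG, "2024-05-01T12:04:00Z"))
    print(outcome(ASSERTION, CFG, "2024-05-01T12:08:00Z"))
```

The second call shows the skew arithmetic: NotOnOrAfter is 12:05:00 and clockSkew is 3, so 12:07:59 is still accepted and 12:08:00 is not. Re-signing the sample with rsa-sha1 is accepted under the SHA1 default and rejected once signatureAlgorithm=SHA256 is set, which is the reason to change that default.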
Operators used in the filter property
==
  Condition: Exact match. The input element must be equal to the comparison value.
  Example: From==jones@my.company.com
%=
  Condition: Partial match. The input element contains the comparison value.
  Examples: user-agent%=IE 6 and request-url%=company.com/urlApp1
^=
  Condition: The input element contains one of the comparison values. This is the only operator that can be combined with the | operator.
  Example: request-url^=urlApp1|urlApp2|urlApp3
!=
  Condition: The input element does not contain the comparison value.
  Example: request-url!=test105
>
  Condition: The input element is greater than the comparison value.
  Example: remote-address>192.168.255.130
<
  Condition: The input element is less than the comparison value.
  Example: remote-address<192.168.255.135
;
  Condition: Logical AND.
  Example: request-url!=test105;From==jones@my.company.com
There is no logical OR operator for filter properties.
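Because a wrong filter either silently exposes a request to the TAI or silently skips it, it is worth testing a filter string against representative requests before committing it in the console. The evaluator below is an added example, not the TAI's own filter engine; it implements the operator table above (==, %=, ^=, !=, >, <, and ; as AND, with | accepted only after ^=), takes request-url and remote-address from the request, and reads any other element name from the HTTP headers, which is an assumption drawn from the From and user-agent examples. Comparing remote-address values numerically as IP addresses is also an assumption; the request is constructed.

```python
"""Evaluate a SAML Web Inbound TAI filter expression against a request.

Added example; not IBM's filter implementation. The request is a constructed
dict standing in for the servlet request.
"""
import ipaddress
import re
from typing import Dict

TERM = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|%=|\^=|!=|>|<)\s*(.*?)\s*$")


def _element(request: Dict[str, object], name: str) -> str:
    """Resolve a filter input element to its value for this request."""
    if name == "request-url":
        return str(request["url"])
    if name == "remote-address":
        return str(request["remote_address"])
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}  # assumption
    return str(headers.get(name.lower(), ""))


def _order(actual: str, expected: str) -> int:
    """-1/0/1 ordering. IP addresses compare numerically (192.168.255.132 is
    greater than 192.168.255.9); anything else compares as a string."""
    try:
        a, b = ipaddress.ip_address(actual), ipaddress.ip_address(expected)
    except ValueError:
        a, b = actual, expected
    return (a > b) - (a < b)


def eval_term(term: str, request: Dict[str, object]) -> bool:
    """Evaluate a single operator term."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"malformed filter term: {term!r}")
    name, op, value = m.groups()
    if "|" in value and op != "^=":
        raise ValueError(f"'|' is only valid with ^= : {term!r}")
    actual = _element(request, name)
    if op == "==":
        return actual == value
    if op == "%=":
        return value in actual
    if op == "^=":
        return any(alt.strip() in actual for alt in value.split("|") if alt.strip())
    if op == "!=":
        return value not in actual
    if op == ">":
        return _order(actual, value) > 0
    return _order(actual, value) < 0  # op == "<"


def filter_is_well_formed(filter_value: str) -> bool:
    """Parse-only check to run before committing a filter in the console."""
    expr = filter_value.strip().strip('"')
    for term in (t for t in expr.split(";") if t.strip()):
        m = TERM.match(term)
        if not m or ("|" in m.group(3) and m.group(2) != "^="):
            return False
    return True


def filter_matches(filter_value: str, request: Dict[str, object]) -> bool:
    """True when the request is selected. ';' is logical AND and there is no
    OR, so every term must hold. Quotes as in filter="..." are tolerated."""
    expr = filter_value.strip().strip('"')
    return all(eval_term(t, request) for t in expr.split(";") if t.strip())


# Constructed request: the page's sample header values on a URL under urlApp1.
REQUEST = {
    "url": "https://sp.my.company.com/urlApp1/hello",
    "remote_address": "192.168.255.132",
    "headers": {"From": "jones@my.company.com",
                "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
}

if __name__ == "__main__":
    for f in ('request-url%=helloworld',
              'request-url^=urlApp1|urlApp2| urlApp3',
              'remote-address>192.168.255.130;remote-address<192.168.255.135',
              'request-url==urlApp1|urlApp2'):
        print(f, "->", filter_matches(f, REQUEST) if filter_is_well_formed(f) else "malformed")
```

The last filter in the demo is rejected as malformed rather than evaluated, because | is meaningful only after ^=; checking that before deployment avoids a filter that never matches because the whole string urlApp1|urlApp2 is being compared literally.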