Excluding elements from a WS-FED Request Security Token Response
The default configuration of an ISAM WS-Federation federation specifies a list of elements to exclude from the WS-Federation request security token response (RSTR). This default configuration enables WS-Federation single sign-on to work in the majority of scenarios, such as single sign-on to an ISAM appliance, and single sign-on to a Microsoft SharePoint deployment.
The custom property wsfed.idp.rstr.excluded.elements is used to exclude a comma-separated list of elements. The elements that are excluded by default are "Forwardable", "Delegatable", "Status", and "Renewing". The LMI displays the default custom property wsfed.idp.rstr.excluded.elements with the following value:
default=Forwardable,Delegatable,Status,Renewing
Certain applications require a different set of excluded elements. For these cases, use the ISAM Advanced Configuration feature to set the custom property to the required set. Specify the federation realm to which your set applies. Optionally, you can also set the excluded elements on a per-partner basis within that federation.
The property uses the following syntax, with scopes separated by colons (":") and the partner scope written as federation realm, "%", partner realm:
default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:<federation_realm>%<partner_realm>=<comma_separated_list_of_elements>
For example, if a federation requires that only the Forwardable and Delegatable elements be excluded, modify the custom property accordingly. To do so for a federation fed1 with a realm of fed1-REALM, set the custom property as follows:
default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable
You can also modify the custom property to allow for requirements that are specific to a single federation partner; the partner-scoped entry applies only to that partner, while other partners of the same federation continue to use the federation-scoped entry.
For example, if federation fed1 from the example above has a partner partner1 with a realm of partner1-REALM, and this partner allows only the Status element to be excluded, set the custom property wsfed.idp.rstr.excluded.elements as follows:
default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:fed1-REALM%partner1-REALM=Status
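The following is an added example, not ISAM code, that parses the property value in the syntax above and applies the resulting exclusion set to a constructed WS-Trust RSTR. It assumes the precedence the examples imply (a federation%partner entry overrides the federation entry, which overrides default), assumes realm names contain no ":" or "%" characters, as in the examples on this page, and uses a sample RSTR constructed for the example rather than one captured from an appliance. The WS-Trust 1.3 namespace and element names (Forwardable, Delegatable, Renewing, Status) are the standard ones; everything else (function names, the sample document) is the example's own.

```python
import xml.etree.ElementTree as ET

# WS-Trust 1.3 namespace used for RSTR elements.
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

# The property value from the per-partner example on this page.
PROPERTY_VALUE = (
    "default=Forwardable,Delegatable,Status,Renewing"
    ":fed1-REALM=Forwardable,Delegatable"
    ":fed1-REALM%partner1-REALM=Status"
)

# Constructed sample RSTR (not captured from ISAM) carrying the four
# optional elements the default configuration excludes.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST_NS}">
  <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
  <wst:RequestedSecurityToken/>
  <wst:Lifetime/>
  <wst:Forwardable>true</wst:Forwardable>
  <wst:Delegatable>false</wst:Delegatable>
  <wst:Renewing/>
  <wst:Status/>
</wst:RequestSecurityTokenResponse>"""


def parse_excluded_elements(value):
    """Parse 'default=A,B:realm=C:realm%partner=D' into {scope: set_of_elements}.

    Assumption: scopes are separated by ':' and realm names contain no ':' or
    '%', as in the examples on this page. A 'default' scope is required.
    """
    scopes = {}
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"scope without '=': {entry!r}")
        scope, _, elements = entry.partition("=")
        scopes[scope.strip()] = {e.strip() for e in elements.split(",") if e.strip()}
    if "default" not in scopes:
        raise ValueError("property value must contain a 'default' scope")
    return scopes


def resolve_excluded(scopes, federation_realm, partner_realm=None):
    """Return the exclusion set for a federation (and optionally a partner).

    Assumed precedence: federation%partner entry, then federation entry,
    then default.
    """
    if partner_realm is not None:
        partner_key = f"{federation_realm}%{partner_realm}"
        if partner_key in scopes:
            return scopes[partner_key]
    if federation_realm in scopes:
        return scopes[federation_realm]
    return scopes["default"]


def strip_excluded(rstr_xml, excluded):
    """Remove top-level RSTR children whose local name is in `excluded`.

    Returns the local names of the children that remain, in document order.
    """
    root = ET.fromstring(rstr_xml)
    for child in list(root):
        local_name = child.tag.rsplit("}", 1)[-1]
        if local_name in excluded:
            root.remove(child)
    return [child.tag.rsplit("}", 1)[-1] for child in root]


def rstr_children_for(value, federation_realm, partner_realm=None, rstr_xml=SAMPLE_RSTR):
    """Convenience: parse the property, resolve the scope, filter the RSTR."""
    excluded = resolve_excluded(parse_excluded_elements(value), federation_realm, partner_realm)
    return strip_excluded(rstr_xml, excluded)


if __name__ == "__main__":
    for fed, partner in [("fed1-REALM", "partner1-REALM"), ("fed1-REALM", "partner2-REALM"), ("fed2-REALM", None)]:
        print(fed, partner, rstr_children_for(PROPERTY_VALUE, fed, partner))
```

Running the block shows the three cases side by side: partner1 of fed1 loses only Status, any other partner of fed1 loses Forwardable and Delegatable, and a federation with no entry of its own falls back to the default and loses all four.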
For information on how to use the LMI Advanced Configuration menu to set custom properties, see Manage advanced configuration.
Parent topic: WS-Federation federations