SAML 2.0 module properties

SAML 2.0 module properties

We can define SAML 2.0 token module self or partner properties.

Appliance property Self or Partner Mode Description

com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation SELF Validate Whether to enable one-time assertion use enforcement. Set to true to enable one-time use enforcement. Set to false to not enforce one-time assertion use. If the assertion to be validated has <saml:OneTimeUse></saml:OneTimeUse> in the assertion conditions, then the one-time assertion use is enforced even though the property is disabled.

com.tivoli.am.fim.sts.saml.2.0.assertion.verify.signatures PARTNER Validate Whether to enable signature validation. Set to true to enable validation. Set to false to not have validation enabled.

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.keyinfo PARTNER Validate Whether to use the KeyInfo of the XML signature to find the X509 certificate for signature validation. Set to true to use this method. Then, define the com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier property. Set to false, otherwise.

com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias PARTNER Validate Whether to use the keystore alias to find the public key for signature validation. Set to true to use this method. Then, define the com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db and com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.cert properties. Set to false, otherwise.

com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier PARTNER Validate Regular expression to validate the subject distinguished name returned in the KeyInfo, if com.tivoli.am.fim.sts.saml.2.0. assertion.signature.use.keyinfo is set to true.
We can either specify this property or specify both of the following properties:

com.tivoli.am.fim.sts.saml.2.0. ValidateKeyIdentifier.db
com.tivoli.am.fim.sts.saml.2.0. ValidateKeyIdentifier.cert
If we specify all of these properties, the keystore alias format overwrites the com.tivoli.am.fim.sts.saml.2.0. ValidateKeyIdentifier property.

com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db PARTNER Validate Name of the certificate database to use for validation, if com.tivoli.am.fim.sts.saml.2.0.assertion. keystore.alias is set to true.

com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.cert PARTNER Validate Name of the certificate label for validation, if com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias is set to true.

com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.db PARTNER Validation Name of the keystore for the decryption key. For example, use DefaultKeyStore.

com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.cert PARTNER Validation Name of decryption key. For example, use testkey.

com.tivoli.am.fim.sts.saml.2.0.WantMultipleAttributeStatements PARTNER Validate Whether to create multiple attribute statements in the Universal User.
If we specify false, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUserdocument. This setting is appropriate for most configurations.

com.tivoli.am.fim.sts.saml.2.0.map.unknown.alias PARTNER Validate Whether to map unknown name identifiers to the anonymous username.

com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat PARTNER Validate Default NameID format for assertion validation. Specify a parameter for use during validation of a SAML assertion. The parameter determines processing rules for the NameID element when one of the following conditions exists:

If there is not an explicit Format attribute included in the assertion.
If the Format attribute is: urn:oasis:names:tc:SAML:1.1: nameid-format:unspecified.
Typically, this parameter is needed only for STS chains that process SAML assertions that do not set the Format attribute. A normal example value is :urn:oasis:names:tc:SAML:1.1: nameid-format:emailAddress

com.tivoli.am.fim.sts.saml.2.0.assertion.issuer SELF Issue, Exchange Name of the organization that issues assertions. This is required.

com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid SELF Issue, Exchange Number of seconds that assertions are valid before its issue date. There is no minimum or maximum value enforced, but a value is required.
Default: 60

com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid SELF Issue, Exchange Number of seconds that assertions are valid after its issue date. There is no minimum or maximum value enforced, but a value is required.
Default: 60

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.inclusive.namespaces PARTNER Issue, Exchange Whether to use the InclusiveNamespaces construct. This means using exclusive XML canonicalization for greater standardization. We must set this parameter without a prefix. Set to true or false.
If unset, the system behaves as if it was set to true.

com.tivoli.am.fim.sts.saml.2.0.assertion.attribute.types PARTNER Issue, Exchange Types of attributes to include in the assertion.
The default, an asterisk (*), includes all the attribute types specified in the identity mapping file.
To specify one or more attribute types individually, enter each attribute type.
Separate multiple type values using &&.

com.tivoli.am.fim.sts.saml.2.0.assertion.sign PARTNER Issue, Exchange Whether SAML assertions must be signed. Set to true to sign assertions. Set to false if signing is not required.

com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.db PARTNER Issue, Exchange Name of the keystore where the signing key is stored. For example, use DefaultKeyStore.

com.tivoli.am.fim.sts.saml.2.0.signingKeyIdentifier.cert PARTNER Issue, Exchange Name of the signing key identifier. For example, use testkey.

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.keyid PARTNER Issue, Exchange Whether to include the subject key identifier with your signature. Set to true to include the subject key identifier. Set to false to exclude the subject key identifier.

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.public.key PARTNER Issue, Exchange Whether to include the public key with your signature. Set to Yes to include the public key. Set to No to exclude the public key.

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.issuer.details PARTNER Issue, Exchange Whether to include the issuer details with your signature. Set to Yes to include the issuer details. Set to No to exclude the issuer details.

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.name PARTNER Issue, Exchange Whether to include the subject name with your signature. Set to Yes to include the subject name. Set to No to exclude the subject name.

com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data PARTNER Issue, Exchange Whether to include the certificate data with your signature. Set to Yes to include the certificate data. Set to No to exclude the certificate data.
If none of the assertion.signature.include.* properties are set, the system behaves as if com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data is set to true.

com.tivoli.am.fim.sts.saml.2.0.SignatureAlgorithm PARTNER Issue, Exchange Signature algorithm to use for signing assertions. Valid values:

RSA-SHA1, set to http://w ww.w3.org/2000/09/xmldsig#rsa-sha1
DSA-SHA1, set to http://w ww.w3.org/2000/09/xmldsig#dsa-sha1
RSA-SHA256, set to http:// www.w3.org/2001/04/xmldsig-more#rsa-sha256

com.tivoli.am.fim.sts.saml.2.0. DigestAlgorithm PARTNER Issue, Exchange Digest algorithm used to sign SAML messages. Valid values:

SHA1, set to http://www.w3.org/2000/09/xmldsig#sha1
SHA256, set to http://www.w3.org/2001/04/xmlenc#sha256
SHA512, set to http://www.w3.org/2001/04/xmlenc#sha512

com.tivoli.am.fim.sts.saml.2.0.EncryptAssertions PARTNER Issue, Exchange Whether assertions are to be encrypted. Set to true to encrypt. Set to false, if no encryption is required. .

com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.db PARTNER Issue, Exchange Name of the keystore where the encryption key is stored. For example, use DefaultKeyStore.

com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.cert PARTNER Issue, Exchange Name of the encryption key. For example, use testkey.

com.tivoli.am.fim.sts.saml.2.0.EncryptAllAttributes PARTNER Issue, Exchange Whether all Attribute elements within the assertions are to be encrypted. Set to true to encrypt. Set to false if no encryption is required.

com.tivoli.am.fim.sts.saml.2.0.EncryptNameIdentifiers PARTNER Issue, Exchange Whether NameID elements in the assertions are to be encrypted. Set to true to encrypt. Set to false if no encryption is required.

com.tivoli.am.fim.sts.saml.2.0.BlockEncryptionAlgorithm PARTNER Issue, Exchange Block encryption algorithm.

TRIPLEDES, set to http://www.w3.org/2001/04/xmlenc#tripledes-cbc
AES-128, set to http://www.w3.org/2001/04/xmlenc#aes128-cbc
AES-192, set to http://www.w3.org/2001/04/xmlenc#aes192-cbc
AES-256, set to http://www.w3.org/2001/04/xmlenc#aes256-cbc

com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyTransportAlgorithm PARTNER Issue, Exchange Key transport algorithm used to encrypt SAML messages. Valid values are:

RSA-v1.5, set to http://www.w3.org/2001/04/xmlenc#rsa-1_5
RSA-OAEP, set to http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p

com.tivoli.am.fim.sts.saml.2.0.assertion.SubjectConfirmationMethod PARTNER Issue, Exchange Subject confirmation method. Valid values:

urn:oasis:names:tc:SAML:2.0:cm:bearer
urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
urn:oasis:names:tc:SAML:2.0:cm:sender-vouches

Parent topic: Token module properties

Appliance property	Self or Partner	Mode	Description
com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation	SELF	Validate	Whether to enable one-time assertion use enforcement. Set to true to enable one-time use enforcement. Set to false to not enforce one-time assertion use. If the assertion to be validated has <saml:OneTimeUse></saml:OneTimeUse> in the assertion conditions, then the one-time assertion use is enforced even though the property is disabled.
com.tivoli.am.fim.sts.saml.2.0.assertion.verify.signatures	PARTNER	Validate	Whether to enable signature validation. Set to true to enable validation. Set to false to not have validation enabled.
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.keyinfo	PARTNER	Validate	Whether to use the KeyInfo of the XML signature to find the X509 certificate for signature validation. Set to true to use this method. Then, define the com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier property. Set to false, otherwise.
com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias	PARTNER	Validate	Whether to use the keystore alias to find the public key for signature validation. Set to true to use this method. Then, define the com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db and com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.cert properties. Set to false, otherwise.
com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier	PARTNER	Validate	Regular expression to validate the subject distinguished name returned in the KeyInfo, if com.tivoli.am.fim.sts.saml.2.0. assertion.signature.use.keyinfo is set to true. We can either specify this property or specify both of the following properties: com.tivoli.am.fim.sts.saml.2.0. ValidateKeyIdentifier.db com.tivoli.am.fim.sts.saml.2.0. ValidateKeyIdentifier.cert If we specify all of these properties, the keystore alias format overwrites the com.tivoli.am.fim.sts.saml.2.0. ValidateKeyIdentifier property.
com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db	PARTNER	Validate	Name of the certificate database to use for validation, if com.tivoli.am.fim.sts.saml.2.0.assertion. keystore.alias is set to true.
com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.cert	PARTNER	Validate	Name of the certificate label for validation, if com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias is set to true.
com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.db	PARTNER	Validation	Name of the keystore for the decryption key. For example, use DefaultKeyStore.
com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.cert	PARTNER	Validation	Name of decryption key. For example, use testkey.
com.tivoli.am.fim.sts.saml.2.0.WantMultipleAttributeStatements	PARTNER	Validate	Whether to create multiple attribute statements in the Universal User. If we specify false, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUserdocument. This setting is appropriate for most configurations.
com.tivoli.am.fim.sts.saml.2.0.map.unknown.alias	PARTNER	Validate	Whether to map unknown name identifiers to the anonymous username.
com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat	PARTNER	Validate	Default NameID format for assertion validation. Specify a parameter for use during validation of a SAML assertion. The parameter determines processing rules for the NameID element when one of the following conditions exists: If there is not an explicit Format attribute included in the assertion. If the Format attribute is: urn:oasis:names:tc:SAML:1.1: nameid-format:unspecified. Typically, this parameter is needed only for STS chains that process SAML assertions that do not set the Format attribute. A normal example value is :urn:oasis:names:tc:SAML:1.1: nameid-format:emailAddress
com.tivoli.am.fim.sts.saml.2.0.assertion.issuer	SELF	Issue, Exchange	Name of the organization that issues assertions. This is required.
com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid	SELF	Issue, Exchange	Number of seconds that assertions are valid before its issue date. There is no minimum or maximum value enforced, but a value is required. Default: 60
com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid	SELF	Issue, Exchange	Number of seconds that assertions are valid after its issue date. There is no minimum or maximum value enforced, but a value is required. Default: 60
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.inclusive.namespaces	PARTNER	Issue, Exchange	Whether to use the InclusiveNamespaces construct. This means using exclusive XML canonicalization for greater standardization. We must set this parameter without a prefix. Set to true or false. If unset, the system behaves as if it was set to true.
com.tivoli.am.fim.sts.saml.2.0.assertion.attribute.types	PARTNER	Issue, Exchange	Types of attributes to include in the assertion. The default, an asterisk (*), includes all the attribute types specified in the identity mapping file. To specify one or more attribute types individually, enter each attribute type. Separate multiple type values using &&.
com.tivoli.am.fim.sts.saml.2.0.assertion.sign	PARTNER	Issue, Exchange	Whether SAML assertions must be signed. Set to true to sign assertions. Set to false if signing is not required.
com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.db	PARTNER	Issue, Exchange	Name of the keystore where the signing key is stored. For example, use DefaultKeyStore.
com.tivoli.am.fim.sts.saml.2.0.signingKeyIdentifier.cert	PARTNER	Issue, Exchange	Name of the signing key identifier. For example, use testkey.
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.keyid	PARTNER	Issue, Exchange	Whether to include the subject key identifier with your signature. Set to true to include the subject key identifier. Set to false to exclude the subject key identifier.
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.public.key	PARTNER	Issue, Exchange	Whether to include the public key with your signature. Set to Yes to include the public key. Set to No to exclude the public key.
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.issuer.details	PARTNER	Issue, Exchange	Whether to include the issuer details with your signature. Set to Yes to include the issuer details. Set to No to exclude the issuer details.
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.name	PARTNER	Issue, Exchange	Whether to include the subject name with your signature. Set to Yes to include the subject name. Set to No to exclude the subject name.
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data	PARTNER	Issue, Exchange	Whether to include the certificate data with your signature. Set to Yes to include the certificate data. Set to No to exclude the certificate data. If none of the assertion.signature.include.* properties are set, the system behaves as if com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data is set to true.
com.tivoli.am.fim.sts.saml.2.0.SignatureAlgorithm	PARTNER	Issue, Exchange	Signature algorithm to use for signing assertions. Valid values: RSA-SHA1, set to http://w ww.w3.org/2000/09/xmldsig#rsa-sha1 DSA-SHA1, set to http://w ww.w3.org/2000/09/xmldsig#dsa-sha1 RSA-SHA256, set to http:// www.w3.org/2001/04/xmldsig-more#rsa-sha256
com.tivoli.am.fim.sts.saml.2.0. DigestAlgorithm	PARTNER	Issue, Exchange	Digest algorithm used to sign SAML messages. Valid values: SHA1, set to http://www.w3.org/2000/09/xmldsig#sha1 SHA256, set to http://www.w3.org/2001/04/xmlenc#sha256 SHA512, set to http://www.w3.org/2001/04/xmlenc#sha512
com.tivoli.am.fim.sts.saml.2.0.EncryptAssertions	PARTNER	Issue, Exchange	Whether assertions are to be encrypted. Set to true to encrypt. Set to false, if no encryption is required. .
com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.db	PARTNER	Issue, Exchange	Name of the keystore where the encryption key is stored. For example, use DefaultKeyStore.
com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.cert	PARTNER	Issue, Exchange	Name of the encryption key. For example, use testkey.
com.tivoli.am.fim.sts.saml.2.0.EncryptAllAttributes	PARTNER	Issue, Exchange	Whether all Attribute elements within the assertions are to be encrypted. Set to true to encrypt. Set to false if no encryption is required.
com.tivoli.am.fim.sts.saml.2.0.EncryptNameIdentifiers	PARTNER	Issue, Exchange	Whether NameID elements in the assertions are to be encrypted. Set to true to encrypt. Set to false if no encryption is required.
com.tivoli.am.fim.sts.saml.2.0.BlockEncryptionAlgorithm	PARTNER	Issue, Exchange	Block encryption algorithm. TRIPLEDES, set to http://www.w3.org/2001/04/xmlenc#tripledes-cbc AES-128, set to http://www.w3.org/2001/04/xmlenc#aes128-cbc AES-192, set to http://www.w3.org/2001/04/xmlenc#aes192-cbc AES-256, set to http://www.w3.org/2001/04/xmlenc#aes256-cbc
com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyTransportAlgorithm	PARTNER	Issue, Exchange	Key transport algorithm used to encrypt SAML messages. Valid values are: RSA-v1.5, set to http://www.w3.org/2001/04/xmlenc#rsa-1_5 RSA-OAEP, set to http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
com.tivoli.am.fim.sts.saml.2.0.assertion.SubjectConfirmationMethod	PARTNER	Issue, Exchange	Subject confirmation method. Valid values: urn:oasis:names:tc:SAML:2.0:cm:bearer urn:oasis:names:tc:SAML:2.0:cm:holder-of-key urn:oasis:names:tc:SAML:2.0:cm:sender-vouches