SAML Identity Asserter V2: asserting party: Configuration

Configure an asserting party that can generate SAML assertions consumed by this SAML identity assertion provider.

Configuration Options

Name Description
Partner ID The asserting party ID.
Description Description of this asserting party.

MBean Attribute:

    SAMLIdentityAsserterV2MBean.Description

Changes take effect after you redeploy the module or restart the server.

Enabled Whether this asserting party can be used to obtain SAML assertions.
Profile The SAML profile used with this partner: one of Browser/Artifact, Browser/POST, WSS/Sender-Vouches, or WSS/Holder-of-Key.
Target URL The target URL of this SAML asserting party.
POST Signing Certificate Alias The alias of the certificate trusted for verifying signatures on SAML protocol elements from this asserting party. Must be set for Browser/POST profile
Partner Source Site ID The Source ID of the SAML Source Site represented by this Asserting Party. Used for Browser/Artifact profile only, to look up the partner configuration corresponding to an artifact that has been received.
Assertion Retrieval URL The Assertion Retrieval Service (ARS) URL of the SAML Source Site represented by this configuration. Used with Browser/Artifact profile only, to retrieve the assertion corresponding to an artifact.
Assertion Retrieval Username An optional user name used to authenticate when connecting to the ARS URL.
Assertion Retrieval Password An optional password used to authenticate when connecting to the ARS URL.
Source Site Redirect URIs An optional set of URIs from which unauthenticated users will be redirected to the configured ITS URL. If set, the IntersiteTransferURL must also be set.
Source Site ITS URL The Intersite Transfer Service (ITS) URL of the SAML Source Site for this asserting party.

Used with SSO profiles only, to support the destination site first scenario, whereby a user tries to access a destination site URL prior to being authenticated and is redirected to the source site to be authenticated and obtain a SAML assertion. The Redirect URIs attribute must also be configured for source-site redirection to work.

Source Site ITS Parameters Optionally, zero or more query parameters, of the form name=value, that will be added to the ITS URL when redirecting to the source site.
Issuer URI The issuer URI of the SAML Authority issuing assertions for this SAML asserting party.
Audience URI An optional set of SAML Audience URIs. If set, an incoming assertion must contain at least one of the specified URIs in order to be considered valid.
Signature Required If true, assertions must be signed. If false, signature elements are not required, but will be verified if present.
Assertion Signing Certificate Alias The alias of the certificate trusted for verifying signatures on assertions from this asserting party. This must be set if Signature Required is true. The certificate must also be registered in the SAML Identity Asserter's certificate registry.
Name of Mapper Class The name mapper class of this SAML Identity Asserter Version 2 asserting party.
Process Groups Attribute Indicates whether the SAML Identity Asserter should look for a SAML AttributeStatement containing group names when processing an incoming assertion. Default value is false.
Allow Virtual Users Indicates whether the SAML Identity Asserter is allowed to create user/group principals for the user represented by an incoming assertion.

If true, the SAML Authentication provider should also be configured for the realm. This setting enables the SAML Identity Asserter to create user/group principals, with the possible result that the user is logged in as a virtual user -- a user that does not correspond to any locally-known user. If false, the SAML Identity Asserter will not create user/group principals for the user, and identity assertion will fail unless the user is authenticated by some other authentication provider, indicating that the user name corresponds to a known local user.

Related Tasks

Related Topics