Versions Compared

Old Version 19

changes.mady.by.user Colm O hEigeartaigh

Saved on

compared with

New Version 20

changes.mady.by.user Colm O hEigeartaigh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

XML element

Name

Use

Description

audienceUris

Audience URI

Required

The values of the list of audience URIs are verified against the element AudienceRestriction in the SAML token

certificateStores

Trusted certificate store

Required

The list of keystores (JKS, PEM) includes at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token.
If the file location is not fully qualified it needs to be relative to the Container home directory

trustedIssuers

Trusted Issuers

Required

There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP (certificateValidation=ChainTrust) or you configure the certificate of the IDP and the CA(s) who signed it (certificateValidation=PeerTrust)

maximumClockSkew

Maximum Clock Skew

Optional

Maximum allowable time difference between the system clocks of the IDP and RP.
Default 5 seconds.

tokenReplayCache

Token Replay Cache

Optional

The TokenReplayCache implementation to use to cache tokens. The default is an implementation based on EHCache.

signingKey

Key for Signature

Optional

If configured, the published (WS-Federation) Metadata document is signed by this key. Otherwise, not signed.

WS-Federation protocol configuration reference

XML element

Name

Use

Metadata

Description

issuer

Issuer URL

Required

PassiveRequestorEndpoint

This URL defines the location of the IDP to whom unauthenticated requests are redirected

realm

Realm

Optional

TargetScope

Security realm of the Relying Party / Application. This value is part of the SignIn request as the wtrealm parameter.
Default: URL including the Servlet Context

authenticationType

Authentication Type

Optional

NA

The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter wauth)
The WS-Federation standard defines a list of predefined URIs for wauth here.

roleURI

Role Claim URI

Optional

NA

Defines the attribute name of the SAML token which contains the roles.
Required for Role Based Access Control.

roleDelimiter

Role Value Delimiter

Optional

NA

There are different ways to encode multi value attributes in SAML.

  • Single attribute with multiple values
  • Several attributes with the same name but only one value
  • Single attribute with single value. Roles are delimited by roleDelimiter

claimTypesRequested

Requested claims

Optional

ClaimTypesRequested

The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP the issuance of the token should fail

homeRealm

Home Realm

Optional

NA

Indicates the Resource IDP the home realm of the requestor. This may be an URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the whr parameter

freshness

Freshness

Optional

NA

The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (paramater wfresh)

tokenValidators

TokenValidators

Optional

NA

Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.
See example here

signingKey

Key for Signature

Optional

Metadata signature

If configured, the published WS-Federation Metadata document is signed by this key. Otherwise, not signed.

Attributes resolved at runtime

...