...
XML element | Name | Use | Description |
---|---|---|---|
audienceUris | Audience URI | Required | The values of the list of audience URIs are verified against the element |
certificateStores | Trusted certificate store | Required | The list of keystores (JKS, PEM) must include at least the certificate of the Certificate Authority (CA) that signed the certificate used to sign the SAML token. |
trustedIssuers | Trusted Issuers | Required | There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP ( |
maximumClockSkew | Maximum Clock Skew | Optional | Maximum allowable time difference between the system clocks of the IDP and RP. |
tokenReplayCache | Token Replay Cache | Optional | The ReplayCache implementation used to cache tokens so that a replayed token can be detected. The default is an implementation based on EHCache. |
signingKey | Key for Signature | Optional | If configured, the published (WS-Federation) Metadata document is signed by this key. Otherwise the Metadata document is not signed. |
tokenDecryptionKey | Decryption Key | Optional | A Keystore used to decrypt an encrypted token. |
tokenExpirationValidation | Token Expiration Validation | Optional | Decides whether token validation (e.g. lifetime) is performed on every request (true) or only once at initial authentication (false). The default is "false". |
...
XML element | Name | Use | Metadata | Description |
---|---|---|---|---|
issuer | Issuer URL | Required | PassiveRequestorEndpoint | This URL defines the location of the IDP to which unauthenticated requests are redirected. |
realm | Realm | Optional | TargetScope | Security realm of the Relying Party / Application. This value is part of the SignIn request as the |
authenticationType | Authentication Type | Optional | NA | The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter |
roleURI | Role Claim URI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. |
roleDelimiter | Role Value Delimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML. |
claimTypesRequested | Requested claims | Optional | ClaimTypesRequested | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail. |
homeRealm | Home Realm | Optional | NA | Indicates to the Resource IDP the home realm of the requestor. This may be a URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the |
freshness | Freshness | Optional | NA | The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (parameter |
request | Request | Optional | NA | This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP. |
tokenValidators | TokenValidators | Optional | NA | Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. |
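As an added example (not taken from this page or from the product documentation it belongs to), the following relying-party configuration sets the elements from both tables above with defensive values: the audience is pinned to a single URI, the trusted issuer is constrained by subject name and chain validation against a dedicated trust store, clock skew and freshness are kept small, the token signature is checked against a CA certificate rather than any certificate in the store, and token expiration is re-checked on every request rather than only at login. Only the element names that appear in the two tables come from the page; the enclosing structure (FedizConfig, contextConfig, protocol), the attribute and child-element names (audienceItem, trustManager, keyStore, issuer with subject and certificateValidation, claimType with optional), the units of maximumClockSkew and freshness, and every hostname, file name and password are assumptions about the configuration schema and constructed placeholders, not values this page states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed wrapper elements; the page documents only the inner elements. -->
<FedizConfig>
  <contextConfig name="/example-app">

    <!-- audienceUris: a token is accepted only if its AudienceRestriction
         matches one of these values. Keep the list to the URIs this
         application actually uses so a token issued for another relying
         party cannot be replayed here. -->
    <audienceUris>
      <audienceItem>urn:example:app:rp</audienceItem>
    </audienceUris>

    <!-- certificateStores: a dedicated trust store holding ONLY the CA
         that signed the IDP/STS signing certificate. Do not reuse the
         JVM default trust store, which trusts many unrelated CAs. -->
    <certificateStores>
      <trustManager>
        <keyStore file="sts-ca-trust.jks" password="CHANGE-ME" type="JKS"/>
      </trustManager>
    </certificateStores>

    <!-- trustedIssuers: subject-name pattern plus chain validation against
         the store above. An anchored pattern avoids matching a certificate
         from the same CA that merely contains a similar CN. -->
    <trustedIssuers>
      <issuer certificateValidation="ChainTrust"
              subject="^CN=sts\.example\.org, O=Example Org, C=US$"/>
    </trustedIssuers>

    <!-- maximumClockSkew: tolerated difference between IDP and RP clocks.
         Unit is not stated on the page; assumed seconds here. A large value
         silently extends every token's effective lifetime. -->
    <maximumClockSkew>60</maximumClockSkew>

    <!-- tokenReplayCache is omitted, so the default (EHCache-based)
         replay cache is used. Leaving replay detection enabled matters
         most when tokenExpirationValidation is true and tokens are
         re-validated on every request. -->

    <!-- tokenDecryptionKey: keystore with the RP's private key for
         encrypted tokens. Assumed structure; placeholder alias/passwords. -->
    <tokenDecryptionKey keyAlias="rp-enc" keyPassword="CHANGE-ME">
      <keyStore file="rp-keys.jks" password="CHANGE-ME" type="JKS"/>
    </tokenDecryptionKey>

    <!-- tokenExpirationValidation: re-check the token lifetime on every
         request, not only once at initial authentication, so a session
         cannot outlive the token it was established with. -->
    <tokenExpirationValidation>true</tokenExpirationValidation>

    <!-- Protocol elements from the second table. xsi:type value assumed. -->
    <protocol xsi:type="federationProtocolType" version="1.2"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <!-- issuer: where unauthenticated requests are redirected; https only. -->
      <issuer>https://sts.example.org/idp/federation</issuer>
      <!-- realm: sent in the SignIn request and echoed back in the token. -->
      <realm>urn:example:app:rp</realm>
      <!-- roleURI / roleDelimiter: attribute carrying roles and the
           separator used when several roles are packed into one value. -->
      <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
      <roleDelimiter>,</roleDelimiter>
      <!-- freshness: unit assumed minutes; small values force a recent
           authentication at the IDP instead of a long-lived SSO session. -->
      <freshness>10</freshness>
      <!-- claimTypesRequested: the role claim is mandatory, so issuance
           fails rather than producing a token the RP cannot authorize. -->
      <claimTypesRequested>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
                   optional="false"/>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                   optional="true"/>
      </claimTypesRequested>
      <!-- tokenValidators is omitted: the SAML token validator is enabled
           by default, and custom validators would be listed here. -->
    </protocol>

  </contextConfig>
</FedizConfig>
```

The two settings most often left at a weak value are a permissive trustedIssuers subject pattern (or a trust store that contains more than the one issuing CA) and tokenExpirationValidation left at its default of false; the first lets any certificate under a broad CA sign accepted tokens, the second lets an application session continue after the token it was based on has expired.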
Attributes resolved at runtime
...