...
XML element | Use | Metadata | Description |
---|---|---|---|
applicationServiceURL | Optional | entityID | Used to set the "entityID" for the Metadata. If not specified, the context path of the application is used instead. |
roleDelimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML: |
roleURI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. Required for Role Based Access Control. Typically this is configured with the value "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". |
claimTypesRequested | Optional | ClaimTypesRequested (WS-Fed) / RequestedAttribute (SAML SSO) | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail. |
issuer | Required | NA | This URL defines the location of the IDP to whom unauthenticated requests are redirected. |
realm | Optional | NA | Security realm of the Relying Party / Application. For WS-Federation, this value is part of the SignIn request as the |
tokenValidators | Optional | NA | Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. See example here. |
metadataURI | Optional | NA | The URI where Metadata is served. The default is "FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and "SAML/Metadata.xml" for SAML SSO. |
reply | Optional | NA | The value to send to the IdP in the "wreply" parameter. |
authenticationType | Optional | NA | The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter |
homeRealm | Optional | NA | Indicates to the Resource IDP the home realm of the requestor. This may be a URL or an identifier like urn: or uuid: and depends on the Resource IDP implementation. This value is part of the SignIn request as the |
freshness | Optional | NA | The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (parameter |
request | Optional | NA | This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP. |
signInQuery | Optional | NA | Additional queries to be appended to the sign-in URL. |
signOutQuery | Optional | NA | Additional queries to be appended to the sign-out URL. |
...
XML element | Use | Metadata | Description |
---|---|---|---|
applicationServiceURL | Optional | entityID | Used to set the "entityID" for the Metadata. If not specified, the context path of the application is used instead. |
roleDelimiter | Optional | NA | There are different ways to encode multi-value attributes in SAML: |
roleURI | Optional | NA | Defines the attribute name of the SAML token which contains the roles. Required for Role Based Access Control. Typically this is configured with the value "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role". |
claimTypesRequested | Optional | ClaimTypesRequested (WS-Fed) / RequestedAttribute (SAML SSO) | The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail. |
issuer | Required | NA | This URL defines the location of the IDP to whom unauthenticated requests are redirected. |
realm | Optional | NA | Security realm of the Relying Party / Application. For WS-Federation, this value is part of the SignIn request as the |
tokenValidators | Optional | NA | Custom Token validator classes can be configured here. The SAML Token validator is enabled by default. See example here. |
metadataURI | Optional | NA | The URI where Metadata is served. The default is "FederationMetadata/2007-06/FederationMetadata.xml" for WS-Federation and "SAML/Metadata.xml" for SAML SSO. |
reply | Optional | NA | The value for the AssertionConsumerService URL in the AuthnRequest |
signRequest | Optional | NA | Whether to sign the AuthnRequest or not. The default is false. |
authnRequestBuilder | Optional | NA | A SAMLPRequestBuilder instance used to build the AuthnRequest/LogoutRequest. The default is here. |
disableDeflateEncoding | Optional | NA | Whether to disable deflate encoding or not. The default is "false". |
doNotEnforceKnownIssuer | Optional | NA | Whether to not enforce that the issuer of the SAML Response is a known value. The default is false (meaning that it is enforced). |
issuerLogoutURL | Optional | NA | The logout URL to redirect to. If not specified it falls back to the Issuer URL. |
checkClientAddress | Optional | NA | Whether to check the client address against the subject confirmation data address. The default is true. |
...
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <certificateStores>
      <keyStore file="conf/stsstore.jks" password="stsspass" type="JKS" />
    </certificateStores>
    <maximumClockSkew>10</maximumClockSkew>
    <trustedIssuers>
      <issuer certificateValidation="PeerTrust" />
    </trustedIssuers>
    <signingKey keyPassword="tompass">
      <keyStore file="tomcatKeystore.jks" password="tompass" type="JKS" />
    </signingKey>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="federationProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/federation/</issuer>
      <roleDelimiter>,</roleDelimiter>
      <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
      <claimTypesRequested>
        <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="true" />
      </claimTypesRequested>
      <authenticationType type="String"
                          value="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/smartcard" />
      <homeRealm type="Class" value="example.HomeRealmCallbackHandler" />
      <tokenValidators>
        <validator>org.apache.cxf.fediz.core.CustomValidator</validator>
      </tokenValidators>
    </protocol>
  </contextConfig>
</FedizConfig>
```
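As an added example (not Fediz project code and not part of this page), the following Python audits a FedizConfig for the settings in the tables above that switch a validation step off: doNotEnforceKnownIssuer, checkClientAddress and signRequest, plus a missing required issuer or a missing audienceUris block. The embedded config is a constructed sample, and the samlProtocolType type name is assumed.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not from the page): a SAML SSO context with two checks
# switched off; the samlProtocolType type name is assumed.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/fedizhelloworld">
    <audienceUris>
      <audienceItem>https://localhost:8443/fedizhelloworld</audienceItem>
    </audienceUris>
    <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="samlProtocolType" version="1.2">
      <issuer>https://localhost:9443/fediz-idp/saml</issuer>
      <signRequest>false</signRequest>
      <doNotEnforceKnownIssuer>true</doNotEnforceKnownIssuer>
      <checkClientAddress>false</checkClientAddress>
    </protocol>
  </contextConfig>
</FedizConfig>"""

NO_AUDIENCE = "no audienceUris: audience restriction of received tokens is not checked"
NO_ISSUER = "issuer missing (required element)"
ANY_ISSUER = "doNotEnforceKnownIssuer=true: Response issuer is not checked against known issuers"
NO_ADDR_CHECK = "checkClientAddress=false: SubjectConfirmationData address is not checked"
UNSIGNED_REQ = "signRequest=false (default): AuthnRequest is sent unsigned"


def _flag(protocol, name, default):
    """Boolean value of a <protocol> child element, or the documented default if absent."""
    node = protocol.find(name)
    if node is None or node.text is None:
        return default
    return node.text.strip().lower() == "true"


def audit_fediz_config(xml_text):
    """Return (contextConfig name, finding) pairs for settings that weaken validation."""
    findings = []
    for ctx in ET.fromstring(xml_text).iter("contextConfig"):
        name = ctx.get("name", "?")
        if not ctx.findall("audienceUris/audienceItem"):
            findings.append((name, NO_AUDIENCE))
        for proto in ctx.iter("protocol"):
            if proto.find("issuer") is None:
                findings.append((name, NO_ISSUER))
            # Defaults from the tables: issuer enforced, client address checked, request unsigned.
            if _flag(proto, "doNotEnforceKnownIssuer", False):
                findings.append((name, ANY_ISSUER))
            if not _flag(proto, "checkClientAddress", True):
                findings.append((name, NO_ADDR_CHECK))
            if not _flag(proto, "signRequest", False):
                findings.append((name, UNSIGNED_REQ))
    return findings
```

Run `audit_fediz_config` over each deployed FedizConfig; an empty result means none of the audited checks is disabled and issuer and audienceUris are present.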
...