Reference

Specifies which parts of messages the identity provider requires the service provider to sign digitally.

When selected, the service provider must encrypt NameID elements.

Specifies the supported name identifiers for users that are shared between providers for single sign-on.

The following diagram shows how the hosted IDP decides which of the supported NameID formats is used:

Maps name identifier formats to user profile attributes. The persistent and transient name identifiers need not be mapped.

NameID mapping supports Base64-encoded binary values. With this flag set, AM Base64-encodes the profile attribute when adding it to the assertion.

Specifies a class that implements the IDPAuthnContextMapper interface and sets up the authentication context.

Default value: com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper

Specifies the authentication context classes the IDP supports, and any AM authentication mechanisms that are used when an SP specifies the respective class in a SAML v2.0 authentication request.

For more information on authentication context classes, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 in the SAML V2.0 Standard.

Default value: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Grace period in seconds for the NotBefore time in assertions.

Validity in seconds of an assertion.

When enabled, authenticate with the specified user name and password at SOAP endpoints.

When enabled, cache assertions.

Specifies a class that implements the attribute mapping.

The default implementation attempts to retrieve the mapped attribute values from the user profile first. If the attribute values are not present in the user's profile, then it attempts to retrieve them from the user's session.

Default: com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper

Maps SAML attributes to user profile attributes.

The user profile attributes used here must both be allowed in user profiles, and also be specified for the identity repository. See "Adding User Profile Attributes", for instructions on allowing additional attributes in user profiles.

To see the profile attributes available for an LDAP identity repository, log in to the AM console as administrator, and go to Realms > Realm Name > Identity Stores > User Configuration. Check the LDAP User Attributes list.

The default IDP mapping implementation allows you to add static values in addition to values taken from the user profile. You add a static value by enclosing the profile attribute name in double quotes ("), as in the following example:

Specifies a class that implements AccountMapper to map remote users to local user profiles.

Disables the storage of the NameID values in the user data store for all NameIDs issued by the IDP instance as long as the NameID format is anything but the persistent NameID format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. That is, you can disable the storage of NameID values with persistent NameID-Format if and only if there is a NameID value mapping set up for the NameID-Format.

Default value: false

If present, overrides the default UI login URL used to authenticate users during federation.

Use this property to specify an alternative URL for authenticating users, for example, if you have created a custom user interface other than the UI.

The specified authentication URL is responsible for authenticating the federated user and must establish a session in AM, and return the SSO token value in the configured cookie name, usually iPlanetDirectoryPro.

The domain of the authentication URL must be configured in AM so that the cookie is accepted, and if host cookies are configured in AM, then the fully qualified domain name of the authentication URL must be identical to that of the AM instance.

For more information on configuring the domains AM accepts in the SSO cookies, see "Configuring the Cookie Domain".

When a reverse proxy is used for SAML endpoints, it is specified here.

URL to which to send an HTTP POST including all cookies when receiving a logout request. To add a user session property as a POST parameter, include it in the URL query string as a appsessionproperty parameter.

Used to locate the provider's entity identifier, specified as [/realm-name]*/provider-name, where provider-name cannot contain slash characters (/). For example: /myRealm/mySubrealm/idp.

Ensure the MetaAlias is unique for each provider configured in a CoT and in the realm.

Specifies the endpoint to manage artifact resolution. The Index is a unique number identifier for the endpoint.

Specifies the endpoints to manage single logout, depending on the SAML binding selected.

Specifies the endpoints to manage name identifiers, depending on the SAML binding selected.

Specifies the endpoints to manage single sign-on.

Specifies the endpoints to request for an specific assertion by referring to its assertion ID.

Specifies the endpoint to manage name identifier mapping.

Specifies the endpoint to manage Secure Attribute Exchange requests.

Specifies how to handle encryption for Secure Attribute Exchange operations.

Specifies the class that finds a valid session from an HTTP servlet request to an identity provider with a SAML Enhanced Client or Proxy profile.

When enabled, the identity provider sends a SOAP logout request over the back channel to all service providers when a session times out. A session may time out when the maximum idle time or maximum session time is reached, for example.

Specifies a class that finds the preferred identity provider to handle a proxied authentication request.

Specifies a JSP that presents the list of identity providers to the user.

When enabled, apply the finder for all remote service providers.

List of URLs permitted for the RelayState parameter. For single logout (SLO) operations, AM validates the redirection URL in the RelayState parameter against this list. If the RelayState parameter's value is in the list, AM allows redirection to the RelayState URL. If it is not in the list, a browser error occurs.

Use the pattern matching rules described in "Configuring Success and Failure Redirection URLs" to specify URLs in the list.

If you DO NOT specify any URLs in this property, AM only allows redirection to RelayState URLs that match the domain of the instance. Any other URL will cause a browser error.

Specifies a class to invoke immediately before sending a SAML v2.0 response.

Specifies which parts of messages the identity provider requires the service provider to sign digitally.

When selected, the service provider must encrypt NameID elements.

Specifies the supported name identifiers for users that are shared between providers for single sign-on.

The information on how a hosted SP determines the NameID format to use, see NameID Format.

When enabled, authenticate with the specified user name and password at SOAP endpoints.

Specifies the endpoint to manage artifact resolution. The Index is a unique identifier for the endpoint.

Specifies the endpoints to manage single logout, depending on the SAML binding selected.

Specifies the endpoints to manage name identifiers, depending on the SAML binding selected.

Specifies the endpoints to manage single sign-on.

Specifies the endpoint to manage name identifier mapping.

Specifies what parts of messages the service provider requires the identity provider to sign digitally.

The identity provider must encrypt selected elements.

Specifies the supported name identifiers for users that are shared between providers for single sign-on.

The following diagram shows how the hosted SP decides which of the supported NameID formats is used:

Disables the storage of NameIDs in the user data store, even if the NameID format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in the received assertion and the account mapper has identified the local user.

You may want to disable storage of NameID values if you are using a read-only data store, or an external identity store that does not have the AM identity schemas applied.

Default value: false

Specifies a class that implements the SPAuthnContextMapper interface and sets up the authentication context.

Default: com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper

Specifies the authentication context classes the SP supports, and any AM authentication mechanisms that are used when an IDP specifies the respective class in a SAML v2.0 authentication request.

For more information on authentication context classes, see Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 in the SAML V2.0 Standard.

Default value: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Used in conjunction with the Default Authentication Context to specify the possible range of authentication mechanisms the IDP can choose from.

For example, if the Comparison Type field is set to better, and the PasswordProtectedTransport authentication context class is selected in the Default Authentication Context field, the IDP must select an authentication mechanism with a higher level assigned.

For information on how AM maps the authentication mechanism to authentication context classes, and how to set the precedence, see Authentication Context.

Default: exact

Specifies whether to include an authentication context class as the Requested Authentication Context in the SAML v2.0 Authentication Request.

Default: Enabled

Grace period in seconds for the NotBefore time in assertions.

When enabled, authenticate with the specified user name and password at SOAP endpoints.

Specifies a class that implements the attribute mapping.

Maps SAML attributes to session properties, or user profile attributes.

When enabled, automatically federate user's accounts at different providers based on the specified SAML attribute.

Specifies the SAML attribute to match accounts at different providers.

Specifies a class that implements AccountMapper to map remote users to local user profiles.

When selected, fall back to using the name identifier from the assertion to find the user.

Specifies the user profile to map all identity provider users when sending transient name identifiers.

Specifies the message encoding format for artifacts.

Specifies the local login URL.

Specifies a URL to which the user is redirected after authentication but before the original URL requested.

Specifies the URL to which to send an HTTP POST including all cookies when receiving a logout request. To add a user session property as a POST parameter, include it in the URL query string as a appsessionproperty parameter.

Specifies the URL to which to redirect users after the request has been handled. Used if not specified in the response.

Specifies a class that implements the FederationSPAdapter interface and performs application specific processing during the federation process.

Specifies environment variables passed to the adapter class.

Used to locate the hosted provider's entity identifier, specified as [/realm-name]*/provider-name, where provider-name can not contain slash characters (/). For example: /myRealm/mySubrealm/sp.

Ensure the MetaAlias is unique for each provider configured in a CoT and in the realm.

Specifies the endpoints to manage single logout, depending on the SAML binding selected.

Specifies the endpoints to manage name identifiers, depending on the SAML binding selected.

Specifies the endpoints to consume assertions, with Index corresponding to the index of the URL in the standard metadata.

The scheme, FQDN, and port configured must exactly match those of the service provider as they appear in its metadata.

To determine the service provider's endpoint URL, AM uses the Base URL service, if configured.

If the URL does not match, the SAML v2.0 flow will fail and AM will log Invalid Assertion Consumer Location specified in the audit log file.

Specifies the endpoint to manage Secure Attribute Exchange requests.

Specifies the endpoint of the service provider that can handle global logout requests.

Specifies how to handle encryption for Secure Attribute Exchange operations.

Specifies a class that returns a list of preferred identity providers trusted by the SAML Enhanced Client or Proxy profile.

Specifies a URI reference used to retrieve the complete identity provider list if the IDPList element is not complete.

Specifies a list of identity providers for the SAML Enhanced Client or Proxy to contact, used by the default implementation of the IDP Finder.

When enabled, AM includes a Scoping element in the authentication request to enable the request to be proxied.

When enabled, use introductions to find the proxy identity provider.

Specifies the maximum number of proxy identity providers.

Specifies a list of URIs identifying preferred proxy identity providers.

When enabled, the service provider sends a SOAP logout request over the back channel to all identity providers when a session times out. A session may time out when the maximum idle time or maximum session time is reached, for example.

List of URLs permitted for the RelayState parameter. AM validates the redirection URL in the RelayState parameter against this list. If the RelayState parameter's value is in the list, AM allows redirection to the RelayState URL. If it is not in the list, a browser error occurs.

Use the pattern matching rules described in "Configuring Success and Failure Redirection URLs" to specify URLs in the list.

If you DO NOT specify any URLs in this property, AM only allows redirection to RelayState URLs that match the domain of the instance. Any other URL will cause a browser error.

Specifies what parts of messages the service provider requires the identity provider to sign digitally.

The identity provider must encrypt selected elements.

Specifies the supported name identifiers for users that are shared between providers for single sign-on.

The information on how a hosted SP determines the NameID format to use, see NameID Format.

Disables the storage of NameID values at the IDP when generating an assertion for this remote SP.

Default value: false

When enabled, require authentication with the specified user name and password at SOAP endpoints.

Override any mappings of attributes to user profile attributes at the IDP.

Specifies the message encoding format for artifacts.

Specifies the endpoints to manage single logout, depending on the SAML binding selected.

Specifies the endpoints to manage name identifiers, depending on the SAML binding selected.

Specifies the endpoints to consume assertions, with Index corresponding to the index of the URL in the standard metadata.

When enabled, AM does not verify Assertion Consumer Service URL values provided in SAML authentication requests. This allows the Assertion Consumer Service URL to contain dynamic query parameters, for example.

As assertion consumer service URL verification is part of the SAML v2.0 spec, you can only skip validation if the authentication request is digitally signed by the SP. To digitally sign authentication requests, in the remote SP configuration navigate to Assertion Content > Signing and Encryption > Request/Response Signing, and select Authentication Requests Signed.

Specifies the endpoint to manage Secure Attribute Exchange requests.

Specifies the endpoint of the service provider that can handle global logout requests.

When enabled, the authentication requests from this service provider can be proxied.

When enabled, AM proxies every authentication request from the SP, whether it contains a Scoping element or not.

The IDP Proxy option must be enabled for this option to take effect.

When enabled, use introduction cookies to find the proxy identity provider.

When enabled, use the IDP finder service to determine the IDP to which to proxy authentication requests.

Specifies the maximum number of proxy identity providers. AM sets the specified value in the Scoping element of authentication request it proxies for this SP.

The Proxy all requests option must be enabled for this option to take effect.

Specifies a list of URIs identifying preferred proxy identity providers.