HostedSaml2EntityProvider
Realm Operations
Allows the management of hosted SAML2 entity providers.
Resource path:
/realm-config/saml2/hosted
Resource version: 1.0
create
create.description
Usage
am> create HostedSaml2EntityProvider --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-07/schema#", "ignoredProperties" : [ "_id", "_rev" ], "description" : "This schema describes a hosted SAML2 entity provider.", "title" : "SAML2 Hosted Entity Provider", "type" : "object", "properties" : { "entityId" : { "type" : "string" }, "identityProvider" : { "title" : "Identity Provider", "description" : "This schema describes a SAML2 identity provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "title" : "Assertion Content", "type" : "object", "traverseObject" : true, "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "title" : "Request/Response Signing", "description" : "Select the checkbox for each request/response that should be signed", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/wantAuthnRequestsSigned" }, "title" : "Authentication Request", "type" : "boolean", "default" : false }, "artifactResolve" : { "attributeKey" : "wantArtifactResolveSigned", "title" : "Artifact Resolve", "type" : "boolean", "default" : false }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request", "type" : "boolean", "default" : false }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response", "type" : "boolean", "default" : false }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request", "type" : "boolean", "default" : false }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response", "type" : "boolean", "default" : false } }, "required" : [ "authenticationRequest", "artifactResolve", "logoutRequest", "logoutResponse", "manageNameIdRequest", "manageNameIdResponse" ] }, "encryption" : { "traverseObject" : true, 
"title" : "Encryption", "type" : "object", "properties" : { "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean", "default" : false } }, "required" : [ "nameIdEncryption" ] }, "secretIdAndAlgorithms" : { "traverseObject" : true, "title" : "Secret ID And Algorithms", "type" : "object", "properties" : { "secretIdIdentifier" : { "type" : "string", "attributeKey" : "secretIdIdentifier", "title" : "Secret ID Identifier", "description" : "This identifier determines the secret ID for this entity provider when resolving secrets. For example, when this value is set to \"demo\", the entity provider will use the am.applications.federation.entity.providers.saml2.demo.signing and am.applications.federation.entity.providers.saml2.demo.encryption secret IDs to resolve the signing and encryption secrets. When left unspecified, AM will use the entity provider role (service provider, identity provider, etc.) specific default global secret IDs. When the secret ID identifier for a given role is modified, the corresponding mapping is removed if it isn't referenced by other entities."
}, "signingAlgorithm" : { "title" : "Signing Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SigningAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ] } }, "digestAlgorithm" : { "title" : "Digest Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.DigestAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", 
"http://www.w3.org/2007/05/xmldsig-more#sha3-512" ] } }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "type" : "array", "attributeKey" : { "value" : "encryptionAlgorithms", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EncryptionAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ], "enumNames" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ] } } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. 
Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] }, "nameIdValueMap" : { "attributeKey" : { "value" : "nameIDFormatMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.NameIdValueMapper" }, "description" : "Defines mapping between the NameID format and user's profile attribute. Example <code>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</code> or <code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent=objectGUID;binary</code>. 
If the defined NameID format is used in protocol, the profile attribute value will be used as NameID value for the format in the Subject, the <code>;binary</code> flag can be used to indicate that the profile attribute is binary and should be Base64 encoded when used as the NameID value.", "title" : "NameID Value Map", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "title" : "Key", "propertyOrder" : 0, "type" : "string" }, "value" : { "title" : "Value", "propertyOrder" : 1, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 2, "type" : "boolean" } } }, "default" : [ { "key" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "value" : "mail", "binary" : false } ] } } }, "authenticationContext" : { "title" : "Authentication Context", "type" : "object", "traverseObject" : true, "properties" : { "authenticationContextMapper" : { "attributeKey" : "idpAuthncontextMapper", "title" : "Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper" }, "authContextItems" : { "title" : "Authentication Context", "description" : "Defines mapping between SP requested Authentication Context Reference and IDP authentication scheme and authentication level.", "type" : "array", "attributeKey" : { "value" : "idpAuthncontextClassrefMapping", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.IdpAuthContextMapper" }, "items" : { "type" : "object", "properties" : { "contextReference" : { "propertyOrder" : 0, "title" : "Context Reference", "anyOf" : [ { "title" : "Predefined Reference", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered", 
"urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession", "urn:oasis:names:tc:SAML:2.0:ac:classes:X.509", "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP", "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig", "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "unspecified" ], "enumNames" : [ "InternetProtocol", "InternetProtocolPassword", "Kerberos", "MobileOneFactorUnregistered", "MobileTwoFactorUnregistered", "MobileOneFactorContract", "MobileTwoFactorContract", "Password", "PasswordProtectedTransport", "PreviousSession", "X.509", "PGP", "SPKI", "XMLDSig", "Smartcard", "SmartcardPKI", "SoftwarePKI", "Telephony", "NomadTelephony", "PersonalTelephony", "AuthenticatedTelephony", "SecureRemotePassword", "TLSClient", "TimeSyncToken", "unspecified" ] }, { "title" : "Custom Reference", "type" : "string" } ] }, "key" : { "propertyOrder" : 1, "type" : "string", "title" : "Key", "enum" : [ "service", "module", "user", "role", "authlevel" ], "enumNames" : [ "Service", "Module", "User", "Role", "Authentication Level" ] }, "value" : { "propertyOrder" : 2, "title" : "Value", "type" : "string" }, "level" : { "propertyOrder" : 3, "title" : "Level", "type" : "integer", "minimum" : 0 } } 
}, "default" : [ { "contextReference" : "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "level" : "0" } ] } } }, "assertionTime" : { "traverseObject" : true, "title" : "Assertion Time", "type" : "object", "properties" : { "notBeforeTimeSkew" : { "attributeKey" : "assertionNotBeforeTimeSkew", "title" : "Not-Before Time Skew", "type" : "integer", "minimum" : 0, "default" : 600, "description" : "Is in seconds. This is the skew time for NotBefore attributes in assertion" }, "effectiveTime" : { "attributeKey" : "assertionEffectiveTime", "title" : "Effective Time", "type" : "integer", "minimum" : 0, "description" : "Is in seconds. Validity time of assertion for NotAfter attributes", "default" : 600 } } }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password" } } }, "assertionCache" : { "traverseObject" : true, "type" : "object", "title" : "Assertion Cache", "properties" : { "enabled" : { "attributeKey" : "assertionCacheEnabled", "description" : "Enable assertion cache", "title" : "Enabled", "type" : "boolean", "default" : false } } } } }, "assertionProcessing" : { "propertyOrder" : 1, "title" : "Assertion Processing", "type" : "object", "traverseObject" : true, "properties" : { "attributeMapper" : { "title" : "Attribute Mapper", "type" : "object", "traverseObject" : true, "properties" : { "attributeMapper" : { "attributeKey" : "idpAttributeMapper", "title" : "Attribute Mapper", "type" : "string", 
"default" : "com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper" }, "attributeMapperScript" : { "attributeKey" : "idpAttributeMapperScript", "title" : "Attribute Mapper Script", "description" : "Script for mapping attributes. If a script is not selected, the specified attribute mapper Java Class will be used.", "type" : "string", "default" : "[Empty]" }, "attributeMap" : { "title" : "Attribute Map", "description" : "This mapping is the configuration used by the Attribute Mapper. The mapping should be defined as [NameFormatURI|]SAML ATTRIBUTE NAME=PROFILE ATTRIBUTE NAME in assertion. Example: EmailAddress=mail, Address=postaladdress, urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn The mapper also allows for static values to be defined. To define a static value, enclose the profile attribute name in double quotes. Example: partnerID=\"staticPartnerIDValue\", urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\". To flag an attribute as being a binary value and have its value Base64 encoded, add ;binary to the end of the profile attribute name. 
Example: photo=photo;binary, urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary", "type" : "array", "attributeKey" : { "value" : "attributeMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.AttributeMapMapper" }, "items" : { "type" : "object", "properties" : { "nameFormatUri" : { "title" : "Name Format Uri", "propertyOrder" : 0, "type" : "string" }, "samlAttribute" : { "title" : "SAML Attribute", "propertyOrder" : 1, "type" : "string" }, "localAttribute" : { "title" : "Local Attribute", "propertyOrder" : 2, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 3, "type" : "boolean" } }, "required" : [ "samlAttribute", "localAttribute" ] } } }, "required" : [ "attributeMapper" ] }, "accountMapper" : { "traverseObject" : true, "title" : "Account Mapper", "type" : "object", "properties" : { "accountMapper" : { "attributeKey" : "idpAccountMapper", "title" : "Account Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultIDPAccountMapper", "description" : "Used to generate Name Identifier in Single Sign-on assertion and find user's identity from incoming request." }, "disableNameIdPersistence" : { "attributeKey" : "idpDisableNameIDPersistence", "title" : "Disable NameID Persistence", "type" : "boolean", "description" : "Disables the persistence of the NameID values into the User Data Store for all persistent NameID-Formats. When the persistent NameID-Format is in use, disabling NameID persistence is not recommended. Note that by preventing the storage of the NameID values, the ManageNameID and the NameIDMapping SAML profiles will no longer work when using any persistent NameID-Formats. 
Existing account links that have been established (and persisted) previously will not be removed when enabling this feature.", "default" : false } } }, "localConfiguration" : { "traverseObject" : true, "title" : "Local Configuration", "type" : "object", "properties" : { "authUrl" : { "attributeKey" : "AuthUrl", "type" : "string", "title" : "Auth URL", "description" : "URL to redirect to for user authentication, if required" }, "reverseProxyUrl" : { "attributeKey" : "RpUrl", "type" : "string", "title" : "Reverse Proxy URL", "description" : "URL of the Reverse Proxy where the SAML endpoints are available" }, "externalApplicationLogoutUrl" : { "attributeKey" : "appLogoutUrl", "type" : "string", "title" : "External Application Logout URL", "description" : "This is the logout URL for an external application. Once the server receives a logout request from the remote partner, a request will be sent to the logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and POST parameter if a query parameter \"appsessionproperty\" (set to the session property name) is included in the URL. e.g. \"http://www.app.domain.com/uri/logout?appsessionproperty=mail\"." } } } } }, "services" : { "propertyOrder" : 2, "title" : "Services", "type" : "object", "traverseObject" : true, "properties" : { "metaAlias" : { "attributeKey" : "metaAlias", "default" : "{idpMetaAlias}", "type" : "string", "title" : "Meta Alias", "readOnly" : true, "description" : "The Meta Alias attribute is specific to providers using OpenAM; therefore, a null value for a remote provider configuration is possible."
}, "serviceAttributes" : { "title" : "IDP Service Attributes", "type" : "object", "traverseObject" : true, "properties" : { "artifactResolutionService" : { "title" : "Artifact Resolution Service", "type" : "array", "attributePath" : { "value" : "artifactResolutionService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.IndexedEndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/ArtifactResolver/metaAlias{idpMetaAlias}" } ] }, "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ 
"location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/IDPSloRedirect/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPSloRedirect/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/IDPSloPOST/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPSloPOST/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/IDPSloSoap/metaAlias{idpMetaAlias}" } ] }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/IDPMniRedirect/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPMniRedirect/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/IDPMniPOST/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPMniPOST/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/IDPMniSoap/metaAlias{idpMetaAlias}" } ] }, "singleSignOnService" : { "title" : "Single 
SignOn Service", "type" : "array", "attributePath" : { "value" : "singleSignOnService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/SSORedirect/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/SSOPOST/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/SSOSoap/metaAlias{idpMetaAlias}" } ] } } }, "nameIdMapping" : { "title" : "NameID Mapping", "type" : "array", "attributePath" : { "value" : "nameIDMappingService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response 
Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/NIMSoap/metaAlias{idpMetaAlias}" } ] }, "assertionIdRequest" : { "title" : "Assertion ID Request Service", "type" : "array", "attributePath" : { "value" : "assertionIDRequestService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/AIDReqSoap/IDPRole/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:URI", "location" : "{baseUrl}/AIDReqUri/IDPRole/metaAlias{idpMetaAlias}" } ] } }, "required" : [ "metaAlias" ] }, "advanced" : { "traverseObject" : true, "propertyOrder" : 3, "title" : "Advanced", "type" : "object", "properties" : { "saeConfiguration" : { "traverseObject" : true, "title" : "SAE Configuration", "type" : "object", "properties" : { "idpUrl" : { "attributeKey" : "saeIDPUrl", "title" : "IDP URL", "description" : "URL endpoint on the Identity Provider that can handle SAE requests.", "type" : "string", "default" : "{baseUrl}/idpsaehandler/metaAlias{idpMetaAlias}" }, "applicationSecurityConfiguration" : { "attributeKey" : { "value" : "saeAppSecretList", "mapper" : 
"org.forgerock.openam.federation.rest.schema.mappers.ApplicationSecurityConfigItemMapper" }, "title" : "Application Security Configuration", "type" : "array", "items" : { "type" : "object", "properties" : { "url" : { "title" : "URL", "propertyOrder" : 0, "type" : "string" }, "type" : { "title" : "Type", "propertyOrder" : 1, "type" : "string" }, "pubKeyAlias" : { "title" : "Public Key Alias", "propertyOrder" : 2, "type" : "string" }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "propertyOrder" : 3, "type" : "string" }, "encryptionKeyStrength" : { "title" : "Encryption Key Strength", "propertyOrder" : 4, "type" : "string" }, "secret" : { "title" : "Secret", "propertyOrder" : 5, "type" : "string" } }, "required" : [ "url", "secret" ] } } } }, "ecpConfiguration" : { "traverseObject" : true, "title" : "ECP Configuration", "type" : "object", "properties" : { "idpSessionMapper" : { "attributeKey" : "idpECPSessionMapper", "title" : "IDP Session Mapper", "description" : "Defines an implementation class for the session mapper SPI. The mapper finds a valid session from HTTP servlet request on IDP with ECP profile.", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper" } } }, "sessionSynchronization" : { "traverseObject" : true, "title" : "Session Synchronization", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "idpSessionSyncEnabled", "title" : "Enabled", "description" : "If this is enabled, when a session times out, the Identity Provider notifies all Service Providers to log out. 
A session may time out, for example, when max-idle time or max-session time is reached.", "type" : "boolean", "default" : false } } }, "idpFinderImplementation" : { "traverseObject" : true, "title" : "IDP Finder Implementation", "type" : "object", "properties" : { "idpFinderImplementationClass" : { "attributeKey" : "proxyIDPFinderClass", "title" : "IDP Finder implementation class", "description" : "Defines an implementation class for the Proxy IDP Finder SPI. The implementation is used to find a preferred IdP to send the proxied Authentication Request", "type" : "string" }, "idpFinderJsp" : { "attributeKey" : "proxyIDPFinderJSP", "title" : "IdP Finder JSP", "description" : "Specify the JSP that will present the IdP List to the user, if required by the class implementation (example: proxyidpfinder.jsp)", "type" : "string" }, "enableProxyIdpFinderForAllSps" : { "attributeKey" : "enableProxyIDPFinderForAllSPs", "title" : "Enable Proxy IDP Finder for all SPs", "description" : "If this is enabled the proxy idp finder will be enabled for all the remote SPs regardless of what they have configured in their extended metadata", "type" : "boolean", "default" : false } } }, "relayStateUrlList" : { "traverseObject" : true, "title" : "Relay State URL List", "type" : "object", "properties" : { "relayStateUrlList" : { "attributeKey" : "relayStateUrlList", "title" : "Relay State URL List", "type" : "array", "items" : { "type" : "string" } } } }, "idpAdapter" : { "traverseObject" : true, "title" : "IDP Adapter", "type" : "object", "properties" : { "idpAdapterClass" : { "attributeKey" : "idpAdapter", "title" : "IDP Adapter Class", "type" : "string" }, "idpAdapterScript" : { "attributeKey" : "idpAdapterScript", "title" : "IDP Adapter Script", "description" : "Scripted plugin for IDP Adapter. 
If a script is not selected, the specified IDP Adapter Java Class will be used.", "type" : "string", "default" : "[Empty]" } } } } } } }, "serviceProvider" : { "title" : "Service Provider", "description" : "This schema describes a SAML2 service provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "traverseObject" : true, "title" : "Assertion Content", "type" : "object", "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "description" : "Select the checkbox for each request/response that should be signed\n", "title" : "Request/Response Signing", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/authnRequestsSigned" }, "title" : "Authentication Requests Signed", "type" : "boolean", "default" : false }, "assertion" : { "attributePath" : "/wantAssertionsSigned", "title" : "Assertions Signed", "type" : "boolean", "default" : false }, "postResponse" : { "attributeKey" : "wantPOSTResponseSigned", "title" : "POST Response Signed", "type" : "boolean", "default" : false }, "artifactResponse" : { "attributeKey" : "wantArtifactResponseSigned", "title" : "Artifact Response Signed", "type" : "boolean", "default" : false }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request Signed", "type" : "boolean", "default" : false }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response Signed", "type" : "boolean", "default" : false }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request Signed", "type" : "boolean", "default" : false }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response Signed", "type" : "boolean", "default" : false } } }, "encryption" : { 
"traverseObject" : true, "title" : "Encryption", "type" : "object", "properties" : { "attributeEncryption" : { "attributeKey" : "wantAttributeEncrypted", "title" : "Attribute Encryption", "type" : "boolean" }, "assertionEncryption" : { "attributeKey" : "wantAssertionEncrypted", "title" : "Assertion Encryption", "type" : "boolean" }, "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean" } } }, "secretIdAndAlgorithms" : { "traverseObject" : true, "title" : "Secret ID And Algorithms", "type" : "object", "properties" : { "secretIdIdentifier" : { "type" : "string", "attributeKey" : "secretIdIdentifier", "title" : "Secret ID Identifier", "description" : "This identifier determines the secret ID for this entity provider when resolving secrets. For example, when this value is set to \"demo\", the entity provider will use the am.applications.federation.entity.providers.saml2.demo.signing and am.applications.federation.entity.providers.saml2.demo.encryption secret IDs to resolve the signing and encryption secrets. When left unspecified, AM will use the entity provider role (service provider, identity provider, etc.) specific default global secret IDs. When the secret ID identifier for a given role is modified, the corresponding mapping is removed if it isn't referenced by other entities."
}, "signingAlgorithm" : { "title" : "Signing Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SigningAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ] } }, "digestAlgorithm" : { "title" : "Digest Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.DigestAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", 
"http://www.w3.org/2007/05/xmldsig-more#sha3-512" ] } }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "type" : "array", "attributeKey" : { "value" : "encryptionAlgorithms", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EncryptionAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ], "enumNames" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ] } } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. 
Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] }, "disableNameIdPersistence" : { "attributeKey" : "spDoNotWriteFederationInfo", "title" : "Disable NameID persistence", "description" : "Instructs the SP to not persist the SAML NameID into the User Data Store even if the NameID Format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in the received Assertion and the Account Mapper has identified the local user. When local authentication is utilized for account linking purposes, enabling this feature will require end-users to locally authenticate for each SAML-based login.", "type" : "boolean", "default" : false } } }, "authenticationContext" : { "traverseObject" : true, "title" : "Authentication Context", "type" : "object", "properties" : { "authenticationContextMapper" : { "attributeKey" : "spAuthncontextMapper", "title" : "Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper" }, "authContextItems" : { "attributeKey" : { "value" : "spAuthncontextClassrefMapping", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SpAuthContextMapper" }, "description" : "Defines mapping between IDP authentication context reference and authentication level to be set on SP side session", "title" : "Authentication Context", "type" : "array", "items" : { "type" : "object", "properties" : { "contextReference" : { "propertyOrder" : 0, "title" : "Context Reference", "anyOf" : [ 
{ "title" : "Predefined Reference", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession", "urn:oasis:names:tc:SAML:2.0:ac:classes:X.509", "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP", "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig", "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "unspecified" ], "enumNames" : [ "InternetProtocol", "InternetProtocolPassword", "Kerberos", "MobileOneFactorUnregistered", "MobileTwoFactorUnregistered", "MobileOneFactorContract", "MobileTwoFactorContract", "Password", "PasswordProtectedTransport", "PreviousSession", "X.509", "PGP", "SPKI", "XMLDSig", "Smartcard", "SmartcardPKI", "SoftwarePKI", "Telephony", "NomadTelephony", "PersonalTelephony", "AuthenticatedTelephony", "SecureRemotePassword", "TLSClient", "TimeSyncToken", "unspecified" ] }, { "title" : "Custom Reference", "type" : "string" 
} ] }, "level" : { "default" : 0, "minimum" : 0, "propertyOrder" : 1, "title" : "Level", "type" : "integer" }, "defaultItem" : { "propertyOrder" : 2, "title" : "Default", "type" : "boolean" } } }, "default" : [ { "contextReference" : "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "level" : "0", "defaultItem" : true } ] }, "authenticationComparisonType" : { "attributeKey" : { "value" : "spAuthncontextComparisonType", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.AuthComparisonTypeMapper" }, "title" : "Comparison Type", "type" : "string", "enum" : [ "None", "Exact", "Minimum", "Maximum", "Better" ], "default" : "Exact" }, "includeRequestedAuthenticationContext" : { "attributeKey" : "includeRequestedAuthnContext", "title" : "Include Request Authentication Context", "description" : "Enable to include the Requested Authentication Context in the Authentication Request, enabled by default.", "type" : "boolean", "default" : true } } }, "assertionTimeSkew" : { "attributeKey" : "assertionTimeSkew", "title" : "Assertion Time Skew", "description" : "Is in seconds. 
Skew time for NotBefore and NotOnOrAfter attributes in assertion SubjectConfirmationData and Conditions", "type" : "integer", "default" : 300 }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password" } } } } }, "assertionProcessing" : { "propertyOrder" : 1, "traverseObject" : true, "title" : "Assertion Processing", "type" : "object", "properties" : { "attributeMapper" : { "traverseObject" : true, "title" : "Attribute Mapper", "type" : "object", "properties" : { "attributeMapper" : { "attributeKey" : "spAttributeMapper", "title" : "Attribute Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultSPAttributeMapper" }, "attributeMap" : { "attributeKey" : { "value" : "attributeMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.KeyValueMapper" }, "description" : "This mapping is the configuration used by the Attribute Mapper. Mapping should be defined as SAML ATTRIBUTE NAME=PROFILE ATTRIBUTE NAME in assertion. 
Example: EmailAddress=mail, Address=postaladdress.", "title" : "Attribute Map", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "propertyOrder" : 0, "title" : "Key", "type" : "string" }, "value" : { "propertyOrder" : 1, "title" : "Value", "type" : "string" } } }, "default" : [ { "key" : "*", "value" : "*" } ] } }, "required" : [ "attributeMapper" ] }, "autoFederation" : { "description" : "Enable Auto Federation if not already federated", "traverseObject" : true, "title" : "Auto Federation", "type" : "object", "properties" : { "autoFedEnabled" : { "attributeKey" : "autofedEnabled", "title" : "Enabled", "description" : "Enable Auto Federation if not already federated", "type" : "boolean", "default" : false }, "autoFedAttribute" : { "attributeKey" : "autofedAttribute", "title" : "Attribute", "description" : "This SAML attribute identifies the user to auto federate with. If this attribute is not present in the assertion then the value of the NameID is used instead. If there is a mapping defined for this attribute, it will be used along with the value when searching for the local user. 
If the local user cannot be found and Dynamic or Ignored Profile is enabled, the value will be used as the local user's UID instead.", "type" : "string" } } }, "accountMapping" : { "traverseObject" : true, "title" : "Account Mapper", "type" : "object", "properties" : { "spAccountMapper" : { "attributeKey" : "spAccountMapper", "title" : "Account Mapper", "description" : "Helps to find the user on the local side based on the incoming assertion", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultSPAccountMapper" }, "useNameIDAsSPUserID" : { "attributeKey" : "useNameIDAsSPUserID", "title" : "Use Name ID as User ID", "description" : "Use the value of the Name ID from the incoming Assertion to find the local user as a last resort, if other means do not apply", "type" : "boolean", "default" : false }, "transientUser" : { "attributeKey" : "transientUser", "description" : "Can be null. If specified, this will be the mapped SP user in case of transient federation", "title" : "Transient User", "type" : "string" } } }, "responseArtifactMessageEncoding" : { "traverseObject" : true, "title" : "Artifact Message Encoding", "type" : "object", "properties" : { "encoding" : { "attributeKey" : { "value" : "responseArtifactMessageEncoding", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.MessageEncodingMapper" }, "title" : "Artifact Message Encoding", "type" : "string", "enum" : [ "URI", "FORM" ], "default" : "URI" } } }, "url" : { "traverseObject" : true, "title" : "URL", "type" : "object", "properties" : { "localAuthUrl" : { "attributeKey" : "localAuthURL", "title" : "Local Authentication Url", "description" : "Use this property to specify an alternative URL to redirect to after validating the SAML2 assertion from the IDP, for example, if you have created a custom user interface.", "type" : "string" }, "intermediateUrl" : { "attributeKey" : "intermediateUrl", "title" : "Intermediate Url", "description" : "This is the intermediate point that the SP will redirect to 
before the final relay state", "type" : "string" }, "appLogoutUrl" : { "attributeKey" : "appLogoutUrl", "title" : "External Application Logout URL", "description" : "This is the logout URL for an external application. Once the server receives logout request from the remote partner, a request will be sent to the logout URL using back channel HTTP POST with all cookies. Optionally, a user session property could be sent as HTTP header and POST parameter if a query parameter \"appsessionproperty\" (set to the session property name) is included in the URL. e.g. \"http://www.app.domain.com/uri/logout?appsessionproperty=mail\"", "type" : "string" } } }, "defaultRelayState" : { "attributeKey" : "defaultRelayState", "title" : "Default Relay State Url", "description" : "This is the default relay state URL that the SP will redirect to, in case there is no relay state specified in the response", "type" : "string" }, "adapter" : { "traverseObject" : true, "title" : "Adapter", "type" : "object", "properties" : { "spAdapter" : { "attributeKey" : "spAdapter", "title" : "Adapter", "description" : "Implementation class for the SPAdapter which is used to add application specific processing logic during federation process", "type" : "string" }, "spAdapterScript" : { "attributeKey" : "spAdapterScript", "title" : "Adapter Script", "description" : "Scripted plugin for SP Adapter. 
If a script is not selected, the specified SP Adapter Java Class will be used.", "type" : "string", "default" : "[Empty]" }, "spAdapterEnv" : { "attributeKey" : { "value" : "spAdapterEnv", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.KeyValueMapper" }, "title" : "Adapter Environment", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "propertyOrder" : 0, "title" : "Key", "type" : "string" }, "value" : { "propertyOrder" : 1, "title" : "Value", "type" : "string" } } } } } } } }, "services" : { "propertyOrder" : 2, "traverseObject" : true, "type" : "object", "title" : "Services", "properties" : { "metaAlias" : { "attributeKey" : "metaAlias", "default" : "{spMetaAlias}", "title" : "MetaAlias", "description" : "The MetaAlias attribute is specific to providers using OpenAM therefore, a null value for a remote provider configuration is possible.", "type" : "string", "readOnly" : true }, "serviceAttributes" : { "traverseObject" : true, "title" : "SP Service Attributes", "type" : "object", "properties" : { "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", 
"location" : "{baseUrl}/SPSloRedirect/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPSloRedirect/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/SPSloPOST/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPSloPOST/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/SPSloSoap/metaAlias{spMetaAlias}" } ] }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/SPMniRedirect/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPMniRedirect/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/SPMniPOST/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPMniPOST/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/SPMniSoap/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPMniSoap/metaAlias{spMetaAlias}" } ] }, "assertionConsumerService" : { "attributePath" : { "value" : "assertionConsumerService", 
"mapper" : "org.forgerock.openam.federation.rest.schema.mappers.ExtendedIndexedEndpointMapper" }, "title" : "Assertion Consumer Service", "description" : "Location denotes the URL to accept the respective request type. Index denotes the index of the URL in the standard metadata", "type" : "array", "items" : { "type" : "object", "properties" : { "isDefault" : { "type" : "boolean" }, "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-Artifact", "HTTP-POST", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "index" : { "type" : "integer" } } }, "default" : [ { "isDefault" : true, "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "location" : "{baseUrl}/Consumer/metaAlias{spMetaAlias}", "index" : "0" }, { "isDefault" : false, "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/Consumer/metaAlias{spMetaAlias}", "index" : "1" }, { "isDefault" : false, "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:PAOS", "location" : "{baseUrl}/Consumer/ECP/metaAlias{spMetaAlias}", "index" : "2" } ] } } } } }, "advanced" : { "propertyOrder" : 3, "traverseObject" : true, "type" : "object", "title" : "Advanced", "properties" : { "saeConfiguration" : { "traverseObject" : true, "title" : "SAE Configuration", "type" : "object", "properties" : { "spUrl" : { "attributeKey" : "saeSPUrl", "title" : "SP URL", "description" : "URL endpoint on Service Provider that can handle SAE requests. If this URL is empty (not configured), SAE single sign-on will not be enabled. 
Normal samlv2 single sign-on response will be sent to SP", "type" : "string", "default" : "{baseUrl}/spsaehandler/metaAlias{spMetaAlias}" }, "spLogoutUrl" : { "attributeKey" : "saeSPLogoutUrl", "title" : "SP Logout URL", "description" : "URL endpoint on the Service Provider that can handle SAE global logout requests", "type" : "string" }, "applicationSecurityConfiguration" : { "attributeKey" : { "value" : "saeAppSecretList", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.ApplicationSecurityConfigItemMapper" }, "title" : "Application Security Configuration", "type" : "array", "items" : { "type" : "object", "properties" : { "url" : { "title" : "URL", "propertyOrder" : 0, "type" : "string" }, "type" : { "title" : "Type", "propertyOrder" : 1, "type" : "string" }, "pubKeyAlias" : { "title" : "Public Key Alias", "propertyOrder" : 2, "type" : "string" }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "propertyOrder" : 3, "type" : "string" }, "encryptionKeyStrength" : { "title" : "Encryption Key Strength", "propertyOrder" : 4, "type" : "string" }, "secret" : { "title" : "Secret", "propertyOrder" : 5, "type" : "string" } }, "required" : [ "url", "secret" ] } } } }, "ecpConfiguration" : { "traverseObject" : true, "title" : "ECP Configuration", "type" : "object", "properties" : { "ecpRequestIdpListFinderImpl" : { "attributeKey" : "ECPRequestIDPListFinderImpl", "title" : "Request IDP List Finder Implementation", "description" : "Implementation class of the IDP list finder SPI. 
This returns a list of preferred IDPs trusted by the ECP", "type" : "string", "default" : "com.sun.identity.saml2.plugins.ECPIDPFinder" }, "ecpRequestIdpListGetComplete" : { "attributeKey" : "ECPRequestIDPListGetComplete", "title" : "Request IDP List Get Complete", "description" : "Specify an URI reference that can be used to retrieve the complete IDP list if the IDPList element is not complete", "type" : "string" }, "ecpRequestIdpList" : { "attributeKey" : "ECPRequestIDPList", "title" : "Request IDP List", "description" : "Defines a list of IDPs for the ECP to contact. This is used by the default implementation of the IDP Finder", "type" : "array", "items" : { "type" : "string" } } } }, "idpProxy" : { "traverseObject" : true, "title" : "IDP Proxy", "type" : "object", "properties" : { "enableIdpProxy" : { "attributeKey" : "enableIDPProxy", "title" : "IDP Proxy enabled", "description" : "Enable IDP Proxy if not enabled", "type" : "boolean", "default" : false }, "useIntroductionForIdpProxy" : { "attributeKey" : "useIntroductionForIDPProxy", "title" : "Introduction enabled", "type" : "boolean", "default" : false }, "idpProxyCount" : { "attributeKey" : "idpProxyCount", "title" : "Proxy Count", "description" : "Number of IDP proxies that the SP can have", "type" : "integer", "default" : 0 }, "idpProxyList" : { "attributeKey" : "idpProxyList", "description" : "A list of preferred IDPs that the SP would proxy to", "title" : "IDP Proxy List", "type" : "array", "items" : { "type" : "string" } } } }, "spSessionSyncEnabled" : { "attributeKey" : "spSessionSyncEnabled", "title" : "Session Synchronization", "description" : "If this is enabled, when a session times out, the Service Provider notifies all Identity Providers to log out. 
A session may time out, for example, when max-idle time or max-session time is reached.", "type" : "boolean", "default" : false }, "relayStateUrlList" : { "traverseObject" : true, "title" : "Relay State URL List", "type" : "object", "properties" : { "relayStateUrlList" : { "attributeKey" : "relayStateUrlList", "title" : "Relay State URL List", "type" : "array", "items" : { "type" : "string" } } } } } } } } }, "required" : [ "entityId" ], "$id" : "https://www.forgerock.com/hostedSaml2EntityProvider.schema.json" }
delete
Removes the SAML2 entity provider from the configuration including all of its associated roles.
Usage
am> delete HostedSaml2EntityProvider --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
read
Returns the roles of the SAML2 entity provider.
Usage
am> read HostedSaml2EntityProvider --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Updates details of the SAML2 entity provider role.
Usage
am> update HostedSaml2EntityProvider --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-07/schema#", "ignoredProperties" : [ "_id", "_rev" ], "description" : "This schema describes a hosted SAML2 entity provider.", "title" : "SAML2 Hosted Entity Provider", "type" : "object", "properties" : { "entityId" : { "type" : "string" }, "identityProvider" : { "title" : "Identity Provider", "description" : "This schema describes a SAML2 identity provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "title" : "Assertion Content", "type" : "object", "traverseObject" : true, "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "title" : "Request/Response Signing", "description" : "Select the checkbox for each request/response that should be signed", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/wantAuthnRequestsSigned" }, "title" : "Authentication Request", "type" : "boolean", "default" : false }, "artifactResolve" : { "attributeKey" : "wantArtifactResolveSigned", "title" : "Artifact Resolve", "type" : "boolean", "default" : false }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request", "type" : "boolean", "default" : false }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response", "type" : "boolean", "default" : false }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request", "type" : "boolean", "default" : false }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response", "type" : "boolean", "default" : false } }, "required" : [ "authenticationRequest", "artifactResolve", "logoutRequest", "logoutResponse", "manageNameIdRequest", "manageNameIdResponse" ] }, "encryption" : { "traverseObject" : true, 
"title" : "Encryption", "type" : "object", "properties" : { "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean", "default" : false } }, "required" : [ "nameIdEncryption" ] }, "secretIdAndAlgorithms" : { "traverseObject" : true, "title" : "Secret ID And Algorithms", "type" : "object", "properties" : { "secretIdIdentifier" : { "type" : "string", "attributeKey" : "secretIdIdentifier", "title" : "Secret ID Identifier", "description" : "This identifier determines the secret ID for this entity provider when resolving secrets. For example, when this value is set to \"demo\", the entity provider will use the am.applications.federation.entity.providers.saml2.demo.signing and am.applications.federation.entity.providers.saml2.demo.encryption secret IDs to resolve the signing and encryption secrets. When left unspecified, AM will use the entity provider role (service provider, identity provider, etc.) specific default global secret IDs. When the secret ID identifier for a given role is modified, the corresponding mapping is removed if it isn't referenced by other entities." 
}, "signingAlgorithm" : { "title" : "Signing Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SigningAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ] } }, "digestAlgorithm" : { "title" : "Digest Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.DigestAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", 
"http://www.w3.org/2007/05/xmldsig-more#sha3-512" ] } }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "type" : "array", "attributeKey" : { "value" : "encryptionAlgorithms", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EncryptionAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ], "enumNames" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ] } } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. 
Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] }, "nameIdValueMap" : { "attributeKey" : { "value" : "nameIDFormatMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.NameIdValueMapper" }, "description" : "Defines mapping between the NameID format and user's profile attribute. Example <code>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</code> or <code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent=objectGUID;binary</code>. 
If the defined NameID format is used in the protocol, the profile attribute value will be used as the NameID value for that format in the Subject; the <code>;binary</code> flag can be used to indicate that the profile attribute is binary and should be Base64 encoded when used as the NameID value.", "title" : "NameID Value Map", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "title" : "Key", "propertyOrder" : 0, "type" : "string" }, "value" : { "title" : "Value", "propertyOrder" : 1, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 2, "type" : "boolean" } } }, "default" : [ { "key" : "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "value" : "mail", "binary" : false } ] } } }, "authenticationContext" : { "title" : "Authentication Context", "type" : "object", "traverseObject" : true, "properties" : { "authenticationContextMapper" : { "attributeKey" : "idpAuthncontextMapper", "title" : "Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper" }, "authContextItems" : { "title" : "Authentication Context", "description" : "Defines the mapping between the SP-requested Authentication Context Reference and the IDP authentication scheme and authentication level.", "type" : "array", "attributeKey" : { "value" : "idpAuthncontextClassrefMapping", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.IdpAuthContextMapper" }, "items" : { "type" : "object", "properties" : { "contextReference" : { "propertyOrder" : 0, "title" : "Context Reference", "anyOf" : [ { "title" : "Predefined Reference", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered", 
"urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession", "urn:oasis:names:tc:SAML:2.0:ac:classes:X.509", "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP", "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig", "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "unspecified" ], "enumNames" : [ "InternetProtocol", "InternetProtocolPassword", "Kerberos", "MobileOneFactorUnregistered", "MobileTwoFactorUnregistered", "MobileOneFactorContract", "MobileTwoFactorContract", "Password", "PasswordProtectedTransport", "PreviousSession", "X.509", "PGP", "SPKI", "XMLDSig", "Smartcard", "SmartcardPKI", "SoftwarePKI", "Telephony", "NomadTelephony", "PersonalTelephony", "AuthenticatedTelephony", "SecureRemotePassword", "TLSClient", "TimeSyncToken", "unspecified" ] }, { "title" : "Custom Reference", "type" : "string" } ] }, "key" : { "propertyOrder" : 1, "type" : "string", "title" : "Key", "enum" : [ "service", "module", "user", "role", "authlevel" ], "enumNames" : [ "Service", "Module", "User", "Role", "Authentication Level" ] }, "value" : { "propertyOrder" : 2, "title" : "Value", "type" : "string" }, "level" : { "propertyOrder" : 3, "title" : "Level", "type" : "integer", "minimum" : 0 } } 
}, "default" : [ { "contextReference" : "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "level" : "0" } ] } } }, "assertionTime" : { "traverseObject" : true, "title" : "Assertion Time", "type" : "object", "properties" : { "notBeforeTimeSkew" : { "attributeKey" : "assertionNotBeforeTimeSkew", "title" : "Not-Before Time Skew", "type" : "integer", "minimum" : 0, "default" : 600, "description" : "Is in seconds. This is the skew time for NotBefore attributes in assertion" }, "effectiveTime" : { "attributeKey" : "assertionEffectiveTime", "title" : "Effective Time", "type" : "integer", "minimum" : 0, "description" : "Is in seconds. Validity time of assertion for NotAfter attributes", "default" : 600 } } }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password" } } }, "assertionCache" : { "traverseObject" : true, "type" : "object", "title" : "Assertion Cache", "properties" : { "enabled" : { "attributeKey" : "assertionCacheEnabled", "description" : "Enable assertion cache", "title" : "Enabled", "type" : "boolean", "default" : false } } } } }, "assertionProcessing" : { "propertyOrder" : 1, "title" : "Assertion Processing", "type" : "object", "traverseObject" : true, "properties" : { "attributeMapper" : { "title" : "Attribute Mapper", "type" : "object", "traverseObject" : true, "properties" : { "attributeMapper" : { "attributeKey" : "idpAttributeMapper", "title" : "Attribute Mapper", "type" : "string", 
"default" : "com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper" }, "attributeMapperScript" : { "attributeKey" : "idpAttributeMapperScript", "title" : "Attribute Mapper Script", "description" : "Script for mapping attributes. If a script is not selected, the specified attribute mapper Java Class will be used.", "type" : "string", "default" : "[Empty]" }, "attributeMap" : { "title" : "Attribute Map", "description" : "This mapping is the configuration used by the Attribute Mapper. The mapping should be defined as [NameFormatURI|]SAML ATTRIBUTE NAME=PROFILE ATTRIBUTE NAME in assertion. Example: EmailAddress=mail, Address=postaladdress, urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn The mapper also allows for static values to be defined. To define a static value, enclose the profile attribute name in double quotes. Example: partnerID=\"staticPartnerIDValue\", urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\". To flag an attribute as being a binary value and have its value Base64 encoded, add ;binary to the end of the profile attribute name. 
Example: photo=photo;binary, urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary", "type" : "array", "attributeKey" : { "value" : "attributeMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.AttributeMapMapper" }, "items" : { "type" : "object", "properties" : { "nameFormatUri" : { "title" : "Name Format Uri", "propertyOrder" : 0, "type" : "string" }, "samlAttribute" : { "title" : "SAML Attribute", "propertyOrder" : 1, "type" : "string" }, "localAttribute" : { "title" : "Local Attribute", "propertyOrder" : 2, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 3, "type" : "boolean" } }, "required" : [ "samlAttribute", "localAttribute" ] } } }, "required" : [ "attributeMapper" ] }, "accountMapper" : { "traverseObject" : true, "title" : "Account Mapper", "type" : "object", "properties" : { "accountMapper" : { "attributeKey" : "idpAccountMapper", "title" : "Account Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultIDPAccountMapper", "description" : "Used to generate Name Identifier in Single Sign-on assertion and find user's identity from incoming request." }, "disableNameIdPersistence" : { "attributeKey" : "idpDisableNameIDPersistence", "title" : "Disable NameID Persistence", "type" : "boolean", "description" : "Disables the persistence of the NameID values into the User Data Store for all persistent NameID-Formats. When the persistent NameID-Format is in use, disabling NameID persistence is not recommended. Note that by preventing the storage of the NameID values, the ManageNameID and the NameIDMapping SAML profiles will no longer work when using any persistent NameID-Formats. 
Existing account links that have been established (and persisted) previously will not be removed when enabling this feature.", "default" : false } } }, "localConfiguration" : { "traverseObject" : true, "title" : "Local Configuration", "type" : "object", "properties" : { "authUrl" : { "attributeKey" : "AuthUrl", "type" : "string", "title" : "Auth URL", "description" : "URL to redirect to for user authentication, if required" }, "reverseProxyUrl" : { "attributeKey" : "RpUrl", "type" : "string", "title" : "Reverse Proxy URL", "description" : "URL of the Reverse Proxy where the SAML endpoints are available" }, "externalApplicationLogoutUrl" : { "attributeKey" : "appLogoutUrl", "type" : "string", "title" : "External Application Logout URL", "description" : "This is the logout URL for an external application. Once the server receives a logout request from the remote partner, a request will be sent to the logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and POST parameter if a query parameter \"appsessionproperty\" (set to the session property name) is included in the URL, e.g. \"http://www.app.domain.com/uri/logout?appsessionproperty=mail\"." } } } } }, "services" : { "propertyOrder" : 2, "title" : "Services", "type" : "object", "traverseObject" : true, "properties" : { "metaAlias" : { "attributeKey" : "metaAlias", "default" : "{idpMetaAlias}", "type" : "string", "title" : "Meta Alias", "readOnly" : true, "description" : "The Meta Alias attribute is specific to providers using OpenAM; therefore, a null value for a remote provider configuration is possible." 
}, "serviceAttributes" : { "title" : "IDP Service Attributes", "type" : "object", "traverseObject" : true, "properties" : { "artifactResolutionService" : { "title" : "Artifact Resolution Service", "type" : "array", "attributePath" : { "value" : "artifactResolutionService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.IndexedEndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/ArtifactResolver/metaAlias{idpMetaAlias}" } ] }, "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ 
"location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/IDPSloRedirect/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPSloRedirect/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/IDPSloPOST/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPSloPOST/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/IDPSloSoap/metaAlias{idpMetaAlias}" } ] }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/IDPMniRedirect/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPMniRedirect/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/IDPMniPOST/metaAlias{idpMetaAlias}", "responseLocation" : "{baseUrl}/IDPMniPOST/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/IDPMniSoap/metaAlias{idpMetaAlias}" } ] }, "singleSignOnService" : { "title" : "Single 
SignOn Service", "type" : "array", "attributePath" : { "value" : "singleSignOnService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/SSORedirect/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/SSOPOST/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/SSOSoap/metaAlias{idpMetaAlias}" } ] } } }, "nameIdMapping" : { "title" : "NameID Mapping", "type" : "array", "attributePath" : { "value" : "nameIDMappingService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response 
Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/NIMSoap/metaAlias{idpMetaAlias}" } ] }, "assertionIdRequest" : { "title" : "Assertion ID Request Service", "type" : "array", "attributePath" : { "value" : "assertionIDRequestService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/AIDReqSoap/IDPRole/metaAlias{idpMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:URI", "location" : "{baseUrl}/AIDReqUri/IDPRole/metaAlias{idpMetaAlias}" } ] } }, "required" : [ "metaAlias" ] }, "advanced" : { "traverseObject" : true, "propertyOrder" : 3, "title" : "Advanced", "type" : "object", "properties" : { "saeConfiguration" : { "traverseObject" : true, "title" : "SAE Configuration", "type" : "object", "properties" : { "idpUrl" : { "attributeKey" : "saeIDPUrl", "title" : "IDP URL", "description" : "URL endpoint on the Identity Provider that can handle SAE requests.", "type" : "string", "default" : "{baseUrl}/idpsaehandler/metaAlias{idpMetaAlias}" }, "applicationSecurityConfiguration" : { "attributeKey" : { "value" : "saeAppSecretList", "mapper" : 
"org.forgerock.openam.federation.rest.schema.mappers.ApplicationSecurityConfigItemMapper" }, "title" : "Application Security Configuration", "type" : "array", "items" : { "type" : "object", "properties" : { "url" : { "title" : "URL", "propertyOrder" : 0, "type" : "string" }, "type" : { "title" : "Type", "propertyOrder" : 1, "type" : "string" }, "pubKeyAlias" : { "title" : "Public Key Alias", "propertyOrder" : 2, "type" : "string" }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "propertyOrder" : 3, "type" : "string" }, "encryptionKeyStrength" : { "title" : "Encryption Key Strength", "propertyOrder" : 4, "type" : "string" }, "secret" : { "title" : "Secret", "propertyOrder" : 5, "type" : "string" } }, "required" : [ "url", "secret" ] } } } }, "ecpConfiguration" : { "traverseObject" : true, "title" : "ECP Configuration", "type" : "object", "properties" : { "idpSessionMapper" : { "attributeKey" : "idpECPSessionMapper", "title" : "IDP Session Mapper", "description" : "Defines an implementation class for the session mapper SPI. The mapper finds a valid session from HTTP servlet request on IDP with ECP profile.", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper" } } }, "sessionSynchronization" : { "traverseObject" : true, "title" : "Session Synchronization", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "idpSessionSyncEnabled", "title" : "Enabled", "description" : "If this is enabled, when a session times out, the Identity Provider notifies all Service Providers to log out. 
A session may time out, for example, when max-idle time or max-session time is reached.", "type" : "boolean", "default" : false } } }, "idpFinderImplementation" : { "traverseObject" : true, "title" : "IDP Finder Implementation", "type" : "object", "properties" : { "idpFinderImplementationClass" : { "attributeKey" : "proxyIDPFinderClass", "title" : "IDP Finder implementation class", "description" : "Defines an implementation class for the Proxy IDP Finder SPI. The implementation is used to find a preferred IdP to send the proxied Authentication Request", "type" : "string" }, "idpFinderJsp" : { "attributeKey" : "proxyIDPFinderJSP", "title" : "IdP Finder JSP", "description" : "Specify the JSP that will present the IdP List to the user, if required by the class implementation (example: proxyidpfinder.jsp)", "type" : "string" }, "enableProxyIdpFinderForAllSps" : { "attributeKey" : "enableProxyIDPFinderForAllSPs", "title" : "Enable Proxy IDP Finder for all SPs", "description" : "If this is enabled the proxy idp finder will be enabled for all the remote SPs regardless of what they have configured in their extended metadata", "type" : "boolean", "default" : false } } }, "relayStateUrlList" : { "traverseObject" : true, "title" : "Relay State URL List", "type" : "object", "properties" : { "relayStateUrlList" : { "attributeKey" : "relayStateUrlList", "title" : "Relay State URL List", "type" : "array", "items" : { "type" : "string" } } } }, "idpAdapter" : { "traverseObject" : true, "title" : "IDP Adapter", "type" : "object", "properties" : { "idpAdapterClass" : { "attributeKey" : "idpAdapter", "title" : "IDP Adapter Class", "type" : "string" }, "idpAdapterScript" : { "attributeKey" : "idpAdapterScript", "title" : "IDP Adapter Script", "description" : "Scripted plugin for IDP Adapter. 
If a script is not selected, the specified IDP Adapter Java Class will be used.", "type" : "string", "default" : "[Empty]" } } } } } } }, "serviceProvider" : { "title" : "Service Provider", "description" : "This schema describes a SAML2 service provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "traverseObject" : true, "title" : "Assertion Content", "type" : "object", "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "description" : "Select the checkbox for each request/response that should be signed\n", "title" : "Request/Response Signing", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/authnRequestsSigned" }, "title" : "Authentication Requests Signed", "type" : "boolean", "default" : false }, "assertion" : { "attributePath" : "/wantAssertionsSigned", "title" : "Assertions Signed", "type" : "boolean", "default" : false }, "postResponse" : { "attributeKey" : "wantPOSTResponseSigned", "title" : "POST Response Signed", "type" : "boolean", "default" : false }, "artifactResponse" : { "attributeKey" : "wantArtifactResponseSigned", "title" : "Artifact Response Signed", "type" : "boolean", "default" : false }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request Signed", "type" : "boolean", "default" : false }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response Signed", "type" : "boolean", "default" : false }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request Signed", "type" : "boolean", "default" : false }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response Signed", "type" : "boolean", "default" : false } } }, "encryption" : { 
"traverseObject" : true, "title" : "Encryption", "type" : "object", "properties" : { "attributeEncryption" : { "attributeKey" : "wantAttributeEncrypted", "title" : "Attribute Encryption", "type" : "boolean" }, "assertionEncryption" : { "attributeKey" : "wantAssertionEncrypted", "title" : "Assertion Encryption", "type" : "boolean" }, "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean" } } }, "secretIdAndAlgorithms" : { "traverseObject" : true, "title" : "Secret ID And Algorithms", "type" : "object", "properties" : { "secretIdIdentifier" : { "type" : "string", "attributeKey" : "secretIdIdentifier", "title" : "Secret ID Identifier", "description" : "This identifier determines the secret ID for this entity provider when resolving secrets. For example, when this value is set to \"demo\", the entity provider will use the am.applications.federation.entity.providers.saml2.demo.signing and am.applications.federation.entity.providers.saml2.demo.encryption secret IDs to resolve the signing and encryption secrets. When left unspecified, AM will use the default global secret IDs specific to the entity provider role (service provider, identity provider, etc.). When the secret ID identifier for a given role is modified, the corresponding mapping is removed if it isn't referenced by other entities." 
}, "signingAlgorithm" : { "title" : "Signing Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SigningAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ] } }, "digestAlgorithm" : { "title" : "Digest Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.DigestAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", 
"http://www.w3.org/2007/05/xmldsig-more#sha3-512" ] } }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "type" : "array", "attributeKey" : { "value" : "encryptionAlgorithms", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EncryptionAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ], "enumNames" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ] } } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. 
Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] }, "disableNameIdPersistence" : { "attributeKey" : "spDoNotWriteFederationInfo", "title" : "Disable NameID persistence", "description" : "Instructs the SP to not persist the SAML NameID into the User Data Store even if the NameID Format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in the received Assertion and the Account Mapper has identified the local user. When local authentication is utilized for account linking purposes, enabling this feature will require end-users to locally authenticate for each SAML-based login.", "type" : "boolean", "default" : false } } }, "authenticationContext" : { "traverseObject" : true, "title" : "Authentication Context", "type" : "object", "properties" : { "authenticationContextMapper" : { "attributeKey" : "spAuthncontextMapper", "title" : "Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper" }, "authContextItems" : { "attributeKey" : { "value" : "spAuthncontextClassrefMapping", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SpAuthContextMapper" }, "description" : "Defines mapping between IDP authentication context reference and authentication level to be set on SP side session", "title" : "Authentication Context", "type" : "array", "items" : { "type" : "object", "properties" : { "contextReference" : { "propertyOrder" : 0, "title" : "Context Reference", "anyOf" : [ 
{ "title" : "Predefined Reference", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession", "urn:oasis:names:tc:SAML:2.0:ac:classes:X.509", "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP", "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig", "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard", "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken", "unspecified" ], "enumNames" : [ "InternetProtocol", "InternetProtocolPassword", "Kerberos", "MobileOneFactorUnregistered", "MobileTwoFactorUnregistered", "MobileOneFactorContract", "MobileTwoFactorContract", "Password", "PasswordProtectedTransport", "PreviousSession", "X.509", "PGP", "SPKI", "XMLDSig", "Smartcard", "SmartcardPKI", "SoftwarePKI", "Telephony", "NomadTelephony", "PersonalTelephony", "AuthenticatedTelephony", "SecureRemotePassword", "TLSClient", "TimeSyncToken", "unspecified" ] }, { "title" : "Custom Reference", "type" : "string" 
} ] }, "level" : { "default" : 0, "minimum" : 0, "propertyOrder" : 1, "title" : "Level", "type" : "integer" }, "defaultItem" : { "propertyOrder" : 2, "title" : "Default", "type" : "boolean" } } }, "default" : [ { "contextReference" : "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "level" : "0", "defaultItem" : true } ] }, "authenticationComparisonType" : { "attributeKey" : { "value" : "spAuthncontextComparisonType", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.AuthComparisonTypeMapper" }, "title" : "Comparison Type", "type" : "string", "enum" : [ "None", "Exact", "Minimum", "Maximum", "Better" ], "default" : "Exact" }, "includeRequestedAuthenticationContext" : { "attributeKey" : "includeRequestedAuthnContext", "title" : "Include Request Authentication Context", "description" : "Enable to include the Requested Authentication Context in the Authentication Request, enabled by default.", "type" : "boolean", "default" : true } } }, "assertionTimeSkew" : { "attributeKey" : "assertionTimeSkew", "title" : "Assertion Time Skew", "description" : "Is in seconds. 
Skew time for the NotBefore and NotOnOrAfter attributes in the assertion's SubjectConfirmationData and Conditions", "type" : "integer", "default" : 300 }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure the basic authentication settings for the SOAP-based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password" } } } } }, "assertionProcessing" : { "propertyOrder" : 1, "traverseObject" : true, "title" : "Assertion Processing", "type" : "object", "properties" : { "attributeMapper" : { "traverseObject" : true, "title" : "Attribute Mapper", "type" : "object", "properties" : { "attributeMapper" : { "attributeKey" : "spAttributeMapper", "title" : "Attribute Mapper", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultSPAttributeMapper" }, "attributeMap" : { "attributeKey" : { "value" : "attributeMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.KeyValueMapper" }, "description" : "This mapping is the configuration used by the Attribute Mapper. Each mapping should be defined as SAML ATTRIBUTE NAME=PROFILE ATTRIBUTE NAME, using the attribute name as it appears in the assertion. 
Example: EmailAddress=mail, Address=postaladdress.", "title" : "Attribute Map", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "propertyOrder" : 0, "title" : "Key", "type" : "string" }, "value" : { "propertyOrder" : 1, "title" : "Value", "type" : "string" } } }, "default" : [ { "key" : "*", "value" : "*" } ] } }, "required" : [ "attributeMapper" ] }, "autoFederation" : { "description" : "Enable Auto Federation if not already federated", "traverseObject" : true, "title" : "Auto Federation", "type" : "object", "properties" : { "autoFedEnabled" : { "attributeKey" : "autofedEnabled", "title" : "Enabled", "description" : "Enable Auto Federation if not already federated", "type" : "boolean", "default" : false }, "autoFedAttribute" : { "attributeKey" : "autofedAttribute", "title" : "Attribute", "description" : "This SAML attribute identifies the user to auto federate with. If this attribute is not present in the assertion then the value of the NameID is used instead. If there is a mapping defined for this attribute, it will be used along with the value when searching for the local user. 
If the local user cannot be found and Dynamic or Ignored Profile is enabled, the value will be used as the local user's UID instead.", "type" : "string" } } }, "accountMapping" : { "traverseObject" : true, "title" : "Account Mapper", "type" : "object", "properties" : { "spAccountMapper" : { "attributeKey" : "spAccountMapper", "title" : "Account Mapper", "description" : "Finds the local user based on the incoming assertion", "type" : "string", "default" : "com.sun.identity.saml2.plugins.DefaultSPAccountMapper" }, "useNameIDAsSPUserID" : { "attributeKey" : "useNameIDAsSPUserID", "title" : "Use Name ID as User ID", "description" : "Use the value of the Name ID from the incoming Assertion to find the local user as a last resort, if other means do not apply", "type" : "boolean", "default" : false }, "transientUser" : { "attributeKey" : "transientUser", "description" : "Can be null. If specified, this will be the mapped SP user in case of transient federation", "title" : "Transient User", "type" : "string" } } }, "responseArtifactMessageEncoding" : { "traverseObject" : true, "title" : "Artifact Message Encoding", "type" : "object", "properties" : { "encoding" : { "attributeKey" : { "value" : "responseArtifactMessageEncoding", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.MessageEncodingMapper" }, "title" : "Artifact Message Encoding", "type" : "string", "enum" : [ "URI", "FORM" ], "default" : "URI" } } }, "url" : { "traverseObject" : true, "title" : "URL", "type" : "object", "properties" : { "localAuthUrl" : { "attributeKey" : "localAuthURL", "title" : "Local Authentication Url", "description" : "Use this property to specify an alternative URL to redirect to after validating the SAML2 assertion from the IDP, for example, if you have created a custom user interface.", "type" : "string" }, "intermediateUrl" : { "attributeKey" : "intermediateUrl", "title" : "Intermediate Url", "description" : "This is the intermediate point that the SP will redirect to 
before the final relay state", "type" : "string" }, "appLogoutUrl" : { "attributeKey" : "appLogoutUrl", "title" : "External Application Logout URL", "description" : "This is the logout URL for an external application. Once the server receives logout request from the remote partner, a request will be sent to the logout URL using back channel HTTP POST with all cookies. Optionally, a user session property could be sent as HTTP header and POST parameter if a query parameter \"appsessionproperty\" (set to the session property name) is included in the URL. e.g. \"http://www.app.domain.com/uri/logout?appsessionproperty=mail\"", "type" : "string" } } }, "defaultRelayState" : { "attributeKey" : "defaultRelayState", "title" : "Default Relay State Url", "description" : "This is the default relay state URL that the SP will redirect to, in case there is no relay state specified in the response", "type" : "string" }, "adapter" : { "traverseObject" : true, "title" : "Adapter", "type" : "object", "properties" : { "spAdapter" : { "attributeKey" : "spAdapter", "title" : "Adapter", "description" : "Implementation class for the SPAdapter which is used to add application specific processing logic during federation process", "type" : "string" }, "spAdapterScript" : { "attributeKey" : "spAdapterScript", "title" : "Adapter Script", "description" : "Scripted plugin for SP Adapter. 
If a script is not selected, the specified SP Adapter Java Class will be used.", "type" : "string", "default" : "[Empty]" }, "spAdapterEnv" : { "attributeKey" : { "value" : "spAdapterEnv", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.KeyValueMapper" }, "title" : "Adapter Environment", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "propertyOrder" : 0, "title" : "Key", "type" : "string" }, "value" : { "propertyOrder" : 1, "title" : "Value", "type" : "string" } } } } } } } }, "services" : { "propertyOrder" : 2, "traverseObject" : true, "type" : "object", "title" : "Services", "properties" : { "metaAlias" : { "attributeKey" : "metaAlias", "default" : "{spMetaAlias}", "title" : "MetaAlias", "description" : "The MetaAlias attribute is specific to providers using OpenAM therefore, a null value for a remote provider configuration is possible.", "type" : "string", "readOnly" : true }, "serviceAttributes" : { "traverseObject" : true, "title" : "SP Service Attributes", "type" : "object", "properties" : { "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", 
"location" : "{baseUrl}/SPSloRedirect/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPSloRedirect/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/SPSloPOST/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPSloPOST/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/SPSloSoap/metaAlias{spMetaAlias}" } ] }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "default" : [ { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "location" : "{baseUrl}/SPMniRedirect/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPMniRedirect/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/SPMniPOST/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPMniPOST/metaAlias{spMetaAlias}" }, { "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "location" : "{baseUrl}/SPMniSoap/metaAlias{spMetaAlias}", "responseLocation" : "{baseUrl}/SPMniSoap/metaAlias{spMetaAlias}" } ] }, "assertionConsumerService" : { "attributePath" : { "value" : "assertionConsumerService", 
"mapper" : "org.forgerock.openam.federation.rest.schema.mappers.ExtendedIndexedEndpointMapper" }, "title" : "Assertion Consumer Service", "description" : "Location denotes the URL to accept the respective request type. Index denotes the index of the URL in the standard metadata", "type" : "array", "items" : { "type" : "object", "properties" : { "isDefault" : { "type" : "boolean" }, "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-Artifact", "HTTP-POST", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "index" : { "type" : "integer" } } }, "default" : [ { "isDefault" : true, "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "location" : "{baseUrl}/Consumer/metaAlias{spMetaAlias}", "index" : "0" }, { "isDefault" : false, "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "location" : "{baseUrl}/Consumer/metaAlias{spMetaAlias}", "index" : "1" }, { "isDefault" : false, "binding" : "urn:oasis:names:tc:SAML:2.0:bindings:PAOS", "location" : "{baseUrl}/Consumer/ECP/metaAlias{spMetaAlias}", "index" : "2" } ] } } } } }, "advanced" : { "propertyOrder" : 3, "traverseObject" : true, "type" : "object", "title" : "Advanced", "properties" : { "saeConfiguration" : { "traverseObject" : true, "title" : "SAE Configuration", "type" : "object", "properties" : { "spUrl" : { "attributeKey" : "saeSPUrl", "title" : "SP URL", "description" : "URL endpoint on Service Provider that can handle SAE requests. If this URL is empty (not configured), SAE single sign-on will not be enabled. 
Normal samlv2 single sign-on response will be sent to SP", "type" : "string", "default" : "{baseUrl}/spsaehandler/metaAlias{spMetaAlias}" }, "spLogoutUrl" : { "attributeKey" : "saeSPLogoutUrl", "title" : "SP Logout URL", "description" : "URL endpoint on the Service Provider that can handle SAE global logout requests", "type" : "string" }, "applicationSecurityConfiguration" : { "attributeKey" : { "value" : "saeAppSecretList", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.ApplicationSecurityConfigItemMapper" }, "title" : "Application Security Configuration", "type" : "array", "items" : { "type" : "object", "properties" : { "url" : { "title" : "URL", "propertyOrder" : 0, "type" : "string" }, "type" : { "title" : "Type", "propertyOrder" : 1, "type" : "string" }, "pubKeyAlias" : { "title" : "Public Key Alias", "propertyOrder" : 2, "type" : "string" }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "propertyOrder" : 3, "type" : "string" }, "encryptionKeyStrength" : { "title" : "Encryption Key Strength", "propertyOrder" : 4, "type" : "string" }, "secret" : { "title" : "Secret", "propertyOrder" : 5, "type" : "string" } }, "required" : [ "url", "secret" ] } } } }, "ecpConfiguration" : { "traverseObject" : true, "title" : "ECP Configuration", "type" : "object", "properties" : { "ecpRequestIdpListFinderImpl" : { "attributeKey" : "ECPRequestIDPListFinderImpl", "title" : "Request IDP List Finder Implementation", "description" : "Implementation class of the IDP list finder SPI. 
This returns a list of preferred IDPs trusted by the ECP", "type" : "string", "default" : "com.sun.identity.saml2.plugins.ECPIDPFinder" }, "ecpRequestIdpListGetComplete" : { "attributeKey" : "ECPRequestIDPListGetComplete", "title" : "Request IDP List Get Complete", "description" : "Specify a URI reference that can be used to retrieve the complete IDP list if the IDPList element is not complete", "type" : "string" }, "ecpRequestIdpList" : { "attributeKey" : "ECPRequestIDPList", "title" : "Request IDP List", "description" : "Defines a list of IDPs for the ECP to contact. This is used by the default implementation of the IDP Finder", "type" : "array", "items" : { "type" : "string" } } } }, "idpProxy" : { "traverseObject" : true, "title" : "IDP Proxy", "type" : "object", "properties" : { "enableIdpProxy" : { "attributeKey" : "enableIDPProxy", "title" : "IDP Proxy enabled", "description" : "Enable the IDP Proxy", "type" : "boolean", "default" : false }, "useIntroductionForIdpProxy" : { "attributeKey" : "useIntroductionForIDPProxy", "title" : "Introduction enabled", "type" : "boolean", "default" : false }, "idpProxyCount" : { "attributeKey" : "idpProxyCount", "title" : "Proxy Count", "description" : "Number of IDP proxies that the SP can have", "type" : "integer", "default" : 0 }, "idpProxyList" : { "attributeKey" : "idpProxyList", "description" : "A list of preferred IDPs that the SP can proxy to", "title" : "IDP Proxy List", "type" : "array", "items" : { "type" : "string" } } } }, "spSessionSyncEnabled" : { "attributeKey" : "spSessionSyncEnabled", "title" : "Session Synchronization", "description" : "If this is enabled, when a session times out, the Service Provider notifies all Identity Providers to log out. 
A session may time out, for example, when max-idle time or max-session time is reached.", "type" : "boolean", "default" : false }, "relayStateUrlList" : { "traverseObject" : true, "title" : "Relay State URL List", "type" : "object", "properties" : { "relayStateUrlList" : { "attributeKey" : "relayStateUrlList", "title" : "Relay State URL List", "type" : "array", "items" : { "type" : "string" } } } } } } } } }, "required" : [ "entityId" ], "$id" : "https://www.forgerock.com/hostedSaml2EntityProvider.schema.json" }