SOAPSecurityTokenServices
Realm Operations
The SOAP STS endpoint is responsible for storing the configuration of instances of REST Security Token Services (STS). Available operations are create, read, update, delete, query, schema and template.
Resource path:
/realm-config/services/sts/soap-sts
Resource version: 1.0
create
Usage
am> create SOAPSecurityTokenServices --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "soapStsSaml2" : { "type" : "object", "title" : "SAML2 Token", "propertyOrder" : 3, "properties" : { "saml2-custom-conditions-provider-class-name" : { "title" : "Custom Conditions Provider Class Name ", "description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider interface, and specify the class name of the implementation here.", "propertyOrder" : 2800, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-encryption-key-alias" : { "title" : "Encryption Key Alias", "description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.", "propertyOrder" : 4400, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-signature-key-password" : { "title" : "Signature Key Password", "description" : "", "propertyOrder" : 4600, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "saml2-signature-key-alias" : { "title" : "Signature Key Alias", "description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-key-transport-algorithm" : { "title" : "Key Transport Algorithm", "description" : "This setting controls the encryption algorithm used to encrypt the symmetric encryption key when SAML2 token encryption is enabled. Valid values include: <pre>http://www.w3.org/2001/04/xmlenc#rsa-1_5</pre>, <pre>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</pre>, and <pre>http://www.w3.org/2009/xmlenc11#rsa-oaep</pre>", "propertyOrder" : 4060, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-attribute-map" : { "title" : "Attribute Mappings", "description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFomatURI|]SAML ATTRIBUTE NAME.</code> If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>", "propertyOrder" : 3500, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "saml2-custom-attribute-statements-provider-class-name" : { "title" : "Custom AttributeStatements Class Name", "description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3100, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-keystore-filename" : { "title" : "KeystorePath", "description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.", "propertyOrder" : 4100, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-encrypt-nameid" : { "title" : "Encrypt NameID", "description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.", "propertyOrder" : 3900, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-encrypt-assertion" : { "title" : "Encrypt Assertion", "description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.", "propertyOrder" : 3700, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-custom-authn-context-mapper-class-name" : { "title" : "Custom Authentication Context Class Name", "description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.", "propertyOrder" : 3400, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-custom-subject-provider-class-name" : { "title" : "Custom Subject Provider Class Name ", "description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider interface, and specify the class name of the implementation here.", "propertyOrder" : 2900, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-sp-entity-id" : { "title" : "Service Provider Entity Id", "description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-sp-acs-url" : { "title" : "Service Provider Assertion Consumer Service Url", "description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.", "propertyOrder" : 2500, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-keystore-password" : { "title" : "Keystore Password", "description" : "", "propertyOrder" : 4200, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "issuer-name" : { "title" : "SAML2 issuer Id", "description" : "", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-encrypt-attributes" : { "title" : "Encrypt Attributes", "description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.", "propertyOrder" : 3800, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-name-id-format" : { "title" : "NameIdFormat", "description" : "", "propertyOrder" : 2600, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-sign-assertion" : { "title" : "Sign Assertion", "description" : "", "propertyOrder" : 3600, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-token-lifetime-seconds" : { "title" : "Token Lifetime (Seconds)", "description" : "", "propertyOrder" : 2700, "required" : false, "type" : "integer", "exampleValue" : "" }, "saml2-custom-authz-decision-statements-provider-class-name" : { "title" : "Custom Authorization Decision Statements Class Name", "description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3200, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-encryption-algorithm" : { "title" : "Encryption Algorithm", "description" : "Algorithm used to encrypt generated assertions.", "propertyOrder" : 4000, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-custom-attribute-mapper-class-name" : { "title" : "Custom Attribute Mapper Class Name", "description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3300, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-custom-authentication-statements-provider-class-name" : { "title" : "Custom AuthenticationStatements Class Name", "description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "soapStsOidc" : { "type" : "object", "title" : "OpenID Connect Token ", "propertyOrder" : 4, "properties" : { "oidc-keystore-password" : { "title" : "KeyStore Password", "description" : "", "propertyOrder" : 5200, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "oidc-claim-map" : { "title" : "Claim Map", "description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.", "propertyOrder" : 6100, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "oidc-signature-algorithm" : { "title" : "Token Signature Algorithm", "description" : "Algorithm used to sign issued OIDC tokens", "propertyOrder" : 4900, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-keystore-location" : { "title" : "KeyStore Location", "description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.", "propertyOrder" : 5100, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-public-key-reference-type" : { "title" : "Public Key Reference Type", "description" : "For tokens signed with RSA, how should corresponding public key be referenced in the issued jwt", "propertyOrder" : 5000, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-authorized-party" : { "title" : "Authorized Party ", "description" : "Optional. Will be set in the azp claim", "propertyOrder" : 6000, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-client-secret" : { "title" : "Client Secret", "description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.", "propertyOrder" : 5700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "oidc-signature-key-alias" : { "title" : "KeyStore Signing Key Alias", "description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign assertions.", "propertyOrder" : 5400, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-audience" : { "title" : "Issued Tokens Audience", "description" : "Contents will be set in the aud claim", "propertyOrder" : 5900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidc-token-lifetime-seconds" : { "title" : "Token Lifetime (Seconds)", "description" : "", "propertyOrder" : 4800, "required" : false, "type" : "integer", "exampleValue" : "" }, "oidc-custom-authn-method-references-mapper-class" : { "title" : "Custom Authn Methods References Mapper Class", "description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 6400, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-custom-authn-context-mapper-class" : { "title" : "Custom Authn Context Mapper Class", "description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 6300, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-custom-claim-mapper-class" : { "title" : "Custom Claim Mapper Class", "description" : "", "propertyOrder" : 6200, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-issuer" : { "title" : "OpenID Connect Token Provider ID", "description" : "", "propertyOrder" : 4700, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-signature-key-password" : { "title" : "Signature Key Password", "description" : "", "propertyOrder" : 5500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } } }, "soapStsDeployment" : { "type" : "object", "title" : "Deployment", "propertyOrder" : 1, "properties" : { "deployment-wsdl-location" : { "title" : "Wsdl File Referencing Security Policy Binding Selection", "description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your sts instance. This choice will determine the SecurityPolicy bindings in the wsdl file defining the WS-Trust API<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. Note if a custom wsdl file is chose, the user is responsible for providing a properly formatted wsdl file. See documentation for details.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "delegation-custom-token-handlers" : { "title" : "Custom Delegation Handlers ", "description" : "If delegation relationships are supported, the class names soap-sts .war file classpath resident implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface can be specified here.<br><br>Custom TokenDelegationHandler implementations will be invoked to validate the potentially custom token element included in the ActAs/OnBehalfOf element in the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens. The validation of these tokens are supported out-of-the-box by selecting them in the Delegated Token Types list.", "propertyOrder" : 1300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "deployment-custom-wsdl-location" : { "title" : "Custom wsdl File", "description" : "The location (on soap-sts .war accessible filesystem or soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of standard soap-sts wdsl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.", "propertyOrder" : 800, "required" : false, "type" : "string", "exampleValue" : "" }, "deployment-custom-service-port" : { "title" : "Custom Port QName", "description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "deployment-am-url" : { "title" : "OpenAM URL", "description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "delegation-relationship-supported" : { "title" : "Delegation Relationships Supported", "description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.", "propertyOrder" : 1100, "required" : false, "type" : "boolean", "exampleValue" : "" }, "deployment-custom-service-name" : { "title" : "Custom Service QName", "description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>", "propertyOrder" : 900, "required" : false, "type" : "string", "exampleValue" : "" }, "deployment-auth-target-mappings" : { "title" : "Authentication Target Mappings", "description" : "Configuration of consumption of OpenAM's rest-authN<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context needs to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context. <r>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming a X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where Certificate module has been configured to find the client's Certificate.", "propertyOrder" : 500, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "delegation-validated-token-types" : { "title" : "Delegated Token Types", "description" : "If delegation relationships are supported, out-of-the-box validation support for the validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here. If delegation relationships are supported, out-of-the-box validation support for the validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then no Custom Delegation Handlers must be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.", "propertyOrder" : 1200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "soapStsSoap" : { "type" : "object", "title" : "Soap Keystore", "propertyOrder" : 2, "properties" : { "soap-signature-key-alias" : { "title" : "Signature Key Alias", "description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "soap-keystore-filename" : { "title" : "Soap Keystore Location", "description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.", "propertyOrder" : 1400, "required" : false, "type" : "string", "exampleValue" : "" }, "soap-keystore-password" : { "title" : "Keystore Password", "description" : "", "propertyOrder" : 1500, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "soap-encryption-key-password" : { "title" : "Decryption Key Password", "description" : "", "propertyOrder" : 2100, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "soap-signature-key-password" : { "title" : "Signature Key Password", "description" : "", "propertyOrder" : 1800, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "soap-encryption-key-alias" : { "title" : "Decryption Key Alias", "description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.", "propertyOrder" : 2000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "soapStsGeneral" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "security-policy-validated-token-config" : { "title" : "Security Policy Validated Token", "description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation, should be invalidated following token issue.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "persist-issued-tokens-in-cts" : { "title" : "Persist Issued Tokens in Core Token Store", "description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.", "propertyOrder" : 100, "required" : false, "type" : "boolean", "exampleValue" : "" }, "issued-token-types" : { "title" : "Issued Tokens", "description" : "Determines which tokens this soap STS instance will issue", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }
delete
Usage
am> delete SOAPSecurityTokenServices --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action SOAPSecurityTokenServices --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action SOAPSecurityTokenServices --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action SOAPSecurityTokenServices --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query SOAPSecurityTokenServices --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read SOAPSecurityTokenServices --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update SOAPSecurityTokenServices --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "soapStsSaml2" : { "type" : "object", "title" : "SAML2 Token", "propertyOrder" : 3, "properties" : { "saml2-custom-conditions-provider-class-name" : { "title" : "Custom Conditions Provider Class Name ", "description" : "If the Conditions of the issued SAML2 assertion need to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider interface, and specify the class name of the implementation here.", "propertyOrder" : 2800, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-encryption-key-alias" : { "title" : "Encryption Key Alias", "description" : "This alias corresponds to the SP's x509 Certificate identified by the SP Entity ID for this rest-sts instance. Not necessary unless assertions are to be encrypted.", "propertyOrder" : 4400, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-signature-key-password" : { "title" : "Signature Key Password", "description" : "", "propertyOrder" : 4600, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "saml2-signature-key-alias" : { "title" : "Signature Key Alias", "description" : "Corresponds to the private key of the IdP. Will be used to sign assertions. Value can remain unspecified unless assertions are signed.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-key-transport-algorithm" : { "title" : "Key Transport Algorithm", "description" : "This setting controls the encryption algorithm used to encrypt the symmetric encryption key when SAML2 token encryption is enabled. Valid values include: <pre>http://www.w3.org/2001/04/xmlenc#rsa-1_5</pre>, <pre>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</pre>, and <pre>http://www.w3.org/2009/xmlenc11#rsa-oaep</pre>", "propertyOrder" : 4060, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-attribute-map" : { "title" : "Attribute Mappings", "description" : "Contains the mapping of assertion attribute names (Map keys) to local OpenAM attributes (Map values) in configured data stores.<br>Format: <code>assertion_attr_name=ldap_attr_name</code><br><br>The DefaultAttributeMapper looks at profile attributes in configured data stores, or in Session properties. The keys will define the name of the attributes included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state corresponding to the map value will define the value corresponding to this attribute name. The keys can have the format <code>[NameFomatURI|]SAML ATTRIBUTE NAME.</code> If the attribute value is enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be followed by ';binary'.<br>Examples: <ul><li>EmailAddress=mail</li><li>Address=postaladdress</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|urn:mace:dir:attribute-def:cn=cn</li><li>partnerID=\"staticPartnerIDValue\"</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|nameID=\"staticNameIDValue\"</li><li>photo=photo;binary</li><li>urn:oasis:names:tc:SAML:2.0:attrname-format:uri|photo=photo;binary</li></ul>", "propertyOrder" : 3500, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "saml2-custom-attribute-statements-provider-class-name" : { "title" : "Custom AttributeStatements Class Name", "description" : "If the AttributeStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeStatementsProvider</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3100, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-keystore-filename" : { "title" : "KeystorePath", "description" : "Path to keystore<br><br>Provide either the full filesystem path to a filesystem resident keystore, or a classpath-relative path to a keystore bundled in the OpenAM .war file. This keystore contains the IdP public/private keys and SP public key for signed and/or encrypted assertions. If assertions are neither signed nor encrypted, these values need not be specified.", "propertyOrder" : 4100, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-encrypt-nameid" : { "title" : "Encrypt NameID", "description" : "Check this box if the assertion NameID should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.", "propertyOrder" : 3900, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-encrypt-assertion" : { "title" : "Encrypt Assertion", "description" : "Check this box if the entire assertion should be encrypted. If this box is checked, the Encrypt NameID and Encrypt Attributes boxes cannot be checked.", "propertyOrder" : 3700, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-custom-authn-context-mapper-class-name" : { "title" : "Custom Authentication Context Class Name", "description" : "If the AuthnContext mapping implemented by the <code>org.forgerock.openam.sts.soap.token.provider.saml2.DefaultSaml2XmlTokenAuthnContextMapper</code> class needs to be customized, implement the <code>org.forgerock.openam.sts.soap.token.provider.saml2.Saml2XmlTokenAuthnContextMapper</code> interface, and specify the name of the implementation here.", "propertyOrder" : 3400, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-custom-subject-provider-class-name" : { "title" : "Custom Subject Provider Class Name ", "description" : "If the Subject of the issued SAML2 assertion needs to be customized, implement the org.forgerock.openam.sts.tokengeneration.saml2.statements.SubjectProvider interface, and specify the class name of the implementation here.", "propertyOrder" : 2900, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-sp-entity-id" : { "title" : "Service Provider Entity Id", "description" : "Values will be used to populate the Audiences of the AudienceRestriction element of the Conditions element. This value is required when issuing Bearer assertions. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-sp-acs-url" : { "title" : "Service Provider Assertion Consumer Service Url", "description" : "When issuing bearer assertions, the recipient attribute of the SubjectConfirmation element must be set to the Service Provider Assertion Consumer Service Url. See section 4.1.4.2 of Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 for details. Value required when issuing Bearer assertions.", "propertyOrder" : 2500, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-keystore-password" : { "title" : "Keystore Password", "description" : "", "propertyOrder" : 4200, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "issuer-name" : { "title" : "SAML2 issuer Id", "description" : "", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-encrypt-attributes" : { "title" : "Encrypt Attributes", "description" : "Check this box if the assertion Attributes should be encrypted. If this box is checked, the Encrypt Assertion box cannot be checked.", "propertyOrder" : 3800, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-name-id-format" : { "title" : "NameIdFormat", "description" : "", "propertyOrder" : 2600, "required" : true, "type" : "string", "exampleValue" : "" }, "saml2-sign-assertion" : { "title" : "Sign Assertion", "description" : "", "propertyOrder" : 3600, "required" : false, "type" : "boolean", "exampleValue" : "" }, "saml2-token-lifetime-seconds" : { "title" : "Token Lifetime (Seconds)", "description" : "", "propertyOrder" : 2700, "required" : false, "type" : "integer", "exampleValue" : "" }, "saml2-custom-authz-decision-statements-provider-class-name" : { "title" : "Custom Authorization Decision Statements Class Name", "description" : "If the AuthorizationDecisionStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthzDecisionStatementsProvider</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3200, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-encryption-algorithm" : { "title" : "Encryption Algorithm", "description" : "Algorithm used to encrypt generated assertions.", "propertyOrder" : 4000, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-custom-attribute-mapper-class-name" : { "title" : "Custom Attribute Mapper Class Name", "description" : "If the class implementing attribute mapping for attributes contained in the issued SAML2 assertion needs to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AttributeMapper</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3300, "required" : false, "type" : "string", "exampleValue" : "" }, "saml2-custom-authentication-statements-provider-class-name" : { "title" : "Custom AuthenticationStatements Class Name", "description" : "If the AuthenticationStatements of the issued SAML2 assertion need to be customized, implement the <code>org.forgerock.openam.sts.tokengeneration.saml2.statements.AuthenticationStatementsProvider</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 3000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "soapStsOidc" : { "type" : "object", "title" : "OpenID Connect Token ", "propertyOrder" : 4, "properties" : { "oidc-keystore-password" : { "title" : "KeyStore Password", "description" : "", "propertyOrder" : 5200, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "oidc-claim-map" : { "title" : "Claim Map", "description" : "Contains the mapping of OIDC token claim names (Map keys) to local OpenAM attributes (Map values) in configured data stores. Format: <code>claim_name=attribute_name</code><br><br>The keys in the map will be claim entries in the issued OIDC token, and the value of these claims will be the principal attribute state resulting from LDAP datastore lookup of the map values. If no values are returned from the LDAP datastore lookup of the attribute corresponding to the map value, no claim will be set in the issued OIDC token.", "propertyOrder" : 6100, "required" : false, "patternProperties" : { ".*" : { "type" : "string" } }, "type" : "object", "exampleValue" : "" }, "oidc-signature-algorithm" : { "title" : "Token Signature Algorithm", "description" : "Algorithm used to sign issued OIDC tokens", "propertyOrder" : 4900, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-keystore-location" : { "title" : "KeyStore Location", "description" : "For RSA-signed tokens, the filesystem or classpath location of the KeyStore containing signing key entry<br><br>For RSA-signed tokens, the KeyStore location, password, signing-key alias, and signing key password must be specified. The client secret is not required for RSA-signed tokens.", "propertyOrder" : 5100, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-public-key-reference-type" : { "title" : "Public Key Reference Type", "description" : "For tokens signed with RSA, how should corresponding public key be referenced in the issued jwt", "propertyOrder" : 5000, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-authorized-party" : { "title" : "Authorized Party ", "description" : "Optional. Will be set in the azp claim", "propertyOrder" : 6000, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-client-secret" : { "title" : "Client Secret", "description" : "For HMAC-signed tokens, the client secret used as the HMAC key<br><br>For HMAC-signed tokens, the KeyStore location, password, signature key alias and password configurations are not required.", "propertyOrder" : 5700, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "oidc-signature-key-alias" : { "title" : "KeyStore Signing Key Alias", "description" : "For RSA-signed tokens, corresponds to the private key of the OIDC OP. Will be used to sign assertions.", "propertyOrder" : 5400, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-audience" : { "title" : "Issued Tokens Audience", "description" : "Contents will be set in the aud claim", "propertyOrder" : 5900, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "oidc-token-lifetime-seconds" : { "title" : "Token Lifetime (Seconds)", "description" : "", "propertyOrder" : 4800, "required" : false, "type" : "integer", "exampleValue" : "" }, "oidc-custom-authn-method-references-mapper-class" : { "title" : "Custom Authn Methods References Mapper Class", "description" : "If issued OIDC tokens are to contain amr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthMethodReferencesMapper</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 6400, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-custom-authn-context-mapper-class" : { "title" : "Custom Authn Context Mapper Class", "description" : "If issued OIDC tokens are to contain acr claims, implement the <code>org.forgerock.openam.sts.rest.token.provider.oidc.OpenIdConnectTokenAuthnContextMapper</code> interface, and specify the class name of the implementation here.", "propertyOrder" : 6300, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-custom-claim-mapper-class" : { "title" : "Custom Claim Mapper Class", "description" : "", "propertyOrder" : 6200, "required" : false, "type" : "string", "exampleValue" : "" }, "oidc-issuer" : { "title" : "OpenID Connect Token Provider ID", "description" : "", "propertyOrder" : 4700, "required" : true, "type" : "string", "exampleValue" : "" }, "oidc-signature-key-password" : { "title" : "Signature Key Password", "description" : "", "propertyOrder" : 5500, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" } } }, "soapStsDeployment" : { "type" : "object", "title" : "Deployment", "propertyOrder" : 1, "properties" : { "deployment-wsdl-location" : { "title" : "Wsdl File Referencing Security Policy Binding Selection", "description" : "Choose the SupportingToken type and corresponding SecurityPolicy binding which will protect your sts instance. This choice will determine the SecurityPolicy bindings in the wsdl file defining the WS-Trust API<br><br>Note that the SupportingToken type selected must correspond to the Security Policy Validated Token selection. Note if a custom wsdl file is chose, the user is responsible for providing a properly formatted wsdl file. See documentation for details.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "delegation-custom-token-handlers" : { "title" : "Custom Delegation Handlers ", "description" : "If delegation relationships are supported, the class names soap-sts .war file classpath resident implementations of the <code>org.apache.cxf.sts.token.delegation.TokenDelegationHandler</code> interface can be specified here.<br><br>Custom TokenDelegationHandler implementations will be invoked to validate the potentially custom token element included in the ActAs/OnBehalfOf element in the RequestSecurityToken invocation. Note that a TokenDelegationHandler does not need to be supplied to validate username or OpenAM session tokens. The validation of these tokens are supported out-of-the-box by selecting them in the Delegated Token Types list.", "propertyOrder" : 1300, "required" : false, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "deployment-custom-wsdl-location" : { "title" : "Custom wsdl File", "description" : "The location (on soap-sts .war accessible filesystem or soap-sts .war classpath) of the custom wsdl file.<br><br>If the signing and/or encryption of the request and/or response messages specified in the SecurityPolicy bindings of standard soap-sts wdsl files must be customized, specify the name of the customized wsdl file here. See documentation for additional details.", "propertyOrder" : 800, "required" : false, "type" : "string", "exampleValue" : "" }, "deployment-custom-service-port" : { "title" : "Custom Port QName", "description" : "The name attribute of the wsdl:Port element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_port_name</code>", "propertyOrder" : 1000, "required" : false, "type" : "string", "exampleValue" : "" }, "deployment-am-url" : { "title" : "OpenAM URL", "description" : "Set to URL of the OpenAM instance or site deployment.<br><br>The OpenAM deployment will be consulted for published soap-sts instances, and to authenticate and issue tokens.", "propertyOrder" : 600, "required" : true, "type" : "string", "exampleValue" : "" }, "delegation-relationship-supported" : { "title" : "Delegation Relationships Supported", "description" : "Check if the RST will include ActAs/OnBehalfOf token elements<br><br>If SAML2 assertions with SenderVouches SubjectConfirmation are to be issued, this box must be checked.", "propertyOrder" : 1100, "required" : false, "type" : "boolean", "exampleValue" : "" }, "deployment-custom-service-name" : { "title" : "Custom Service QName", "description" : "The name attribute of the wsdl:Service element referenced in the Custom wsdl File, in QName format.<br><br>Example: <code>{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}service_name</code>", "propertyOrder" : 900, "required" : false, "type" : "string", "exampleValue" : "" }, "deployment-auth-target-mappings" : { "title" : "Authentication Target Mappings", "description" : "Configuration of consumption of OpenAM's rest-authN<br><br>Each deployed STS is configured with the authentication targets for each input token type for each supported token transformation. For example, if the transformation OPENIDCONNECT->SAML2 is supported, the STS instance must be configured with information specifying which elements of the OpenAM restful authentication context needs to be consumed to validate the OPENIDCONNECT token. The elements of the configuration tuple are separated by '|'. <br>The first element is the input token type in the token transform: i.e. X509, OPENIDCONNECT, USERNAME, or OPENAM. The second element is the authentication target - i.e. either 'module' or 'service', and the third element is the name of the authentication module or service. The fourth (optional) element provides the STS authentication context information about the to-be-consumed authentication context. <r>When transforming OpenID Connect Id tokens, the OpenID Connect authentication module must be consumed, and thus a deployed rest-sts instance must be configured with the name of the header/cookie element where the OpenID Connect Id token will be placed. For this example, the following string would define these configurations: <code>OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token</code>. In this case, 'oidc' is the name of the OpenID Connect authentication module created to authenticate OpenID Connect tokens. <br>When transforming a X509 Certificate, the Certificate module must be consumed, and the published rest-sts instance must be configured with the name of the Certificate module (or the service containing the module), and the header name configured for the Certificate module corresponding to where the Certificate module can expect to find the to-be-validated Certificate. The following string would define these configurations: <code>X509|module|cert_module|x509_token_auth_target_header_key=client_cert</code>. In this case 'cert_module' is the name of the Certificate module, and client_cert is the header name where Certificate module has been configured to find the client's Certificate.", "propertyOrder" : 500, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "delegation-validated-token-types" : { "title" : "Delegated Token Types", "description" : "If delegation relationships are supported, out-of-the-box validation support for the validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here. If delegation relationships are supported, out-of-the-box validation support for the validation of username and OpenAM session tokens included as the ActAs/OnBehalfOf element is configured here.<br><br>If a value is selected in this list, then no Custom Delegation Handlers must be specified. The true/false value indicates whether the interim OpenAM session, created as part of delegated token validation, should be invalidated following token creation.", "propertyOrder" : 1200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "soapStsSoap" : { "type" : "object", "title" : "Soap Keystore", "propertyOrder" : 2, "properties" : { "soap-signature-key-alias" : { "title" : "Signature Key Alias", "description" : "Alias of key used to sign messages from STS. Necessary for asymmetric binding.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "soap-keystore-filename" : { "title" : "Soap Keystore Location", "description" : "The location of the keystore which contains the key state necessary for the CXF and WSS4j runtime to enforce the SecurityPolicy bindings associated with this STS instance.", "propertyOrder" : 1400, "required" : false, "type" : "string", "exampleValue" : "" }, "soap-keystore-password" : { "title" : "Keystore Password", "description" : "", "propertyOrder" : 1500, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "soap-encryption-key-password" : { "title" : "Decryption Key Password", "description" : "", "propertyOrder" : 2100, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "soap-signature-key-password" : { "title" : "Signature Key Password", "description" : "", "propertyOrder" : 1800, "required" : false, "type" : "string", "format" : "password", "exampleValue" : "" }, "soap-encryption-key-alias" : { "title" : "Decryption Key Alias", "description" : "Alias of key used by the STS to decrypt client messages in the asymmetric binding, and to decrypt the client-generated symmetric key in the symmetric binding. Corresponds to an STS PrivateKeyEntry.", "propertyOrder" : 2000, "required" : false, "type" : "string", "exampleValue" : "" } } }, "soapStsGeneral" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "security-policy-validated-token-config" : { "title" : "Security Policy Validated Token", "description" : "Determines the SupportingToken type in the WS-SecurityPolicy bindings in the soap STS' wsdl, and whether the interim OpenAM session resulting from successful SupportingToken validation, should be invalidated following token issue.", "propertyOrder" : 300, "required" : true, "items" : { "type" : "string" }, "minItems" : 1, "type" : "array", "exampleValue" : "" }, "persist-issued-tokens-in-cts" : { "title" : "Persist Issued Tokens in Core Token Store", "description" : "Necessary to support token validation and cancellation<br><br>Validation of STS-issued tokens will involve determining whether the token has been issued, has not expired, and has not been cancelled. Token cancellation involves removing the record of this token from the CTS. Thus CTS persistence of STS-issued tokens is required to support these features.", "propertyOrder" : 100, "required" : false, "type" : "boolean", "exampleValue" : "" }, "issued-token-types" : { "title" : "Issued Tokens", "description" : "Determines which tokens this soap STS instance will issue", "propertyOrder" : 200, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } } } }