RemoteSaml2EntityProvider
Realm Operations
Allows the management of remote SAML2 entity providers.
Resource path:
/realm-config/saml2/remote
Resource version: 1.0
delete
Removes the SAML2 entity provider from the configuration, including all of its associated roles.
Usage
am> delete RemoteSaml2EntityProvider --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
importEntity
Import the standard metadata of a remote entity provider.
Usage
am> action RemoteSaml2EntityProvider --realm Realm --body body --actionName importEntity
Parameters
- --body: The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-04/schema#", "description" : "The JSON schema for importEntity action requests.", "type" : "object", "title" : "Import remote entity provider request", "properties" : { "standardMetadata" : { "type" : "string", "title" : "Standard Metadata", "description" : "The standard SAML metadata for the remote entity provider. The value should be Base64url encoded." } }, "required" : [ "standardMetadata" ] }
read
Returns the roles of the SAML2 entity provider.
Usage
am> read RemoteSaml2EntityProvider --realm Realm --id id
Parameters
- --id: The unique identifier for the resource.
update
Updates details of the SAML2 entity provider role.
Usage
am> update RemoteSaml2EntityProvider --realm Realm --id id --body body
Parameters
- --id: The unique identifier for the resource.
- --body: The resource in JSON format, described by the following JSON schema:
{ "$schema" : "http://json-schema.org/draft-07/schema#", "ignoredProperties" : [ "_id", "_rev" ], "description" : "This schema describes a remote SAML2 entity provider.", "title" : "SAML2 Remote Entity Provider", "type" : "object", "properties" : { "entityId" : { "type" : "string" }, "identityProvider" : { "title" : "Remote Identity Provider", "description" : "This schema describes a SAML2 remote identity provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "traverseObject" : true, "title" : "Assertion Content", "type" : "object", "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "title" : "Request/Response Signing", "description" : "Select the checkbox for each request/response that should be signed", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/wantAuthnRequestsSigned" }, "title" : "Authentication Request", "type" : "boolean", "default" : false }, "artifactResolve" : { "attributeKey" : "wantArtifactResolveSigned", "title" : "Artifact Resolve", "type" : "boolean", "default" : false }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request", "type" : "boolean", "default" : false }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response", "type" : "boolean", "default" : false }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request", "type" : "boolean", "default" : false }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response", "type" : "boolean", "default" : false } }, "required" : [ "authenticationRequest", "artifactResolve", "logoutRequest", "logoutResponse", "manageNameIdRequest", "manageNameIdResponse" ] }, "encryption" : { "traverseObject" 
: true, "title" : "Encryption", "type" : "object", "properties" : { "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean", "default" : false } }, "required" : [ "nameIdEncryption" ] }, "secretIdAndAlgorithms" : { "traverseObject" : true, "title" : "Algorithms", "type" : "object", "properties" : { "signingAlgorithm" : { "title" : "Signing Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SigningAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ] } }, "digestAlgorithm" : { "title" : "Digest Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.DigestAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", 
"http://www.w3.org/2007/05/xmldsig-more#sha3-512" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ] } }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "type" : "array", "attributeKey" : { "value" : "encryptionAlgorithms", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EncryptionAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ], "enumNames" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ] } } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. 
Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] } } }, "secrets" : { "traverseObject" : true, "title" : "Secrets", "type" : "object", "properties" : { "secretIdIdentifier" : { "type" : "string", "attributeKey" : "secretIdIdentifier", "title" : "Secret Label Identifier", "description" : "This identifier determines the secret label for this entity provider when resolving secrets. For example, when this value is set to \"demo\" and is used for a \"purpose\", the entity provider will use the am.applications.federation.entity.providers.saml2.demo.purpose secret label to resolve the secret. When the secret label identifier for a given role is modified, the corresponding mappings are removed if they aren't referenced by other entities." 
} } }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password", "description" : "<strong>Note:</strong> This value is ignored if the value of the Secret Label Identifier is provided and a mapping exists for the secret label \n<code>am.applications.federation.entity.providers.saml2.demo.basicauth</code> to a secret in a secret store where \"demo\" is the value of the Secret Label Identifier in this example." } } }, "clientAuthentication" : { "traverseObject" : true, "title" : "Client Authentication", "description" : "Select the checkbox for each request that should send a client certificate", "type" : "object", "properties" : { "artifactResolveMTLS" : { "attributeKey" : "wantArtifactResolveMTLS", "title" : "Artifact Resolve", "description" : "Instructs the SP to send a client certificate along with the Artifact Resolve request.", "type" : "boolean", "default" : false } } } } }, "services" : { "propertyOrder" : 1, "traverseObject" : true, "title" : "Services", "type" : "object", "properties" : { "serviceAttributes" : { "type" : "object", "title" : "IDP Service Attributes", "traverseObject" : true, "properties" : { "artifactResolutionService" : { "title" : "Artifact Resolution Service", "type" : "array", "attributePath" : { "value" : "artifactResolutionService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.IndexedEndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : 
"Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } }, "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], 
"enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } }, "singleSignOnService" : { "title" : "Single SignOn Service", "type" : "array", "attributePath" : { "value" : "singleSignOnService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } } } }, "nameIdMapping" : { "title" : "NameID Mapping", "type" : "array", "attributePath" : { "value" : "nameIDMappingService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] } } } 
} } }, "serviceProvider" : { "title" : "Remote Service Provider", "description" : "This schema describes a SAML2 remote service provider.", "type" : "object", "traverseObject" : true, "properties" : { "assertionContent" : { "propertyOrder" : 0, "traverseObject" : true, "title" : "Assertion Content", "type" : "object", "properties" : { "signingAndEncryption" : { "traverseObject" : true, "title" : "Signing And Encryption", "type" : "object", "properties" : { "requestResponseSigning" : { "traverseObject" : true, "description" : "Select the checkbox for each request/response that should be signed", "title" : "Request/Response Signing", "type" : "object", "properties" : { "authenticationRequest" : { "attributePath" : { "value" : "/authnRequestsSigned" }, "title" : "Authentication Requests Signed", "type" : "boolean" }, "assertion" : { "attributePath" : "/wantAssertionsSigned", "title" : "Assertions Signed", "type" : "boolean" }, "postResponse" : { "attributeKey" : "wantPOSTResponseSigned", "title" : "POST Response Signed", "type" : "boolean" }, "artifactResponse" : { "attributeKey" : "wantArtifactResponseSigned", "title" : "Artifact Response Signed", "type" : "boolean" }, "logoutRequest" : { "attributeKey" : "wantLogoutRequestSigned", "title" : "Logout Request Signed", "type" : "boolean" }, "logoutResponse" : { "attributeKey" : "wantLogoutResponseSigned", "title" : "Logout Response Signed", "type" : "boolean" }, "manageNameIdRequest" : { "attributeKey" : "wantMNIRequestSigned", "title" : "Manage NameID Request Signed", "type" : "boolean" }, "manageNameIdResponse" : { "attributeKey" : "wantMNIResponseSigned", "title" : "Manage NameID Response Signed", "type" : "boolean" } } }, "encryption" : { "traverseObject" : true, "title" : "Encryption", "type" : "object", "properties" : { "attributeEncryption" : { "attributeKey" : "wantAttributeEncrypted", "title" : "Attribute Encryption", "type" : "boolean" }, "assertionEncryption" : { "attributeKey" : "wantAssertionEncrypted", 
"title" : "Assertion Encryption", "type" : "boolean" }, "nameIdEncryption" : { "attributeKey" : "wantNameIDEncrypted", "title" : "NameID Encryption", "type" : "boolean" } } }, "secretIdAndAlgorithms" : { "traverseObject" : true, "title" : "Algorithms", "type" : "object", "properties" : { "signingAlgorithm" : { "title" : "Signing Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.SigningAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ], "enumNames" : [ "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "http://www.w3.org/2009/xmldsig11#dsa-sha256" ] } }, "digestAlgorithm" : { "title" : "Digest Algorithm", "type" : "array", "attributePath" : { "value" : "extensions", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.DigestAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ], "enumNames" : [ 
"http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmlenc#sha512", "http://www.w3.org/2007/05/xmldsig-more#sha3-256", "http://www.w3.org/2007/05/xmldsig-more#sha3-384", "http://www.w3.org/2007/05/xmldsig-more#sha3-512" ] } }, "encryptionAlgorithm" : { "title" : "Encryption Algorithm", "type" : "array", "attributeKey" : { "value" : "encryptionAlgorithms", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EncryptionAlgorithmMapper" }, "items" : { "type" : "string", "enum" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ], "enumNames" : [ "http://www.w3.org/2009/xmlenc11#aes128-gcm", "http://www.w3.org/2009/xmlenc11#aes192-gcm", "http://www.w3.org/2009/xmlenc11#aes256-gcm", "http://www.w3.org/2001/04/xmlenc#aes128-cbc", "http://www.w3.org/2001/04/xmlenc#aes192-cbc", "http://www.w3.org/2001/04/xmlenc#aes256-cbc", "http://www.w3.org/2001/04/xmlenc#rsa-1_5", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep" ] } } } } } }, "nameIdFormat" : { "traverseObject" : true, "title" : "NameID Format", "type" : "object", "properties" : { "nameIdFormatList" : { "description" : "List of NameID formats the requestor will use to contact. 
Order listed shows the order of preference", "title" : "NameID Format List", "attributePath" : { "value" : "/nameIDFormat" }, "type" : "array", "items" : { "type" : "string" }, "default" : [ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName", "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos", "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" ] }, "nameIdValueMap" : { "attributeKey" : { "value" : "nameIDFormatMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.NameIdValueMapper" }, "description" : "Maps the NameID format to a user profile attribute, for example: <code>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail</code> or <code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent=objectGUID;binary</code>. If the NameID format defined is used in the protocol, the profile attribute value will be used as the NameID value for the format in the Subject. The <code>;binary</code> flag is used to indicate that the profile attribute is binary and should be Base64 encoded when used as the NameID value. 
This mapping overrides the NameID Value Map on the IdP.", "title" : "NameID Value Map", "type" : "array", "items" : { "type" : "object", "properties" : { "key" : { "title" : "Key", "propertyOrder" : 0, "type" : "string" }, "value" : { "title" : "Value", "propertyOrder" : 1, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 2, "type" : "boolean", "default" : false } } } }, "disableNameIdPersistence" : { "attributeKey" : "spDoNotWriteFederationInfo", "title" : "Disable NameID persistence", "description" : "Instructs the hosted IdP to not persist the NameID into the User Data Store even if the NameID Format is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in the Assertion.", "type" : "boolean" } } }, "secrets" : { "traverseObject" : true, "title" : "Secrets", "type" : "object", "properties" : { "secretIdIdentifier" : { "type" : "string", "attributeKey" : "secretIdIdentifier", "title" : "Secret Label Identifier", "description" : "This identifier determines the secret label for this entity provider when resolving secrets. For example, when this value is set to \"demo\" and is used for a \"purpose\", the entity provider will use the am.applications.federation.entity.providers.saml2.demo.purpose secret label to resolve the secret. When the secret label identifier for a given role is modified, the corresponding mappings are removed if they aren't referenced by other entities." 
} } }, "basicAuthentication" : { "traverseObject" : true, "description" : "Configure basic authentication setting for Soap based binding", "title" : "Basic Authentication", "type" : "object", "properties" : { "enabled" : { "attributeKey" : "basicAuthOn", "title" : "Enabled", "type" : "boolean", "default" : false }, "userName" : { "attributeKey" : "basicAuthUser", "title" : "User Name", "type" : "string" }, "password" : { "title" : "Password", "attributeKey" : { "value" : "basicAuthPassword", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.PasswordMapper" }, "type" : "string", "format" : "password", "description" : "<strong>Note:</strong> This value is ignored if the value of the Secret Label Identifier is provided and a mapping exists for the secret label \n<code>am.applications.federation.entity.providers.saml2.demo.basicauth</code> to a secret in a secret store where \"demo\" is the value of the Secret Label Identifier in this example." } } } } }, "assertionProcessing" : { "propertyOrder" : 1, "traverseObject" : true, "title" : "Assertion Processing", "type" : "object", "properties" : { "attributeMapper" : { "traverseObject" : true, "title" : "Attribute Mapper", "type" : "object", "properties" : { "attributeMap" : { "title" : "Attribute Map", "description" : "This mapping is the configuration used by the Attribute Mapper. Mapping should be defined as SAML ATTRIBUTE NAME=PROFILE ATTRIBUTE NAME in assertion. 
Example: EmailAddress=mail, Address=postaladdress.", "type" : "array", "attributeKey" : { "value" : "attributeMap", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.AttributeMapMapper" }, "items" : { "type" : "object", "properties" : { "nameFormatUri" : { "title" : "Name Format Uri", "propertyOrder" : 0, "type" : "string" }, "samlAttribute" : { "title" : "SAML Attribute", "propertyOrder" : 1, "type" : "string" }, "localAttribute" : { "title" : "Local Attribute", "propertyOrder" : 2, "type" : "string" }, "binary" : { "title" : "Binary", "propertyOrder" : 3, "type" : "boolean", "default" : false } }, "required" : [ "samlAttribute", "localAttribute" ] } } } }, "responseArtifactMessageEncoding" : { "traverseObject" : true, "title" : "Artifact Message Encoding", "type" : "object", "properties" : { "encoding" : { "attributeKey" : { "value" : "responseArtifactMessageEncoding", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.MessageEncodingMapper" }, "title" : "Artifact Message Encoding", "type" : "string", "enum" : [ "URI", "FORM" ], "default" : "URI" } } } } }, "services" : { "propertyOrder" : 2, "traverseObject" : true, "title" : "Services", "type" : "object", "properties" : { "serviceAttributes" : { "traverseObject" : true, "title" : "SP Service Attributes", "type" : "object", "properties" : { "singleLogoutService" : { "title" : "Single Logout Service", "type" : "array", "attributePath" : { "value" : "singleLogoutService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom 
Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "post" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "soap" : { "type" : "object", "properties" : { "location" : { "type" : "string" } }, "required" : [ "location" ] } }, "nameIdService" : { "title" : "Manage NameID Service", "type" : "array", "attributePath" : { "value" : "manageNameIDService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.EndpointMapper" }, "items" : { "type" : "object", "properties" : { "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:SOAP", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-REDIRECT", "HTTP-POST", "SOAP", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "responseLocation" : { "title" : "Response Location", "type" : "string" } }, "required" : [ "location" ] }, "soap" : { "type" : "object", "properties" : { "location" : { "type" : "string" } }, "required" : [ "location" ] } }, "assertionConsumerService" : { "attributePath" : { "value" : 
"assertionConsumerService", "mapper" : "org.forgerock.openam.federation.rest.schema.mappers.ExtendedIndexedEndpointMapper" }, "title" : "Assertion Consumer Service", "description" : "Location denotes the URL to accept the respective request type. Index denotes the index of the URL in the standard metadata", "type" : "array", "items" : { "type" : "object", "properties" : { "isDefault" : { "type" : "boolean" }, "binding" : { "title" : "Binding", "anyOf" : [ { "title" : "Predefined Binding", "type" : "string", "enum" : [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:PAOS" ], "enumNames" : [ "HTTP-Artifact", "HTTP-POST", "PAOS" ] }, { "title" : "Custom Binding", "type" : "string" } ] }, "location" : { "title" : "Location", "type" : "string" }, "index" : { "type" : "integer" } } } } } } } }, "advanced" : { "propertyOrder" : 3, "traverseObject" : true, "title" : "Advanced", "type" : "object", "properties" : { "skipEndpointValidationWhenSigned" : { "title" : "Skip Endpoint Validation For Signed Requests", "description" : "When enabled, AM will not attempt to verify the AssertionConsumerServiceURL value provided in the SAML AuthnRequest. This SP MUST also be configured to sign authentication requests", "type" : "boolean", "attributeKey" : "skipEndpointValidationWhenSigned" }, "saeConfiguration" : { "traverseObject" : true, "title" : "SAE Configuration", "type" : "object", "properties" : { "spUrl" : { "attributeKey" : "saeSPUrl", "title" : "SP URL", "description" : "URL endpoint on Service Provider that can handle SAE requests. If this URL is empty (not configured), SAE single sign-on will not be enabled. 
Normal samlv2 single sign-on response will be sent to SP", "type" : "string" }, "spLogoutUrl" : { "attributeKey" : "saeSPLogoutUrl", "title" : "SP Logout URL", "description" : "URL endpoint on the Service Provider that can handle SAE global logout requests", "type" : "string" } } }, "idpProxy" : { "traverseObject" : true, "title" : "IDP Proxy", "type" : "object", "properties" : { "enableIdpProxy" : { "attributeKey" : "enableIDPProxy", "title" : "IDP Proxy enabled", "description" : "Enable IDP Proxy if not enabled", "type" : "boolean" }, "alwaysIdpProxy" : { "attributeKey" : "alwaysIdpProxy", "title" : "Proxy all requests", "description" : "When this option is enabled, the IdP will proxy every authentication request, regardless of whether it contains the Scoping element.", "type" : "boolean" }, "useIntroductionForIdpProxy" : { "attributeKey" : "useIntroductionForIDPProxy", "title" : "Introduction enabled", "type" : "boolean" }, "useIDPFinder" : { "attributeKey" : "useIDPFinder", "title" : "Use IDP Finder", "type" : "boolean" }, "idpProxyCount" : { "attributeKey" : "idpProxyCount", "title" : "Proxy Count", "description" : "Number of IDP proxies that the SP can have", "type" : "integer", "default" : 0 }, "idpProxyList" : { "attributeKey" : "idpProxyList", "description" : "A list of preferred IDPs that the SP would proxy to", "title" : "IDP Proxy List", "type" : "array", "items" : { "type" : "string" } } } } } } } } }, "required" : [ "entityId" ], "$id" : "https://www.forgerock.com/remoteSaml2EntityProvider.schema.json" }