Identity Cloud

Reference

This reference covers the configuration settings for identity providers (IDPs), service providers (SPs), and circles of trust.

Hosted identity provider

To edit hosted IDP settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > Federation > Entity Providers > Provider Name.

Assertion Content tab

Signing and Encryption

Request/Response Signing

The parts of messages the IDP requires the SP to sign digitally.

Encryption

When NameID Encryption is selected, the SP must encrypt name identifier (NameID) elements.

Secret ID and Algorithms

Secret ID Identifier

By default, Identity Cloud uses the entity provider’s role-specific, default global secret IDs. Alternatively, set an identifier for the secret ID Identity Cloud uses for this entity provider when resolving secrets. For example, when you set this to demo, the entity provider uses the following secret IDs:

  • am.applications.federation.entity.providers.saml2.demo.signing

  • am.applications.federation.entity.providers.saml2.demo.encryption

Signing Algorithm

The algorithms the provider uses to sign the request and response attributes selected in the Request/Response Signing group.

The provider’s metadata extension lists these algorithms.

This property has no default.

Digest Algorithm

The digest algorithms the provider uses to sign the requests and responses selected in the Request/Response Signing group.

The provider’s metadata extension lists these algorithms.

This property has no default.

Encryption Algorithm

There are two types of encryption algorithms for the provider:

  • Symmetric algorithms: the provider uses these to encrypt the objects selected in the Encryption group. Select one or more AES algorithms from the drop-down list.

    Default: http://www.w3.org/2001/04/xmlenc#aes128-cbc

  • Asymmetric algorithms: the provider advertises the selected algorithm as its transport key algorithm. When SAML 2.0 token encryption is enabled, hosted providers should use the algorithm the remote provider advertises to encrypt the symmetric encryption keys.

    Select one or more algorithms from the drop-down list:

    • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p (default)

    • http://www.w3.org/2009/xmlenc11#rsa-oaep

      For this algorithm, Identity Cloud uses http://www.w3.org/2009/xmlenc11#mgf1sha256 to create the transport key.

    • http://www.w3.org/2001/04/xmlenc#rsa-1_5

      For security reasons, do not use this option.
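As an added illustration (not Identity Cloud code), the following Python reads the encryption methods a remote SP advertises in its metadata and applies the rules above: AES for the data, RSA-OAEP for the transport key, and never rsa-1_5. The sample metadata, entity ID and key name are constructed; the xenc11:MGF child element is the XML Encryption 1.1 way of declaring the mask generation function for rsa-oaep.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata and XML Encryption 1.1.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc11": "http://www.w3.org/2009/xmlenc11#",
}

# Symmetric (data) algorithms: the page only offers AES variants.
SYMMETRIC_ALLOWED = {
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}
# Transport-key algorithms we are willing to use, most preferred first.
TRANSPORT_PREFERENCE = [
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
]
RSA_1_5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"  # never selected
MGF1_SHA256 = "http://www.w3.org/2009/xmlenc11#mgf1sha256"

# Constructed sample SP metadata (entity ID and key name are made up).
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>sp-encryption-key</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep">
        <xenc11:MGF Algorithm="http://www.w3.org/2009/xmlenc11#mgf1sha256"/>
      </md:EncryptionMethod>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def advertised_encryption_methods(metadata_xml):
    """Collect the EncryptionMethod algorithms from every KeyDescriptor that
    may be used for encryption (use="encryption", or no use attribute)."""
    root = ET.fromstring(metadata_xml)
    report = {"symmetric": [], "transport": [], "rejected": [], "mgf": None}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        for method in kd.iterfind("md:EncryptionMethod", NS):
            alg = method.get("Algorithm", "")
            if alg in SYMMETRIC_ALLOWED:
                report["symmetric"].append(alg)
            elif alg in TRANSPORT_PREFERENCE:
                report["transport"].append(alg)
                mgf = method.find("xenc11:MGF", NS)
                if mgf is not None:
                    report["mgf"] = mgf.get("Algorithm")
            else:
                # rsa-1_5, non-AES ciphers and unknown URIs all land here.
                report["rejected"].append(alg)
    return report


def choose_transport_algorithm(report):
    """Pick the key-transport algorithm to use with this remote provider.
    rsa-1_5 is never chosen, even when it is the only one advertised."""
    for alg in TRANSPORT_PREFERENCE:
        if alg in report["transport"]:
            return alg
    raise ValueError("remote provider advertises no acceptable transport key algorithm")
```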

NameID Format

NameID Format List

Supported NameIDs for users shared between providers for single sign-on (SSO).

The following diagram shows how the hosted IDP determines which NameID format to use:

Diagram: How the hosted IDP decides which NameID formats to use

NameID Value Map

Map of NameID formats to user profile attributes. You do not need to map the persistent and transient NameIDs.

NameID mapping supports Base64-encoded binary values. When Binary is enabled, Identity Cloud Base64-encodes the profile attribute it adds to the assertion.

Authentication Context

Mapper

A class implementing the IDPAuthnContextMapper interface to set up the authentication context.

Do not edit this field.

Default: com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper

Authentication Context

The supported authentication context classes and any authentication mechanisms Identity Cloud uses when an SP specifies the class in a SAML 2.0 authentication request. For details, refer to Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0.

Default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  • The Predefined Reference specifies the list of context references.

  • The Key specifies the authentication mechanism Identity Cloud uses when an SP specifies the class in a SAML 2.0 authentication request:

    Service

    Set the Value to the authentication journey to use.

    Module

    Not supported.

    User

    Not supported.

    Role

    Not supported.

    Authentication Level

    Identity Cloud uses a method where the authentication level is greater than or equal to the Value. Match the Value field with the Level field to avoid requiring users to re-authenticate unnecessarily.

    If more than one suitable method exists, Identity Cloud presents the available options with a ChoiceCallback.

  • The Value depends on the Key.

  • The Level specifies precedence for supported context reference classes.

    Higher numbers are stronger than lower numbers.

Assertion Time

Not-Before Time Skew

Grace period in seconds for the NotBefore time in assertions.

Effective Time

Assertion validity in seconds.

Basic Authentication

Enabled, User Name, Password

When enabled, authenticate with the specified credentials at SOAP endpoints.

Assertion Cache

Enabled

When enabled, cache assertions.

Assertion Processing tab

Attribute Mapper

Extension point to map the IDP attributes included in the SAML assertion.

Attribute Mapper

The Java class for the default implementation, which retrieves attributes from the user profile. If an attribute is not present in the profile, the mapper retrieves it from the user session.

Do not edit this field. It is not used if Attribute Mapper Script is set.

Default: com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper

Attribute Mapper Script

A JavaScript implementation of an attribute mapper.

Select a Saml2 IDP Attribute Mapper script from this realm.

For an example, refer to saml2-idp-attribute-mapper.js.

Attribute Map

Maps SAML attributes to user profile attributes or session properties.

The default implementation also supports static values: in the Value field, where the profile attribute name would otherwise go, enclose the static value in double quotes (").

Account Mapper

Account Mapper

The Java class for the default implementation to map remote users to local user profiles.

Disable NameID Persistence

By default, Identity Cloud stores NameIDs the IDP issues when the NameID format is persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). When you set this, Identity Cloud no longer stores persistent NameIDs.

Only enable this setting after configuring a NameID Value Mapping for persistent NameIDs; otherwise, the ManageNameID and the NameIDMapping SAML profiles no longer work with persistent NameIDs.

Identity Cloud does not remove existing, stored account links when you enable this setting.

Local Configuration

Auth URL

If set, overrides the default UI login URL to authenticate users during federation.

Use this setting, for example, if you have created a custom UI for federation.

The application exposing the URL must authenticate federated users, establish their sessions, and return SSO tokens in the tenant session cookies.

Identity Cloud must accept the cookie for the domain of the URL. If Identity Cloud uses host cookies, the FQDN of the URL must match your tenant’s FQDN.

Identity Cloud redirects users to the URL, appending a goto parameter. The parameter contains the URL to redirect to after authentication. The application must not override the goto parameter, as changing it causes federation to fail. For details, refer to Success and failure redirection URLs.

Reverse Proxy URL

The URL of the reverse proxy for SAML endpoints if one exists.

External Application Logout URL

The URL to send an HTTP POST with all cookies when receiving a logout request. Add a user session property by including it as a query string parameter named appsessionproperty.

Services tab

MetaAlias

Read-only alias to locate the provider’s entity identifier, specified as /realm-name/provider-name; for example: /alpha/myIDP.

IDP Service Attributes

Artifact Resolution Service

The endpoint to manage artifact resolution.

Single Logout Service

The endpoints to manage single logout (SLO) depending on the SAML binding.

Manage NameID Service

The endpoints to manage NameIDs depending on the SAML binding.

Single SignOn Service

The endpoints to manage SSO.

These endpoints are used only for SP-initiated flows but are included as a requirement of the SAML V2.0 Metadata specification.

NameID Mapping

The endpoint to manage NameID mapping.

Assertion ID Request Service

The endpoints to request a specific assertion by assertion ID.

Advanced tab

SAE Configuration

IDP URL

The endpoint to manage Secure Attribute Exchange (SAE) requests.

Application Security Configuration

Encryption settings for SAE.

ECP Configuration

IDP Session Mapper

A Java class to find a valid session in an HTTP servlet request to an IDP with a SAML Enhanced Client or Proxy (ECP) profile.

Do not edit this field.

Session Synchronization

Enabled

When enabled, the IDP sends backchannel SOAP logout requests to all SPs when a session times out. A session can time out after the maximum idle time or maximum session time, for example.

IDP Finder Implementation

IDP Finder Implementation Class

A Java class to find the preferred IDP for a proxied authentication request.

IDP Finder JSP

A JSP to present the list of IDPs to the user.

Enable Proxy IDP Finder For All SPs

When enabled, Identity Cloud applies the finder for all remote SPs.

Relay State URL List

Relay State URL List

List of accepted RelayState URLs.

Identity Cloud validates the RelayState redirection URLs against this list during SLO. Identity Cloud only allows redirection to RelayState URLs in this list or matching the tenant domain; otherwise, a browser error occurs.

This setting does not apply to IDP-initiated SSO as the SP validates the RelayState URL.

Use the pattern matching rules in Success and failure redirection URLs to specify URLs.

IDP Adapter

IDP Adapter Class

A Java class Identity Cloud invokes immediately before sending a SAML 2.0 response.

IDP Adapter Script

A JavaScript implementation of an IDP adapter.

Select a Saml2 IDP Adapter script from this realm.

For an example, refer to saml2-idp-adapter.js.

Remote identity provider

To edit remote IDP settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > Federation > Entity Providers > Provider Name.

Assertion Content tab

Signing and Encryption

Request/Response Signing

The parts of messages the IDP requires the SP to sign digitally.

Encryption

When selected, the SP must encrypt NameID elements.

NameID Format

NameID Format List

Supported NameIDs for users shared between providers for single sign-on (SSO).

Basic Authentication

Enabled, User Name, Password

When enabled, authenticate with the specified credentials at SOAP endpoints.

Services tab

IDP Service Attributes

Artifact Resolution Service

The endpoint to manage artifact resolution.

Single Logout Service

The endpoints to manage SLO depending on the SAML binding.

These endpoints are used only for SP-initiated flows but are included as a requirement of the SAML V2.0 Metadata specification.

Manage NameID Service

The endpoints to manage NameIDs depending on the SAML binding.

Single SignOn Service

The endpoints to manage SSO.

NameID Mapping

URL

The endpoint to manage NameID mapping.

Hosted service provider

To edit hosted SP settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > Federation > Entity Providers > Provider Name.

Assertion Content tab

Signing and Encryption

Request/Response Signing

The parts of messages the SP requires the IDP to sign digitally.

Encryption

When selected, the IDP must encrypt the selected elements.

Secret ID and Algorithms

Secret ID Identifier

By default, Identity Cloud uses the entity provider’s role-specific, default global secret IDs. Alternatively, set an identifier for the secret ID Identity Cloud uses for this entity provider when resolving secrets. For example, when you set this to demo, the entity provider uses the following secret IDs:

  • am.applications.federation.entity.providers.saml2.demo.signing

  • am.applications.federation.entity.providers.saml2.demo.encryption

Signing Algorithm

The algorithms the provider uses to sign the request and response attributes selected in the Request/Response Signing group.

The provider’s metadata extension lists these algorithms.

This property has no default.

Digest Algorithm

The digest algorithms the provider uses to sign the requests and responses selected in the Request/Response Signing group.

The provider’s metadata extension lists these algorithms.

This property has no default.

Encryption Algorithm

There are two types of encryption algorithms for the provider:

  • Symmetric algorithms: the provider uses these to encrypt the objects selected in the Encryption group. Select one or more AES algorithms from the drop-down list.

    Default: http://www.w3.org/2001/04/xmlenc#aes128-cbc

  • Asymmetric algorithms: the provider advertises the selected algorithm as its transport key algorithm. When SAML 2.0 token encryption is enabled, hosted providers should use the algorithm the remote provider advertises to encrypt the symmetric encryption keys.

    Select one or more algorithms from the drop-down list:

    • http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p (default)

    • http://www.w3.org/2009/xmlenc11#rsa-oaep

      For this algorithm, Identity Cloud uses http://www.w3.org/2009/xmlenc11#mgf1sha256 to create the transport key.

    • http://www.w3.org/2001/04/xmlenc#rsa-1_5

      For security reasons, do not use this option.

NameID Format

NameID Format List

Supported NameIDs for users shared between providers for SSO.

The following diagram shows how the hosted SP determines which NameID format to use:

Diagram: How the hosted SP decides which NameID formats to use

Disable NameID Persistence

By default, Identity Cloud stores NameIDs the IDP issues when the NameID format is persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) and the account manager matched a local user to the assertion. When you set this, Identity Cloud no longer stores persistent NameIDs.

When you enable this setting, end users must authenticate locally for each SAML login.

Authentication Context

Mapper

A class implementing the SPAuthnContextMapper interface to set up the authentication context.

Do not edit this field.

Default: com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper

Authentication Context

The supported authentication context classes and any authentication mechanisms Identity Cloud uses when an IDP specifies the class in a SAML 2.0 authentication request. For details, refer to Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0.

Default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

  • The Predefined Reference specifies the list of context references.

  • The Key specifies the authentication mechanism Identity Cloud uses when an IDP specifies the class in a SAML 2.0 authentication request:

    Service

    Set the Value to the authentication journey to use.

    Module

    Not supported.

    User

    Not supported.

    Role

    Not supported.

    Authentication Level

    Identity Cloud uses a method where the authentication level is greater than or equal to the Value. Match the Value field with the Level field to avoid requiring users to re-authenticate unnecessarily.

    If more than one suitable method exists, Identity Cloud presents the available options with a ChoiceCallback.

  • The Value depends on the Key.

  • The Level specifies precedence for supported context reference classes.

    Higher numbers are stronger than lower numbers.

Comparison Type

Sets the range of authentication mechanisms the IDP can choose.

For example, when this is set to Better and PasswordProtectedTransport is the default authentication context class, the IDP must select an authentication mechanism with a higher level assigned.

Default: Exact
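As an added, constructed example (not Identity Cloud's DefaultIDPAuthnContextMapper or DefaultSPAuthnContextMapper), this Python applies the Level precedence from the Authentication Context table together with the SAML 2.0 Comparison types (Exact, Minimum, Maximum, Better) to decide which configured classes, and therefore which journeys, may satisfy a request. The table rows, their levels and the journey names are assumptions.

```python
from dataclasses import dataclass

PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"


@dataclass(frozen=True)
class ContextEntry:
    """One row of the Authentication Context table: the Predefined Reference,
    the Level that ranks it, and the journey chosen with Key=Service."""
    class_ref: str
    level: int
    journey: str


# Constructed table: the levels and journey names are assumptions, not
# Identity Cloud defaults.
CONTEXT_TABLE = [
    ContextEntry(UNSPECIFIED, 0, "Login"),
    ContextEntry(PPT, 10, "Login"),
    ContextEntry(KERBEROS, 20, "KerberosLogin"),
    ContextEntry(TLS_CLIENT, 30, "CertificateLogin"),
]


def eligible_contexts(table, requested, comparison="exact"):
    """Return the rows the IDP may satisfy the request with, strongest first,
    by applying the RequestedAuthnContext Comparison to the configured Levels:
      exact   - one of the requested classes itself
      minimum - at least as strong as the weakest requested class
      maximum - no stronger than the strongest requested class
      better  - strictly stronger than every requested class
    """
    by_ref = {entry.class_ref: entry for entry in table}
    known = [by_ref[ref] for ref in requested if ref in by_ref]
    if not known:
        raise ValueError("none of the requested classes is configured on the IDP")
    levels = [entry.level for entry in known]
    comparison = comparison.lower()
    if comparison == "exact":
        chosen = known
    elif comparison == "minimum":
        chosen = [e for e in table if e.level >= min(levels)]
    elif comparison == "maximum":
        chosen = [e for e in table if e.level <= max(levels)]
    elif comparison == "better":
        chosen = [e for e in table if e.level > max(levels)]
    else:
        raise ValueError(f"unknown comparison type: {comparison}")
    if not chosen:
        raise ValueError("no configured class satisfies the requested comparison")
    return sorted(chosen, key=lambda e: e.level, reverse=True)


def journeys_for(table, requested, comparison="exact"):
    """The distinct journeys the IDP could run for the request, strongest
    first; more than one entry is the case the page resolves with a
    ChoiceCallback."""
    seen = []
    for entry in eligible_contexts(table, requested, comparison):
        if entry.journey not in seen:
            seen.append(entry.journey)
    return seen
```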

Include Request Authentication Context

When enabled, include the authentication context class as the requested authentication context in the SAML 2.0 authentication request.

Default: Enabled

Assertion Time

Assertion Time Skew

Grace period in seconds for the NotBefore time in assertions.

Basic Authentication

Enabled, User Name, Password

When enabled, authenticate with the specified credentials at SOAP endpoints.

Assertion Processing tab

Attribute Mapper

Extension point to map the SP attributes included in the SAML assertion.

Attribute Mapper

The Java class for the default implementation, which sets attributes in the user profile or properties in the session.

Do not edit this field.

Default: com.sun.identity.saml2.plugins.DefaultSPAttributeMapper

Attribute Map

Maps SAML attributes to user profile attributes or session properties.

The Key is a SAML attribute from the assertion. The Value is the profile attribute or session property.

By default, the SP maps SAML attributes to session properties with the same names. When the SP creates a profile during auto-federation, the SP maps SAML attributes to the new user profile.

The special mapping Key: *, Value: * maps each attribute in the assertion to a session property or profile attribute with the same name. For example, if the SP receives mail and givenName in the assertion, it maps them to mail and givenName.

Remove the special mapping and add key pairs to the map if:

  • (Auto-federation) The attributes in the IDP’s and the SP’s identity stores do not match.

  • You need control over the names of the session properties.

  • You need control over the attributes to map because the IDP adds too many to the assertion.
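The following Python is an added, constructed illustration of both Attribute Map behaviours described on this page (not Identity Cloud's mapper classes): the hosted IDP resolving each mapped Value from the profile, then the session, or from a double-quoted static value, and the hosted SP applying either the special *: * entry or explicit Key/Value pairs. All attribute, property and user names are made up.

```python
# Constructed sample IDP configuration; all names are assumptions.
IDP_ATTRIBUTE_MAP = {
    # Key: SAML attribute to emit. Value: profile or session attribute, or a
    # double-quoted literal for a static value.
    "mail": "mail",
    "displayName": "cn",
    "deviceProfile": "deviceName",     # not in the profile: taken from the session
    "organization": '"Example Corp"',  # static value
}

# Constructed sample user data.
SAMPLE_PROFILE = {"mail": ["alice@example.test"], "cn": ["Alice Example"]}
SAMPLE_SESSION = {"deviceName": "laptop-01"}


def idp_assertion_attributes(profile, session, attribute_map):
    """Hosted IDP side: resolve each mapped Value from the user profile first,
    then from the session, or emit the quoted literal without its quotes.
    A Value that resolves nowhere is simply left out of the assertion."""
    attrs = {}
    for saml_name, source in attribute_map.items():
        if len(source) >= 2 and source[0] == '"' and source[-1] == '"':
            attrs[saml_name] = [source[1:-1]]          # static value
        elif source in profile:
            attrs[saml_name] = list(profile[source])   # profile attribute
        elif source in session:
            attrs[saml_name] = [str(session[source])]  # session property
    return attrs


def sp_apply_attribute_map(assertion_attrs, attribute_map):
    """Hosted SP side: Key is the SAML attribute name in the assertion, Value
    the session property or profile attribute to set. The special '*': '*'
    entry copies every attribute under its own name; an explicit entry that
    renames an attribute replaces the wildcard copy of it."""
    props = {}
    if attribute_map.get("*") == "*":
        props = {name: list(values) for name, values in assertion_attrs.items()}
    for saml_name, local_name in attribute_map.items():
        if saml_name == "*" or saml_name not in assertion_attrs:
            continue
        if local_name != saml_name:
            props.pop(saml_name, None)
        props[local_name] = list(assertion_attrs[saml_name])
    return props
```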

Auto Federation

Enabled

When enabled, automatically federate the user’s accounts at different providers based on the specified SAML attribute.

Attribute

The SAML attribute to match accounts at different providers.

Account Mapper

Account Mapper

The Java class for the default implementation to map remote users to local user profiles.

Use Name ID as User ID

When selected, fall back to the NameID from the assertion to find the user.

Transient User

When set, map all transient users from the IDP to this profile.

Artifact Message Encoding

Artifact Message Encoding

The message encoding format for artifacts.

URL

Local Authentication URL

If set, overrides the default redirect URL to use after validating the SAML 2.0 assertion from the IDP.

Use this setting, for example, if you have created a custom UI for federation.

In integrated mode, Identity Cloud appends query string parameters to this URL. The parameters contain details to let Identity Cloud continue the authentication journey.

In standalone mode, Identity Cloud redirects users to the specified URL and appends a goto parameter, identifying the next redirect URL for the user.

Intermediate URL

A URL to redirect the user to after authentication but before the original URL requested.

External Application Logout URL

The URL to send an HTTP POST with all cookies when receiving a logout request. Add a user session property by including it as a query string parameter named appsessionproperty.

Default Relay State URL

Default Relay State URL

The URL to redirect users to after completing the request. Identity Cloud uses this if the response does not specify the RelayState.

Adapter

Adapter

A Java class to perform application-specific processing during the federation process.

Adapter Environment

Environment variables Identity Cloud passes to the adapter class.

Services tab

MetaAlias

Read-only alias to locate the provider’s entity identifier, specified as /realm-name/provider-name; for example: /alpha/mySP.

SP Service Attributes

Single Logout Service

The endpoints to manage SLO depending on the SAML binding.

Manage NameID Service

The endpoints to manage NameIDs depending on the SAML binding.

Assertion Consumer Service

The endpoints to consume assertions, where the order corresponds to the index of the URL in the standard metadata.

The scheme, FQDN, and port configured must exactly match the SP's settings in its metadata.

If the base URL service is configured, Identity Cloud uses it to determine the SP’s endpoint URL.

If the URL does not match, the SAML 2.0 flow fails and Identity Cloud logs an Invalid Assertion Consumer Location specified message.

Advanced tab

SAE Configuration

SP URL

The endpoint to manage SAE requests.

SP Logout URL

The SP endpoint to process global logout requests.

Application Security Configuration

Encryption settings for SAE.

ECP Configuration

Request IDP List Finder Implementation

A Java class to return a list of preferred IDPs trusted for the SAML ECP profile.

Default: com.sun.identity.saml2.plugins.ECPIDPFinder

Request IDP List Get Complete

A URI reference to retrieve the complete list of IDPs if the IDPList element is not complete.

Request IDP List

A list of IDPs for the ECP client or proxy to contact. The default finder implementation uses this.

IDP Proxy

IDP Proxy

When enabled, Identity Cloud adds a Scoping element to the authentication request for proxying.

Introduction

When enabled, use introductions to find the proxy IDP.

Proxy Count

The maximum number of proxy identity providers.

IDP Proxy List

A list of URIs for preferred proxy IDPs.

Session Synchronization

Enabled

When enabled, the SP sends backchannel SOAP logout requests to all IDPs when a session times out. A session can time out after the maximum idle time or maximum session time, for example.

Relay State URL List

Relay State URL List

List of accepted RelayState URLs.

Identity Cloud validates the RelayState redirection URLs against this list during SLO. Identity Cloud only allows redirection to RelayState URLs in this list or matching the tenant domain; otherwise, a browser error occurs.

Use the pattern matching rules in Success and failure redirection URLs to specify URLs.
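The RelayState validation described here and under the hosted IDP's Relay State URL List above, as an added Python illustration (not Identity Cloud's validator). It assumes the only wildcard in the referenced pattern rules is *, and that "matching the tenant domain" means the URL host equals the tenant FQDN; the tenant FQDN and the list entries are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration (assumptions): tenant FQDN and the accepted list.
TENANT_FQDN = "tenant.example.test"
RELAY_STATE_URL_LIST = [
    "https://portal.example.test/logged-out",
    "https://*.apps.example.test/*",
]


def _wildcard(pattern, star=".*"):
    """Compile a pattern in which '*' (and only '*') is a wildcard. `star`
    controls what '*' may match, so a host wildcard cannot swallow a '/'
    and run on into the path."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + star.join(parts) + "$")


def _matches(url, pattern):
    """Compare scheme, authority and path+query separately. Matching the whole
    URL string against one '.*' regex would let a URL such as
    https://evil.test/?x=.apps.example.test/ slip through a host wildcard."""
    pat = urlsplit(pattern)
    if url.scheme.lower() != pat.scheme.lower():
        return False
    if not _wildcard(pat.netloc.lower(), star="[^/@?#]*").match(url.netloc.lower()):
        return False
    url_rest = url.path + ("?" + url.query if url.query else "")
    pat_rest = pat.path + ("?" + pat.query if pat.query else "")
    return _wildcard(pat_rest).match(url_rest) is not None


def relay_state_allowed(relay_state, patterns=RELAY_STATE_URL_LIST, tenant_fqdn=TENANT_FQDN):
    """True when the RelayState target is the tenant itself or matches an entry
    in the Relay State URL List; anything else is the case in which the page
    says a browser error occurs."""
    url = urlsplit(relay_state)
    if url.scheme.lower() not in ("http", "https") or not url.hostname:
        return False  # rejects javascript:, data:, scheme-relative and bare paths
    if url.hostname.lower() == tenant_fqdn.lower():
        return True
    return any(_matches(url, p) for p in patterns)
```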

Remote service provider

To edit remote SP settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > Federation > Entity Providers > Provider Name.

Assertion Content tab

Signing and Encryption

Request/Response Signing

The parts of messages the SP requires the IDP to sign digitally.

Encryption

When selected, the IDP must encrypt the selected elements.

NameID Format

NameID Format List

Supported NameIDs for users shared between providers for SSO.

Disable NameID Persistence

When enabled, do not store NameIDs at the IDP when generating an assertion for this remote SP.

Default value: false

Basic Authentication

Enabled, User Name, Password

When enabled, authenticate with the specified credentials at SOAP endpoints.

Assertion Processing tab

Attribute Mapper

Attribute Map

Override mappings from assertion attributes to user profile attributes at the IDP.

Artifact Message Encoding

Encoding

The message encoding format for artifacts.

Services tab

SP Service Attributes

Single Logout Service

The endpoints to manage SLO depending on the SAML binding.

Manage NameID Service

The endpoints to manage NameIDs depending on the SAML binding.

Assertion Consumer Service

The endpoints to consume assertions, where the order corresponds to the index of the URL in the standard metadata.

Advanced tab

Request Processing

Skip Endpoint Validation For Signed Requests

When enabled, Identity Cloud does not verify assertion consumer service (ACS) URLs in SAML authentication requests. The ACS URL can contain dynamic query parameters, for example.

The SAML 2.0 specification requires ACS URL verification. When you enable this, the SP must digitally sign the authentication request; in Assertion Content > Signing and Encryption > Request/Response Signing, enable Authentication Requests Signed. If Identity Cloud receives an unsigned authentication request, it returns an error.

SAE Configuration

SP URL

The endpoint to manage SAE requests.

SP Logout URL

The SP endpoint to process global logout requests.

IDP Proxy

IDP Proxy enabled

When enabled, authentication requests from the SP can be proxied.

Proxy all requests

When enabled, Identity Cloud proxies every authentication request from the SP, even if the Scoping element is missing.

Set IDP Proxy enabled for this setting to take effect.

Introduction enabled

When enabled, use introductions to find the proxy IDP.

This property requires a non-default SAML2IDPProxyFRImpl implementation.

Use IDP Finder

When enabled, Identity Cloud uses the IDP finder service to determine the proxy IDP.

Proxy Count

The maximum number of proxy identity providers. Identity Cloud sets the specified value in the Scoping element of proxied authentication requests.

Enable Proxy all requests for this setting to take effect.

IDP Proxy List

A list of URIs for preferred proxy IDPs.

Circle of trust

To edit circle of trust settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > Federation > Circle of Trust > Circle of Trust Name.

Name

String to refer to the circle of trust.

You can’t change its Name after creation.

Description

Short description for the circle of trust.

Status

Whether this circle of trust is operational.

Entity Providers

Known hosted and remote IDPs and SPs participating in this circle of trust.

SAML2 Writer Service URL

SAML 2.0 service to write IDP entity identifiers to common domain cookies after successful authentication for IDP discovery; for example: https://<tenant-env-fqdn>/am/saml2writer.

SAML2 Reader Service URL

SAML 2.0 service to read IDP entity identifiers from common domain cookies for IDP discovery; for example: https://<tenant-env-fqdn>/am/saml2reader.

Copyright © 2010-2024 ForgeRock, all rights reserved.