This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

SAML Web SSO 2.0 Authentication (samlWebSso20)

Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.

Attribute name Data type Default value Description
allowCreate boolean   Allow the IdP to create a new account if the requesting user does not have one.
allowCustomCacheKey boolean true Allow generating a custom cache key to access the authentication cache and get the subject.
authFilterRef A reference to top level authFilter element (string).   Specifies the authentication filter reference.
authnContextComparisonType
  • minimum
  • better
  • maximum
  • exact
exact When an authnContextClassRef is specified, the authnContextComparisonType can be set. It tells the IdP how to compare the authentication context of the assertion it issues with the context classes the service provider requested:
  • minimum: The authentication context in the authentication statement must be at least as strong as one of the authentication contexts specified.
  • better: The authentication context in the authentication statement must be stronger than any one of the authentication contexts specified.
  • maximum: The authentication context in the authentication statement must be as strong as possible without exceeding the strength of at least one of the authentication contexts specified.
  • exact: The authentication context in the authentication statement must be an exact match of at least one of the authentication contexts specified.
authnRequestTime A period of time with millisecond precision 10m Specifies the lifetime of an AuthnRequest that is generated and sent from the service provider to an IdP to request a SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
authnRequestsSigned boolean true Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed.
clockSkew A period of time with millisecond precision 5m Specifies the clock difference between the service provider and the IdP that is tolerated when the time conditions of a SAML token (NotBefore, NotOnOrAfter) are validated. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
createSession boolean true Specifies whether to create an HttpSession if the current HttpSession does not exist.
customizeNameIDFormat string   Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification.
disableLtpaCookie boolean true When true, do not create an LTPA token while processing the SAML assertion; create a cookie specific to this service provider instead.
enabled boolean true The service provider is enabled if true and disabled if false.
errorPageURL string   Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO.
forceAuthn boolean false Indicates whether the IdP should force the user to re-authenticate.
groupIdentifier string   Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value.
httpsRequired boolean true Require SSL (HTTPS) for requests to the SAML Web SSO service provider endpoints, such as acs and metadata.
id string   A unique configuration ID.
idpMetadata string ${server.config.dir}/resources/security/idpMetadata.xml Specifies the IdP metadata file.
inboundPropagation
  • none
  • required
none Controls whether this service provider accepts a SAML token that is propagated in an inbound HTTP request header (the header name is set by the headerName element) rather than obtained through the Web SSO flow.
  • none: Inbound SAML token propagation is disabled.
  • required: The inbound request must carry a SAML token in the HTTP header named by headerName; the token is validated with the same trust settings as a token received through Web SSO.
includeTokenInSubject boolean true Specifies whether to include a SAML assertion in the subject.
includeX509InSPMetadata boolean true Specifies whether to include the x509 certificate in the Liberty SP metadata.
isPassive boolean false Indicates that the IdP must not take control of the end-user interface (the AuthnRequest is sent with IsPassive set), so the IdP can only satisfy the request for a user who already has a session with it.
keyAlias string   Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'.
keyStoreRef A reference to top level keyStore element (string).   A keystore containing the private key used to sign the AuthnRequest and to decrypt the EncryptedAssertion element. Defaults to the server's default keystore.
loginPageURL string   Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO.
mapToUserRegistry
  • User
  • No
  • Group
No Specifies how to map a SAML identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
  • User: Map the SAML identity to a user defined in the registry.
  • No: Do not map the SAML identity to a user or group in the registry.
  • Group: Map the SAML identity to a group defined in the user registry.
nameIDFormat
  • encrypted
  • customize
  • persistent
  • x509SubjectName
  • email
  • transient
  • entity
  • unspecified
  • kerberos
  • windowsDomainQualifiedName
email Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification.
  • encrypted: urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
  • customize: Customized Name ID Format (the URI is taken from customizeNameIDFormat).
  • persistent: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • x509SubjectName: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • email: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • transient: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • entity: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • unspecified: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • kerberos: urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  • windowsDomainQualifiedName: urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
reAuthnCushion A period of time with millisecond precision 0m How long before a SAML assertion expires the user is authenticated again; expiry is indicated by either the NotOnOrAfter condition or the SessionNotOnOrAfter attribute of the SAML assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
reAuthnOnAssertionExpire boolean false Authenticate the incoming HTTP request again when a SAML Assertion is about to expire.
realmIdentifier string   Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used.
realmName string   Specifies a realm name when mapToUserRegistry is set to No or Group.
sessionNotOnOrAfter A period of time with millisecond precision 120m Indicates an upper bound on SAML session duration, after which the Liberty SP asks the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not carry a SessionNotOnOrAfter attribute, the value specified by this attribute is used. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
signatureMethodAlgorithm
  • SHA256
  • SHA128
  • SHA1
SHA256 Indicates the signature algorithm required by this service provider.
  • SHA256: SHA-256 signature algorithm. This is the default and the value to use.
  • SHA128: Listed by the configuration schema, but there is no standard SHA-128 digest; do not rely on this value.
  • SHA1: SHA-1 signature algorithm. SHA-1 is deprecated for signatures; select it only for compatibility with an IdP that cannot sign with SHA-256.
spHostAndPort string   Specifies a SAML service provider host name and port number.
targetPageUrl string   The default landing page for the IdP-initiated SSO if the relayState is missing.
tokenReplayTimeout A period of time with millisecond precision 30m Specifies how long the Liberty SP remembers an accepted SAML token so that a replayed copy of the same token is rejected. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.
userIdentifier string   Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used.
userUniqueIdentifier string   Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value.
wantAssertionsSigned boolean true Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.
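Most of the attributes above are checks on particular elements of the SAML response that the IdP posts to the service provider's assertion consumer service. The following SAML 2.0 Response is a constructed example added here (it is not from this IBM page or from Liberty) that annotates which samlWebSso20 attribute consumes or validates each element. The issuer, host names, endpoint paths, identifiers and timestamps are assumptions, and the XML Signature elements are omitted.

```xml
<!-- Constructed sample SAML Response, not from IBM; all values are assumptions. -->
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp-0001" Version="2.0" IssueInstant="2017-12-12T10:00:00Z"
                Destination="https://sp.example.com:9443/ibm/saml20/defaultSP/acs"
                InResponseTo="_authnreq-0001">
  <!-- InResponseTo is correlated with an AuthnRequest the SP sent within authnRequestTime -->
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <!-- Issuer is checked against pkixTrustEngine > trustedIssuers and becomes the realm
       name when realmIdentifier is not set -->
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_assert-0001" Version="2.0" IssueInstant="2017-12-12T10:00:00Z">
    <!-- the assertion ID is remembered for tokenReplayTimeout so a replayed copy is rejected -->
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <!-- a ds:Signature over this Assertion goes here; it is required when
         wantAssertionsSigned="true" and is verified against pkixTrustEngine > trustAnchorRef -->
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <!-- Format must match nameIDFormat; the value is the principal name unless
           userIdentifier names an attribute below -->
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-12-12T10:05:00Z"
                                      Recipient="https://sp.example.com:9443/ibm/saml20/defaultSP/acs"
                                      InResponseTo="_authnreq-0001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-12-12T09:59:00Z" NotOnOrAfter="2017-12-12T10:05:00Z">
      <!-- both bounds are evaluated with clockSkew tolerance; NotOnOrAfter also drives
           reAuthnOnAssertionExpire and reAuthnCushion -->
      <saml:AudienceRestriction>
        <!-- must appear in the audiences element unless audiences is ANY -->
        <saml:Audience>https://sp.example.com:9443/ibm/saml20/defaultSP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2017-12-12T09:59:30Z" SessionIndex="_sess-0001"
                         SessionNotOnOrAfter="2017-12-12T12:00:00Z">
      <!-- SessionNotOnOrAfter takes precedence over the sessionNotOnOrAfter default of 120m -->
      <saml:AuthnContext>
        <!-- compared with authnContextClassRef using authnContextComparisonType -->
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <!-- userIdentifier="uid" would make this value the principal name -->
      <saml:Attribute Name="uid">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
      <!-- groupIdentifier="groups" would add these values as group names in the subject -->
      <saml:Attribute Name="groups">
        <saml:AttributeValue>admins</saml:AttributeValue>
        <saml:AttributeValue>developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
```

When a login fails, comparing the received response against this map is the quickest way to tell which attribute rejected it: a wrong Audience points at audiences, an unexpected Issuer at trustedIssuers, and timestamps outside NotBefore/NotOnOrAfter at clock drift that clockSkew is meant to absorb rather than hide.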
audiences
Description: The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.
Required: false
Data type: string
authFilter
Description: Specifies the authentication filter reference.
Required: false
Data type:
authFilter > host
Description: Matches a request on its host name.
Required: false
Data type:
Attribute name Data type Default value Description
id string   A unique configuration ID.
matchType
  • equals
  • contains
  • notContain
contains Specifies the match type.
equals
Equals
contains
Contains
notContain
Not contain
name string   Specifies the name.
authFilter > remoteAddress
Description: Matches a request on the client (remote) IP address.
Required: false
Data type:
Attribute name Data type Default value Description
id string   A unique configuration ID.
ip string   Specifies the IP address.
matchType
  • lessThan
  • equals
  • greaterThan
  • contains
  • notContain
contains Specifies the match type.
lessThan
Less than
equals
Equals
greaterThan
Greater than
contains
Contains
notContain
Not contain
authFilter > requestUrl
Description: Matches a request on its URL.
Required: false
Data type:
Attribute name Data type Default value Description
id string   A unique configuration ID.
matchType
  • equals
  • contains
  • notContain
contains Specifies the match type.
equals
Equals
contains
Contains
notContain
Not contain
urlPattern string   Specifies the URL pattern.
authFilter > userAgent
Description: Matches a request on its User-Agent header.
Required: false
Data type:
Attribute name Data type Default value Description
agent string   Specifies the user agent.
id string   A unique configuration ID.
matchType
  • equals
  • contains
  • notContain
contains Specifies the match type.
equals
Equals
contains
Contains
notContain
Not contain
authFilter > webApp
Description: Matches a request on the name of the web application it targets.
Required: false
Data type:
Attribute name Data type Default value Description
id string   A unique configuration ID.
matchType
  • equals
  • contains
  • notContain
contains Specifies the match type.
equals
Equals
contains
Contains
notContain
Not contain
name string   Specifies the name.
authnContextClassRef
Description: A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.
Required: false
Data type: string
headerName
Description: The header name of the HTTP request which stores the SAML Token.
Required: false
Data type: string
pkixTrustEngine
Description: Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.
Required: false
Data type:
Attribute name Data type Default value Description
trustAnchorRef A reference to top level keyStore element (string).   A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion.
pkixTrustEngine > crl
Description: Specifies a certificate revocation list (CRL) that is consulted when the certificate that signed the SAML response is validated.
Required: false
Data type:
Attribute name Data type Default value Description
id string   A unique configuration ID.
path string   Specifies the path to the certificate revocation list (CRL) file.
pkixTrustEngine > trustedIssuers
Description: Specifies the identities of trusted IdP issuers. If the value is "ALL_ISSUERS", then all IdP identities are trusted.
Required: false
Data type: string
pkixTrustEngine > x509Certificate
Description: Specifies an X.509 certificate file to use as a trust anchor for signature validation.
Required: false
Data type:
Attribute name Data type Default value Description
id string   A unique configuration ID.
path string   Specifies the path to the x509 certificate.
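Putting the reference together, the following server.xml fragment is an added example and not IBM's sample configuration. It first shows a permissive service provider, kept inactive with enabled="false", in which each setting relaxes a check documented above, and then a hardened one that uses the audiences, authnContextClassRef, pkixTrustEngine and authFilter elements. The samlWeb-2.0 feature name, keystore file names, the ${env.NAME} variable syntax, host names, issuer and audience values, and the /ibm/saml20/<spId> endpoint path convention are assumptions for illustration; check them against your IdP metadata and your Liberty release.

```xml
<server>
  <!-- Added example, not IBM's. Feature name, file names, host names, issuer,
       audience and ${env.*} variables are assumptions. -->
  <featureManager>
    <feature>samlWeb-2.0</feature>
  </featureManager>

  <!-- Private key for signing AuthnRequests and decrypting EncryptedAssertion -->
  <keyStore id="samlSPKeyStore" location="${server.config.dir}/resources/security/sp-key.p12"
            type="PKCS12" password="${env.SP_KEYSTORE_PASSWORD}"/>
  <!-- IdP signing certificate (or its CA) used as trust anchor for response signatures -->
  <keyStore id="idpTrustStore" location="${server.config.dir}/resources/security/idp-trust.p12"
            type="PKCS12" password="${env.IDP_TRUSTSTORE_PASSWORD}"/>

  <!-- Permissive SP, kept inactive with enabled="false" so it cannot be used by mistake.
       Each attribute below switches off a check that the hardened element keeps. -->
  <samlWebSso20 id="weakSP" enabled="false"
                httpsRequired="false"
                authnRequestsSigned="false"
                wantAssertionsSigned="false"
                signatureMethodAlgorithm="SHA1"
                clockSkew="60m"
                sessionNotOnOrAfter="24h">
    <!-- httpsRequired=false: the acs endpoint accepts the bearer assertion over plain HTTP
         authnRequestsSigned=false: the IdP cannot verify who sent the AuthnRequest
         wantAssertionsSigned=false: unsigned assertions are accepted
         SHA1: deprecated digest for signatures
         clockSkew=60m: widens every NotBefore/NotOnOrAfter window by an hour
         sessionNotOnOrAfter=24h: a day without re-authentication when the IdP sets no bound -->
    <!-- ANY: an assertion issued for a different SP is accepted here -->
    <audiences>ANY</audiences>
    <pkixTrustEngine trustAnchorRef="idpTrustStore">
      <!-- ALL_ISSUERS: any issuer whose signing certificate chains to the trust store -->
      <trustedIssuers>ALL_ISSUERS</trustedIssuers>
    </pkixTrustEngine>
  </samlWebSso20>

  <!-- Hardened SP -->
  <samlWebSso20 id="defaultSP"
                idpMetadata="${server.config.dir}/resources/security/idpMetadata.xml"
                keyStoreRef="samlSPKeyStore" keyAlias="samlsp"
                httpsRequired="true" authnRequestsSigned="true" wantAssertionsSigned="true"
                signatureMethodAlgorithm="SHA256"
                nameIDFormat="email"
                authnContextComparisonType="minimum"
                clockSkew="3m" authnRequestTime="5m" tokenReplayTimeout="30m"
                sessionNotOnOrAfter="60m" reAuthnOnAssertionExpire="true" reAuthnCushion="1m"
                mapToUserRegistry="No" realmName="corp-idp"
                userIdentifier="uid" groupIdentifier="groups"
                disableLtpaCookie="true"
                errorPageURL="https://sp.example.com:9443/saml-error.html"
                authFilterRef="samlFilter">
    <!-- Only assertions addressed to this SP's entity ID are accepted -->
    <audiences>https://sp.example.com:9443/ibm/saml20/defaultSP</audiences>
    <!-- Ask the IdP for at least password-over-TLS authentication -->
    <authnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</authnContextClassRef>
    <!-- Signatures must chain to idpTrustStore, come from the named issuer,
         and the signing certificate must not appear in the CRL -->
    <pkixTrustEngine trustAnchorRef="idpTrustStore">
      <trustedIssuers>https://idp.example.com/saml</trustedIssuers>
      <crl path="${server.config.dir}/resources/security/idp-ca.crl"/>
    </pkixTrustEngine>
  </samlWebSso20>

  <!-- Apply SAML only to /secure paths and skip a monitoring probe identified by its User-Agent -->
  <authFilter id="samlFilter">
    <requestUrl id="secureUrls" urlPattern="/secure" matchType="contains"/>
    <userAgent id="skipProbe" agent="uptime-probe" matchType="notContain"/>
  </authFilter>
</server>
```

Two settings in the hardened element deserve a second look before deployment. mapToUserRegistry="No" means authorization decisions rest entirely on the groups attribute the IdP asserts, so the IdP must be trusted to populate it; switch to User or Group if local registry membership is the source of truth. And the authFilter that excludes a User-Agent is a convenience, not a control: anyone can send that header, so the paths it exempts must not need authentication.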

Reference topic

Last updated: Tuesday, 12 December 2017
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-libcore-mp&topic=rwlp_config_samlWebSso20
File name: rwlp_config_samlWebSso20.html