This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
SAML Web SSO 2.0 Authentication (samlWebSso20)
Controls the operation of the Security Assertion Markup Language Web SSO 2.0 Mechanism.
Attribute name | Data type | Default value | Description |
---|---|---|---|
allowCreate | boolean | Allow the IdP to create a new account if the requesting user does not have one. | |
allowCustomCacheKey | boolean | true | Allow generating a custom cache key to access the authentication cache and get the subject. |
authFilterRef | A reference to top level authFilter element (string). | Specifies the authentication filter reference. | |
authnContextComparisonType |
|
exact | When an authnContextClassRef is specified, the authnContextComparisonType can be set.
|
authnRequestTime | A period of time with millisecond precision | 10m | Specifies the life time period of an authnReuqest which is generated and sent from the service provider to an IdP for requesting a SAML Token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
authnRequestsSigned | boolean | true | Indicates whether the <samlp:AuthnRequest> messages sent by this service provider will be signed. |
clockSkew | A period of time with millisecond precision | 5m | This is used to specify the allowed clock skew in minutes when validating the SAML token. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
createSession | boolean | true | Specifies whether to create an HttpSession if the current HttpSession does not exist. |
customizeNameIDFormat | string | Specifies the customized URI reference corresponding to a name identifier format that is not defined in the SAML core specification. | |
disableLtpaCookie | boolean | true | Do not create an LTPA Token during processing of the SAML Assertion. Create a cookie of the specific Service Provider instead. |
enabled | boolean | true | The service provider is enabled if true and disabled if false. |
errorPageURL | string | Specifies an error page to be displayed if the SAML validation fails. If this attribute is not specified, and the received SAML is invalid, the user will be redirected back to the SAML IdP to restart SSO. | |
forceAuthn | boolean | false | Indicates whether the IdP should force the user to re-authenticate. |
groupIdentifier | string | Specifies a SAML attribute that is used as the name of the group that the authenticated principal is a member of. There is no default value. | |
httpsRequired | boolean | true | Enforce using SSL communication when accessing a SAML WebSSO service provider end point such as acs or metadata. |
id | string | A unique configuration ID. | |
idpMetadata | string | ${server.config.dir}/resources/security/idpMetadata.xml | Specifies the IdP metadata file. |
inboundPropagation |
|
none | Controls the operation of the Security Assertion Markup Language Web SSO 2.0 for the inbound propagation of the Web Services Mechanisms.
|
includeTokenInSubject | boolean | true | Specifies whether to include a SAML assertion in the subject. |
includeX509InSPMetadata | boolean | true | Specifies whether to include the x509 certificate in the Liberty SP metadata. |
isPassive | boolean | false | Indicates IdP must not take control of the end user interface. |
keyAlias | string | Key alias name to locate the private key for signing and decryption. This is optional if the keystore has exactly one key entry, or if it has one key with an alias of 'samlsp'. | |
keyStoreRef | A reference to top level keyStore element (string). | A keystore containing the private key for the signing of the AuthnRequest, and the decryption of EncryptedAssertion element. The default is the server's default. | |
loginPageURL | string | Specifies the SAML IdP login application URL to which an unauthenticated request is redirected. This attribute triggers IdP-initiated SSO, and it is only required for IdP-initiated SSO. | |
mapToUserRegistry |
|
No | Specifies how to map an identity to a registry user. The options are No, User, and Group. The default is No, and the user registry is not used to create the user subject.
|
nameIDFormat |
|
Specifies the URI reference corresponding to a name identifier format defined in the SAML core specification.
|
|
reAuthnCushion | A period of time with millisecond precision | 0m | The time period to authenticate again when a SAML Assertion is about to expire, which is indicated by either the statement NotOnOrAfter or the attribute SessionNotOnOrAfter of the SAML Assertion. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
reAuthnOnAssertionExpire | boolean | false | Authenticate the incoming HTTP request again when a SAML Assertion is about to expire. |
realmIdentifier | string | Specifies a SAML attribute that is used as the realm name. If no value is specified, the Issuer SAML assertion element value is used. | |
realmName | string | Specifies a realm name when mapToUserRegistry is set to No or Group. | |
sessionNotOnOrAfter | A period of time with millisecond precision | 120m | Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP. If the SAML token returned from the IdP does not contain a sessionNotOnOrAfter assertion, the value specified by this attribute is used. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
signatureMethodAlgorithm |
|
SHA256 | Indicates the required algorithm by this service provider.
|
spHostAndPort | string | Specifies a SAML service provider host name and port number. | |
targetPageUrl | string | The default landing page for the IdP-initiated SSO if the relayState is missing. | |
tokenReplayTimeout | A period of time with millisecond precision | 30m | This property is used to specify how long the Liberty SP should prevent token replay. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. You can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds. |
userIdentifier | string | Specifies a SAML attribute that is used as the user principal name in the subject. If no value is specified, the NameID SAML assertion element value is used. | |
userUniqueIdentifier | string | Specifies a SAML attribute that is used as the unique user name as it applies to the WSCredential in the subject. The default is the same as the userIdentifier attribute value. | |
wantAssertionsSigned | boolean | true | Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed. |
- audiences
Description: The list of audiences which are trusted to verify the audience of the SAML Token. If the value is "ANY", then all audiences are trusted.Required: falseData type: string
- authFilter
Description: Specifies the authentication filter reference.Required: falseData type: - authFilter > host
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
name string Specifies the name.
- authFilter > remoteAddress
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. ip string Specifies the IP address. matchType - lessThan
- equals
- greaterThan
- contains
- notContain
contains Specifies the match type. - lessThan
- Less than
- equals
- Equals
- greaterThan
- Greater than
- contains
- Contains
- notContain
- Not contain
- authFilter > requestUrl
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
urlPattern string Specifies the URL pattern.
- authFilter > userAgent
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description agent string Specifies the user agent id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
- authFilter > webApp
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. matchType - equals
- contains
- notContain
contains Specifies the match type. - equals
- Equals
- contains
- Contains
- notContain
- Not contain
name string Specifies the name.
- authnContextClassRef
Description: A URI reference identifying an authentication context class that describes the authentication context declaration. The default is null.Required: falseData type: string
- headerName
Description: The header name of the HTTP request which stores the SAML Token.Required: falseData type: string
- pkixTrustEngine
Description: Specifies the PKIX trust information that is used to evaluate the trustworthiness and validity of XML signatures in a SAML response. Do not specify multiple pkixTrustEngine in a samlWebSso20.Required: falseData type: Attribute name Data type Default value Description trustAnchorRef A reference to top level keyStore element (string). A keystore containing the public key necessary for verifying the signature of the SAMLResponse and Assertion. - pkixTrustEngine > crl
Description: A unique configuration ID.Required: falseData type: Attribute name Data type Default value Description id string A unique configuration ID. path string Specifies the path to the crl.