SamlIdPEndpoint

SAML identity provider endpoint configuration allows you to create and edit the configuration settings for SAML IdP federation endpoints.

Description

Description of the configuration object

Context path

The context path of the web application. If not specified, the context path is set to the default 'unknown' value.

Do exclude from authorization

Whether or not the web application shall be excluded from the authorization process defined by the DirX Access PEP.

Port assignment identifiers

Identifiers of the port assignments for the web application. Port assignments specify the HTTP(S) ports on which the web application will listen.

Primary port assignment identifier

Identifier of the primary port assignment for the given web application. It can be used to calculate the FEP location if the location is not specified.

CORS parameters

Additional CORS parameters to those already generated from the existing endpoint configuration. CORS parameters are used to filter CORS requests.

Allowed origins

Origins allowed in the Origin header when filtering CORS requests. This parameter has to be combined with 'allowedMethods' and 'allowedHeaders'. According to the CORS specification, the Origin header can contain the string null. It is possible to include this string in this configuration property, with the following meaning:

  • without null included - an Origin header of null leads to the response FORBIDDEN,

  • with null included - an Origin header of null leads to the request being further processed,

  • * also enables the null string.

Allowed methods

HTTP request methods which the CORS filter will accept. Set GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH to allow any HTTP request method.

Allowed headers

HTTP request headers which the CORS filter will accept. Set * to allow any HTTP request header.
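The CORS decision described by the three parameters above, as an added example (not DirX Access code): it models the literal "null" origin, the "*" wildcard, and the method and header checks. The function names, the result strings and the treatment of requests without an Origin header are assumptions.

```python
# Added example, not DirX Access code: models the CORS parameter semantics
# described on this page (allowed origins, methods and headers, including the
# literal "null" origin and the "*" wildcard). Names are assumptions, as is
# treating a request without an Origin header as a non-CORS request.
from dataclasses import dataclass

# Listing all nine methods is this page's way of allowing any HTTP method.
ALL_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE",
                         "CONNECT", "OPTIONS", "TRACE", "PATCH"})

@dataclass(frozen=True)
class CorsParameters:
    allowed_origins: frozenset   # may contain the literal "null" and/or "*"
    allowed_methods: frozenset
    allowed_headers: frozenset   # "*" allows any request header

def origin_allowed(params: CorsParameters, origin: str) -> bool:
    # "*" enables every origin, including the literal string "null";
    # otherwise "null" is accepted only when it was configured explicitly.
    return "*" in params.allowed_origins or origin in params.allowed_origins

def method_allowed(params: CorsParameters, method: str) -> bool:
    return method.upper() in {m.upper() for m in params.allowed_methods}

def headers_allowed(params: CorsParameters, requested) -> bool:
    if "*" in params.allowed_headers:
        return True
    allowed = {h.lower() for h in params.allowed_headers}  # names are case-insensitive
    return all(h.lower() in allowed for h in requested)

def filter_cors(params: CorsParameters, origin, method: str, requested_headers=()) -> str:
    """Decide what the filter does with one request.

    Returns "NOT_CORS" (no Origin header, passed through unchanged),
    "FORBIDDEN" (the request is rejected) or "PROCESS" (the request is
    processed further, i.e. handed on to the endpoint)."""
    if origin is None:
        return "NOT_CORS"
    if not origin_allowed(params, origin):
        return "FORBIDDEN"
    if not method_allowed(params, method):
        return "FORBIDDEN"
    if not headers_allowed(params, requested_headers):
        return "FORBIDDEN"
    return "PROCESS"

# Constructed sample configurations covering the three "null" cases above.
STRICT = CorsParameters(frozenset({"https://sp.example.com"}), ALL_METHODS, frozenset({"content-type"}))
WITH_NULL = CorsParameters(frozenset({"https://sp.example.com", "null"}), frozenset({"GET", "POST"}), frozenset({"*"}))
WILDCARD = CorsParameters(frozenset({"*"}), frozenset({"GET"}), frozenset({"*"}))
```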

Signature validation

The signature validation policy. Currently recognized values are:

  • disabled - no validation is performed;

  • optional - if the signature is present, it is validated and it must pass the validation check;

  • required - the signature must be present and it must pass the validation check.

  • Allowed Values:

    • disabled

    • optional

    • required

Do perform certificate path validation

Whether or not certificate path validation according to RFC 3280 and RFC 5280 is enabled. When the validation is disabled, the complete certificate path is still built up to the trust anchor certificate, and the certificate signatures are validated for all certificates in the path. As a result, a successfully validated certificate can be assumed to be trusted.

Do trim certificate paths

Whether or not trusted CA certificates are trimmed from the certificate chains of end-user and CA certificates before the certificate validation.

Certificate revocation check

The certificate revocation check policy. Currently recognized values are none (nocheck), CRL (crlcheck), OCSP (ocspcheck) and CRL with OCSP (bothcheck).

  • Allowed Values:

    • nocheck

    • crlcheck

    • ocspcheck

    • bothcheck

FEP keystore

The holder of the key store configuration of the FEP.

Keystore identifier

The identifier of the keystore used for cryptography purposes. It can be selected from items already configured.

Keystore password

The password of the keystore object.

Signing key alias

The alias of the key entry contained in the keystore which will be used for signing purposes. The alias is selected from the keystore’s key entry aliases.

Signing key password

The signing key entry password.

Signature method

XML signature method. The method is used for SAML protocol messages, SAML assertions, and SAML metadata.

Decryption key alias

The alias of the key entry contained in the keystore which will be used for decryption purposes. The alias is selected from the keystore's key entry aliases.

Decryption key password

The decryption key entry password.

Signature validation certificate aliases

The aliases of the certificates contained in the keystore which will be used by the peer side for signature validation purposes. The related certificates are published in the metadata of this FEP endpoint.

Encryption certificate aliases

The aliases of the certificates contained in the FEP keystore which will be used by the peer side for encryption purposes. The related certificates are published in the metadata of this FEP endpoint.

Entity identifier

Input for the metadata of this endpoint. If no value is provided, the value 'unknown' is used by default.

Organization name

Input for the metadata of this endpoint.

Organization display name

Input for the metadata of this endpoint.

Organization URL

Input for the metadata of this endpoint.

SAML version URI

The version of the SAML protocol in use with this SAML FEP.

Do sign (outgoing) SAML request messages

Whether or not outgoing SAML request messages should be signed.

Do sign (outgoing) SAML response messages

Whether or not outgoing SAML response messages should be signed.

Do encrypt SAML NameID elements in (outgoing) messages

Whether or not SAML name identifier elements in outgoing response messages should be encrypted.

Do imprint certificates

Whether or not certificates should be included in KeyInfo elements when signing or encrypting XML elements.

Do want (incoming) SAML request messages signed

Whether or not incoming SAML request messages should be signed.

Do want (incoming) SAML response messages signed

Whether or not incoming SAML response messages should be signed.

Request timeout

The SAML request timeout.

Response timeout

The SAML response timeout.

Artifact timeout

The SAML artifact timeout.

Time difference tolerance

The accepted time difference tolerance between the IdP and SP machine clocks.

Session validation interval

The SSO session validation interval.

Do allow override

Whether or not HTTP request-specific properties may override configuration settings (for the particular request).

Whether or not quotation marks in common domain cookies are to be avoided. When unchecked, common domain cookies are set through HttpServletResponse.addCookie and may result in quoted strings, where the quotation marks are added by the Servlet container depending on the characters in the value. When checked, common domain cookies are set through HTTP headers (HttpServletResponse.addHeader).

Metadata update interval

The interval at which metadata with a configured URL is periodically reloaded. Set to zero or a negative number to disable this feature. If a metadata URL is accessed via TLS, the DirX Access Services container JRE keystore is used for the purposes of certificate path validation.

Peer SAML metadata identifiers

The identifiers for the peer SAML metadata objects.

PEP identifier (required for SAML SSO use case)

The identifier of the Web PEP configuration object in use with the SAML FEP for SAML Web SSO use cases.

Key Encryption Algorithm

Defines the algorithm used to encrypt the symmetric key. This option only applies if encryption is enabled. It is used when encrypting the NameId (SP and IdP), assertions (IdP) or attribute statements (IdP).

  • RSA1_5 - Uses RSA PKCS#1 v1.5 padding for key encryption.

  • RSA_OAEP - Uses RSA Optimal Asymmetric Encryption Padding (OAEP) for improved security.

  • RSA_OAEP_11 - Uses RSA OAEP with a stronger hash function.

  • Allowed Values:

    • RSA1_5

    • RSA_OAEP

    • RSA_OAEP_11

Key Placement

Determines where the encrypted key is placed within the SAML response. This option only applies if encryption is enabled. It is effective during encryption of the NameId (SP and IdP), assertions (IdP) or attribute statements (IdP).

  • INLINE - The encrypted key is embedded inside the EncryptedData element.

  • PEER - The encrypted key is placed in a separate element outside the EncryptedData element.

  • Allowed Values:

    • PEER

    • INLINE

Encryption Algorithm

Specifies the symmetric encryption algorithm used to secure the SAML assertion, if encryption is enabled. This option applies to encryption of NameId (SP and IdP), assertions (IdP), or attribute statements (IdP).

  • AES_128_CBC - Uses AES encryption with a 128-bit key in Cipher Block Chaining (CBC) mode.

  • AES_192_CBC - Uses AES encryption with a 192-bit key in CBC mode.

  • AES_256_CBC - Uses AES encryption with a 256-bit key in CBC mode.

  • AES_128_GCM - Uses AES encryption with a 128-bit key in Galois/Counter Mode (GCM), providing authenticated encryption with improved security over CBC.

  • AES_192_GCM - Uses AES encryption with a 192-bit key in GCM mode.

  • AES_256_GCM - Uses AES encryption with a 256-bit key in GCM mode.

  • Allowed Values:

    • AES_128_CBC

    • AES_192_CBC

    • AES_256_CBC

    • AES_128_GCM

    • AES_192_GCM

    • AES_256_GCM

IDP SSO descriptor services

The selection of services to be published in the metadata of this endpoint.

Authentication authority descriptor services

The selection of services to be published in the metadata of this endpoint.

PDP descriptor services

The selection of services to be published in the metadata of this endpoint.

Attribute authority descriptor services

The selection of services to be published in the metadata of this endpoint.

Do encrypt SAML assertions

Whether or not SAML assertions should be encrypted (applicable to SAML 'SingleSignOnService').

Do allow initial authentication

Whether or not the SAML Proxying IdP endpoint can perform initial user authentication when the requirement for SAML proxying is not specified in the incoming 'AuthnRequest' (applicable to the SAML 'SingleSignOnService').

SAML assertion construction template identifiers (SingleSignOnService)

The identifiers of the SAML assertion construction templates (required for SAML 'SingleSignOnService').

The identifier of the user consent callout handler for the SAML 'SingleSignOnService'.

Do encrypt SAML assertions with AttributeService

Whether or not SAML assertion elements should be encrypted (for the SAML 'AttributeService').

SAML assertion construction template identifiers (AttributeService)

The identifiers of the SAML assertion construction templates (required for the SAML 'AttributeService').

PEP identifier

The identifier of the PEP for the SAML 'AuthzDecisionService' and 'XACMLAuthzService' (required for SAML 'AuthzDecisionService' and 'XACMLAuthzService').