SamlSPEndpoint

SAML service provider endpoint configuration allows you to create and edit the configuration settings for SAML SP FEPs.

Description

Description of the configuration object

Context path

The context path of the web application. If not specified, the context path is set to the default 'unknown' value.

Do exclude from authorization

Whether or not the web application shall be excluded from the authorization process defined by the DirX Access PEP.

Port assignment identifiers

Identifiers of the port assignments for the web application. Port assignments specify the HTTP(S) ports on which the web application will listen.

Primary port assignment identifier

Identifier of the primary port assignment for the given web application. It is used to calculate the FEP location if no location is specified explicitly.

CORS parameters

Additional CORS parameters to those already generated from the existing endpoint configuration. CORS parameters are used to filter CORS requests.

Allowed origins

Origins allowed in the Origin header when filtering CORS requests. This parameter has to be combined with 'allowedMethods' and 'allowedHeaders'. According to the CORS specification, the Origin header can contain the literal string null (for example for requests issued from sandboxed documents). It is possible to include this string in this configuration property, with the following meaning:

  • without null included - an Origin header of null leads to a FORBIDDEN response,

  • with null included - an Origin header of null leads to the request being further processed,

  • * also enables the null string (and every other origin, so use it only for endpoints that are meant to be reachable from any site).

Allowed methods

HTTP request methods which the CORS filter will accept. Set GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH to allow any HTTP request method.

Allowed headers

HTTP request headers which the CORS filter will accept. Set * to allow any HTTP request header.
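The following is an added example, not code from DirX Access: a small CORS filter in Python that implements the origin, method and header semantics described above, including the three cases for the literal null origin. The CorsConfig class, the cors_decision function and the sample configurations are assumptions made for this illustration, not the product's API.

```python
from dataclasses import dataclass
from typing import Dict, List

FORBIDDEN = "FORBIDDEN"
PROCEED = "PROCEED"


@dataclass(frozen=True)
class CorsConfig:
    """Hypothetical holder for the three CORS settings (allowed origins, methods, headers)."""
    allowed_origins: frozenset
    allowed_methods: frozenset
    allowed_headers: frozenset


def origin_allowed(origin: str, cfg: CorsConfig) -> bool:
    """'*' admits every origin, including the literal "null" the CORS spec permits for
    opaque origins (sandboxed iframes, file:// pages). Without '*', "null" is accepted
    only when it is listed explicitly."""
    return "*" in cfg.allowed_origins or origin in cfg.allowed_origins


def method_allowed(method: str, cfg: CorsConfig) -> bool:
    return method.upper() in {m.upper() for m in cfg.allowed_methods}


def headers_allowed(requested: List[str], cfg: CorsConfig) -> bool:
    if "*" in cfg.allowed_headers:
        return True
    allowed = {h.lower() for h in cfg.allowed_headers}
    return all(h.lower() in allowed for h in requested)


def cors_decision(method: str, headers: Dict[str, str], cfg: CorsConfig) -> str:
    """Filter decision for one request; headers are given as a name -> value dict."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return PROCEED  # no Origin header: not a cross-origin request, nothing to filter
    if not origin_allowed(origin, cfg):
        return FORBIDDEN
    if method.upper() == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: the browser asks about the method and headers of the actual request.
        actual_method = h["access-control-request-method"]
        requested = [x.strip() for x in h.get("access-control-request-headers", "").split(",") if x.strip()]
        if not method_allowed(actual_method, cfg) or not headers_allowed(requested, cfg):
            return FORBIDDEN
        return PROCEED
    # Actual request: only the method is checked here; header filtering happens at preflight.
    return PROCEED if method_allowed(method, cfg) else FORBIDDEN


# Constructed configurations illustrating the three cases for the "null" origin.
STRICT = CorsConfig(frozenset({"https://portal.example.test"}),
                    frozenset({"GET", "POST"}), frozenset({"content-type"}))
WITH_NULL = CorsConfig(frozenset({"https://portal.example.test", "null"}),
                       STRICT.allowed_methods, STRICT.allowed_headers)
WILDCARD = CorsConfig(frozenset({"*"}), STRICT.allowed_methods, STRICT.allowed_headers)

if __name__ == "__main__":
    for name, cfg in (("strict", STRICT), ("with null", WITH_NULL), ("wildcard", WILDCARD)):
        print(name, cors_decision("GET", {"Origin": "null"}, cfg))
```

Running the block prints FORBIDDEN for the strict configuration and PROCEED for the other two, which is the behaviour the three bullets above describe.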

Signature validation

The signature validation policy. Currently recognized values are:

  • disabled - no validation is performed;

  • optional - if the signature is present, it is validated and it must pass the validation check;

  • required - the signature must be present and it must pass the validation check.

  • Allowed Values:

    • disabled

    • optional

    • required

Do perform certificate path validation

Whether or not certificate path validation according to RFC 3280 and RFC 5280 is enabled. Even when the validation is disabled, the complete certificate path is still built up to the trust anchor certificate and the signatures of all certificates in the path are verified, so a certificate that passes this step can still be assumed to chain to a trusted anchor. What is skipped in that case are the remaining checks of RFC 5280 path validation, such as the validity periods and the constraints carried in certificate extensions, so disabling it relaxes the trust decision rather than merely saving work.

Do trim certificate paths

Whether or not trusted CA certificates are trimmed from the certificate chains of end-user and CA certificates before certificate validation.

Certificate revocation check

The certificate revocation check policy. Currently recognized values are none (nocheck), CRL (crlcheck), OCSP (ocspcheck) and CRL with OCSP (bothcheck).

  • Allowed Values:

    • nocheck

    • crlcheck

    • ocspcheck

    • bothcheck

FEP keystore

The object holding the keystore configuration of the FEP.

Keystore identifier

The identifier of the keystore used for cryptography purposes. It can be selected from items already configured.

Keystore password

The password of the keystore object.

Signing key alias

The alias of the key entry contained in the keystore which will be used for signing purposes. The alias is selected from the keystore’s key entry aliases.

Signing key password

The signing key entry password.

Signature method

XML signature method. The method is used for SAML protocol messages, SAML assertions, and SAML metadata.

Decryption key alias

The alias of the key entry contained in the keystore which will be used for decrypting purposes. The alias is selected from the keystore’s key entry aliases.

Decryption key password

The decrypting key entry password.

Signature validation certificate aliases

The aliases of the certificates contained in the keystore which the peer side will use to validate signatures produced by this FEP. The related certificates are published in the metadata of this FEP endpoint.

Encryption certificate aliases

The aliases of the certificates contained in the FEP keystore which the peer side will use to encrypt data for this FEP. The related certificates are published in the metadata of this FEP endpoint.

Entity identifier

Input for the metadata of this endpoint. If no value is provided, the value 'unknown' is used by default.

Organization name

Input for the metadata of this endpoint.

Organization display name

Input for the metadata of this endpoint.

Organization URL

Input for the metadata of this endpoint.

SAML version URI

The version of the SAML protocol in use with this SAML FEP.

Do sign (outgoing) SAML request messages

Whether or not outgoing SAML request messages should be signed.

Do sign (outgoing) SAML response messages

Whether or not outgoing SAML response messages should be signed.

Do encrypt SAML NameID elements in (outgoing) messages

Whether or not SAML name identifier elements in outgoing response messages should be encrypted.

Do imprint certificates

Whether or not certificates should be included in KeyInfo elements when signing or encrypting XML elements.

Do want (incoming) SAML request messages signed

Whether or not incoming SAML request messages should be signed.

Do want (incoming) SAML response messages signed

Whether or not incoming SAML response messages should be signed.

Request timeout

The SAML request timeout.

Response timeout

The SAML response timeout.

Artifact timeout

The SAML artifact timeout.

Time difference tolerance

The accepted time difference tolerance between the IdP and SP machine clocks.
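An added example, not DirX Access code, of how the request timeout, the response timeout and the clock-skew tolerance are typically applied when an SP validates a SAML response: the tolerance widens the NotBefore/NotOnOrAfter window on both edges, the response timeout bounds how old a response's IssueInstant may be, and the request timeout bounds how long an issued AuthnRequest ID stays acceptable for InResponseTo correlation (consumed once, so a replayed response is rejected). The function names, the in-memory request store and the sample timestamps are assumptions for this illustration; how the product applies these settings internally may differ in detail.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_validity(now: datetime, not_before: Optional[datetime],
                    not_on_or_after: Optional[datetime], tolerance: timedelta) -> bool:
    """Conditions/NotBefore and NotOnOrAfter check, widened by the clock-skew tolerance
    on both edges. A tolerance of zero means the IdP's clock must match exactly."""
    if not_before is not None and now + tolerance < not_before:
        return False            # assertion not yet valid, even allowing for skew
    if not_on_or_after is not None and now - tolerance >= not_on_or_after:
        return False            # assertion expired, even allowing for skew
    return True


def response_is_fresh(now: datetime, issue_instant: datetime,
                      response_timeout: timedelta, tolerance: timedelta) -> bool:
    """The response's IssueInstant may be at most 'response_timeout' old (plus skew)
    and not further in the future than the skew tolerance allows."""
    if issue_instant > now + tolerance:
        return False
    return now - issue_instant <= response_timeout + tolerance


class OutstandingRequests:
    """Tracks AuthnRequest IDs this SP has issued. A response is correlated through
    InResponseTo; the ID is consumed on first use (a replayed response is rejected)
    and is only accepted while the request timeout has not elapsed."""

    def __init__(self, request_timeout: timedelta) -> None:
        self.request_timeout = request_timeout
        self._issued: Dict[str, datetime] = {}

    def issue(self, request_id: str, issued_at: datetime) -> None:
        self._issued[request_id] = issued_at

    def consume(self, in_response_to: str, now: datetime) -> bool:
        issued_at = self._issued.pop(in_response_to, None)
        if issued_at is None:
            return False        # unknown, or already consumed (replay)
        return now - issued_at <= self.request_timeout

    def purge(self, now: datetime) -> int:
        """Drops expired IDs so the store does not grow with abandoned logins."""
        expired = [rid for rid, t in self._issued.items() if now - t > self.request_timeout]
        for rid in expired:
            del self._issued[rid]
        return len(expired)


def validate_timing(now: datetime, response: Dict[str, str], outstanding: OutstandingRequests,
                    response_timeout: timedelta, tolerance: timedelta) -> Dict[str, bool]:
    """Runs the three time-related checks on a response given as a dict of its
    timestamp attributes (constructed input; a real SP reads them from the XML)."""
    return {
        "in_response_to": outstanding.consume(response["InResponseTo"], now),
        "fresh": response_is_fresh(now, parse_saml_time(response["IssueInstant"]),
                                   response_timeout, tolerance),
        "conditions": within_validity(now, parse_saml_time(response["NotBefore"]),
                                      parse_saml_time(response["NotOnOrAfter"]), tolerance),
    }


if __name__ == "__main__":
    now = parse_saml_time("2024-05-01T12:00:00Z")
    store = OutstandingRequests(request_timeout=timedelta(minutes=5))
    store.issue("_req1", parse_saml_time("2024-05-01T11:58:00Z"))
    sample = {"InResponseTo": "_req1", "IssueInstant": "2024-05-01T11:59:40Z",
              "NotBefore": "2024-05-01T12:00:30Z", "NotOnOrAfter": "2024-05-01T12:05:00Z"}
    print(validate_timing(now, sample, store, timedelta(minutes=2), timedelta(seconds=60)))
```

In the sample run the assertion's NotBefore lies 30 seconds in the future relative to the SP clock; with a 60-second tolerance it is accepted, with a tolerance of zero it would be rejected, which is exactly the trade-off this setting controls.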

Session validation interval

The SSO session validation interval.

Do allow override

Whether or not HTTP request-specific properties may override configuration settings (for the particular request).

Do avoid quotation marks in common domain cookies

Whether or not quotation marks in common domain cookies are to be avoided. When unchecked, common domain cookies are set through HttpServletResponse.addCookie, and the Servlet container may wrap the value in quotation marks depending on the characters it contains. When checked, common domain cookies are set as Set-Cookie HTTP headers through HttpServletResponse.addHeader, so the value is emitted exactly as given.

Metadata update interval

The interval at which metadata objects that have a configured URL are periodically reloaded. Set to zero or a negative number to disable this feature. If a metadata URL is accessed via TLS, the DirX Access Services container JRE keystore is used for certificate path validation of the metadata server's certificate.

Peer SAML metadata identifiers

The identifiers for the peer SAML metadata objects.

PEP identifier (required for SAML SSO use case)

The identifier of the Web PEP configuration object in use with the SAML FEP for SAML Web SSO use cases.

Key Encryption Algorithm

Defines the algorithm used to encrypt the symmetric content-encryption key. This only applies if encryption is enabled. The option is used when encrypting NameID elements (SP and IdP), assertions (IdP) or attribute statements (IdP).

  • RSA1_5 - Uses RSA with PKCS#1 v1.5 padding for key transport. Keep it only for interoperability with peers that support nothing else: PKCS#1 v1.5 key transport is exposed to padding-oracle (Bleichenbacher-style) attacks, and XML Encryption 1.1 advises against its use.

  • RSA_OAEP - Uses RSA with Optimal Asymmetric Encryption Padding (OAEP) as defined in XML Encryption 1.0, where the mask generation function is fixed to MGF1 with SHA-1.

  • RSA_OAEP_11 - Uses the XML Encryption 1.1 RSA-OAEP variant, which allows a stronger digest and mask generation function to be specified.

  • Allowed Values:

    • RSA1_5

    • RSA_OAEP

    • RSA_OAEP_11

Key Placement

Determines where the encrypted key is placed within the SAML response. This option only applies if encryption is enabled and is effective during encryption of NameID elements (SP and IdP), assertions (IdP) or attribute statements (IdP).

  • INLINE - The EncryptedKey element is embedded inside the KeyInfo of the EncryptedData element.

  • PEER - The EncryptedKey element is placed as a sibling of the EncryptedData element, outside it.

  • Allowed Values:

    • PEER

    • INLINE

Encryption Algorithm

Specifies the symmetric algorithm used to encrypt the content, if encryption is enabled. This option applies to encryption of NameID elements (SP and IdP), assertions (IdP) or attribute statements (IdP). The CBC modes carry no integrity protection and XML Encryption CBC ciphertexts are known targets of padding-oracle attacks; prefer a GCM mode and fall back to CBC only for peers that cannot handle GCM.

  • AES_128_CBC - Uses AES encryption with a 128-bit key in Cipher Block Chaining (CBC) mode.

  • AES_192_CBC - Uses AES encryption with a 192-bit key in CBC mode.

  • AES_256_CBC - Uses AES encryption with a 256-bit key in CBC mode.

  • AES_128_GCM - Uses AES encryption with a 128-bit key in Galois/Counter Mode (GCM), providing authenticated encryption with improved security over CBC.

  • AES_192_GCM - Uses AES encryption with a 192-bit key in GCM mode.

  • AES_256_GCM - Uses AES encryption with a 256-bit key in GCM mode.

  • Allowed Values:

    • AES_128_CBC

    • AES_192_CBC

    • AES_256_CBC

    • AES_128_GCM

    • AES_192_GCM

    • AES_256_GCM
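An added example, not DirX Access code, covering the three encryption settings above from the receiving side: it locates the EncryptedKey of an EncryptedAssertion under both key placements (INLINE inside the EncryptedData's KeyInfo, PEER as a sibling referenced through a RetrievalMethod) and checks the key-transport and content-encryption algorithm URIs the sender chose against a configured allowlist before any decryption would be attempted. The algorithm URIs are those of XML Encryption 1.0 and 1.1; the two sample documents are constructed here with placeholder cipher values, and the use of RetrievalMethod for the PEER case is an assumption about the sender rather than something the page states.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm URIs from XML Encryption 1.0 (xmlenc#) and 1.1 (xmlenc11#), keyed by the option names above.
KEY_ENCRYPTION_URIS = {
    "RSA1_5": "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "RSA_OAEP": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "RSA_OAEP_11": "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}
DATA_ENCRYPTION_URIS = {
    "AES_128_CBC": "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "AES_192_CBC": "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "AES_256_CBC": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "AES_128_GCM": "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "AES_192_GCM": "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "AES_256_GCM": "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}


def find_encrypted_key(encrypted_assertion: ET.Element) -> Tuple[ET.Element, str]:
    """Locates the EncryptedKey that wraps the content key of this EncryptedAssertion.
    INLINE: EncryptedData/ds:KeyInfo/xenc:EncryptedKey.
    PEER:   an xenc:EncryptedKey sibling of EncryptedData; if KeyInfo carries a
            ds:RetrievalMethod, its URI fragment must match the sibling's Id."""
    enc_data = encrypted_assertion.find("xenc:EncryptedData", NS)
    if enc_data is None:
        raise ValueError("EncryptedAssertion without EncryptedData")
    inline = enc_data.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    if inline is not None:
        return inline, "INLINE"
    peers = encrypted_assertion.findall("xenc:EncryptedKey", NS)
    retrieval = enc_data.find("ds:KeyInfo/ds:RetrievalMethod", NS)
    if retrieval is not None:
        ref = retrieval.get("URI", "").lstrip("#")
        peers = [p for p in peers if p.get("Id") == ref]
    if len(peers) != 1:
        raise ValueError("could not resolve exactly one peer EncryptedKey")
    return peers[0], "PEER"


def inspect(xml_text: str, allowed_key_algs: Set[str], allowed_data_algs: Set[str]) -> Dict[str, object]:
    """Reads the algorithm URIs the sender chose and compares them with the configured
    allowlist. Do this before touching the ciphertext: the sender controls these URIs,
    and a decryptor that accepts whatever the message says can be steered to RSA1_5
    or CBC even when the configuration prefers OAEP and GCM."""
    root = ET.fromstring(xml_text)
    enc_data = root.find("xenc:EncryptedData", NS)
    enc_key, placement = find_encrypted_key(root)
    data_alg = enc_data.find("xenc:EncryptionMethod", NS).get("Algorithm")
    key_alg = enc_key.find("xenc:EncryptionMethod", NS).get("Algorithm")
    accepted = (key_alg in {KEY_ENCRYPTION_URIS[n] for n in allowed_key_algs}
                and data_alg in {DATA_ENCRYPTION_URIS[n] for n in allowed_data_algs})
    return {"placement": placement, "key_algorithm": key_alg,
            "data_algorithm": data_alg, "accepted": accepted}


# Constructed samples; the CipherValue contents are placeholders, not real ciphertext.
_HEAD = ('<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">')

INLINE_SAMPLE = _HEAD + """
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>ZGF0YQ==</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""

PEER_SAMPLE = _HEAD + """
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo>
      <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_ek1"/>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>ZGF0YQ==</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey Id="_ek1">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedAssertion>"""

MODERN = ({"RSA_OAEP", "RSA_OAEP_11"}, {"AES_128_GCM", "AES_256_GCM"})

if __name__ == "__main__":
    print(inspect(INLINE_SAMPLE, *MODERN))
    print(inspect(PEER_SAMPLE, *MODERN))
```

With the OAEP/GCM allowlist the INLINE sample is accepted and the PEER sample, which announces RSA1_5 and AES-128-CBC, is rejected before its cipher values are ever handed to a decryptor; widening the allowlist to include the legacy names is what an operator does consciously for a specific peer, not something the message should be able to trigger.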

SP SSO descriptor services

The selection of services to be published in the metadata of this endpoint.

Session sync interval

The SSO session synchronization interval in seconds (ICTU-specific): the interval at which session sync messages are sent to the IdP.

NameID format

The SAML name identifier format imprinted with SAML authentication requests (required for the SAML 'assertionConsumerService').

Do allow create NameID

Whether or not the SAML authentication requests should allow the creation of a SAML name identifier (required for the SAML 'assertionConsumerService').

Requested authentication context

The requested authentication context imprinted with SAML authentication requests (required for the SAML 'assertionConsumerService').

Do force authentication

Whether or not the SAML authentication requests should imprint the force authentication flag (required for the SAML 'assertionConsumerService').

Do imprint is passive flag

Whether or not the SAML authentication requests should imprint the 'is passive' flag (required for the SAML 'assertionConsumerService').

Default resource URL

The URL of the default resource (required for the SAML 'assertionConsumerService').

Do send assertion consumer index

Whether or not the XML attribute 'AssertionConsumerServiceIndex' is sent with SAML AuthnRequest protocol elements.

Extensions to be sent with authentication requests

The SAML extension child elements to be used in SAML AuthnRequest protocol elements. The currently recognized values are None and AttrRequest (for an attribute request; note that this capability exceeds the SAML 2.0 specification; that is, normal SAML 2.0 IdPs cannot be assumed to honor this feature).

  • Allowed Values:

    • None

    • AttrRequest

Classification of attribute requests in authentication request extensions

The classification of attribute requests as a part of SAML extension child elements in SAML AuthnRequest protocol elements. The currently recognized values are None and SuisseID (for the SuisseID national SAML federation; see www.suisseid.ch).

  • Allowed Values:

    • None

    • SuisseID

Privacy notice URL

The URL of the privacy notice.

Default proxy count

The default limit of indirections between the AuthnRequest receiver and the entity that authenticates the subject in SAML Proxying federation scenarios. DirX Access SAML SP endpoints honor the ProxyCount that is set in an incoming AuthnRequest. Nonetheless, if there is no ProxyCount specified in an incoming AuthnRequest, then this default value is imprinted. Special values: -1 means no ProxyCount attribute, i.e., no restriction; -2 means omitting the Scoping element entirely.
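An added example, not DirX Access code, that shows how the AuthnRequest-related settings listed above (NameID format and AllowCreate, requested authentication context, ForceAuthn, IsPassive, AssertionConsumerServiceIndex, and the default proxy count with its special values -1 and -2) map onto the elements and attributes of a SAML 2.0 AuthnRequest. The SpConfig class and the function names are assumptions for this illustration; the proxy-count handling follows the SAML 2.0 Core proxying rules (a received ProxyCount is forwarded decremented by one and a value of zero forbids further proxying), which is how the page's statement that incoming ProxyCount values are honoured is interpreted here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


@dataclass
class SpConfig:
    """Hypothetical holder for the AuthnRequest-related settings described above."""
    entity_id: str
    nameid_format: str = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    allow_create: bool = True
    requested_authn_context: Optional[str] = None
    force_authn: bool = False
    is_passive: bool = False
    send_acs_index: bool = False
    acs_index: int = 0
    default_proxy_count: int = -1      # -1: no ProxyCount attribute; -2: no Scoping element at all


def scoping_element(proxy_count: int) -> Optional[ET.Element]:
    """Maps the proxy-count setting, including its special values, to a Scoping element."""
    if proxy_count == -2:
        return None                             # omit the Scoping element entirely
    scoping = ET.Element(f"{{{SAMLP}}}Scoping")
    if proxy_count != -1:                       # -1: Scoping present, ProxyCount absent
        scoping.set("ProxyCount", str(proxy_count))
    return scoping


def effective_proxy_count(cfg: SpConfig, incoming_proxy_count: Optional[int]) -> int:
    """Without an incoming ProxyCount the configured default is imprinted. When this SP
    forwards a request it received (proxying), SAML 2.0 Core requires one less than the
    incoming value and forbids proxying when the incoming value is zero."""
    if incoming_proxy_count is None:
        return cfg.default_proxy_count
    if incoming_proxy_count <= 0:
        raise ValueError("incoming ProxyCount forbids further proxying")
    return incoming_proxy_count - 1


def build_authn_request(cfg: SpConfig, request_id: str, issue_instant: str,
                        incoming_proxy_count: Optional[int] = None) -> ET.Element:
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                      {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    if cfg.force_authn:
        root.set("ForceAuthn", "true")           # IdP must re-authenticate even with a live session
    if cfg.is_passive:
        root.set("IsPassive", "true")            # IdP must not interact with the user
    if cfg.send_acs_index:
        root.set("AssertionConsumerServiceIndex", str(cfg.acs_index))
    # Child order follows the AuthnRequest schema: Issuer, NameIDPolicy, RequestedAuthnContext, Scoping.
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = cfg.entity_id
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": cfg.nameid_format, "AllowCreate": "true" if cfg.allow_create else "false"})
    if cfg.requested_authn_context:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = cfg.requested_authn_context
    scoping = scoping_element(effective_proxy_count(cfg, incoming_proxy_count))
    if scoping is not None:
        root.append(scoping)
    return root


def to_xml(element: ET.Element) -> str:
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    cfg = SpConfig(entity_id="https://sp.example.test/saml", force_authn=True,
                   requested_authn_context="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                   send_acs_index=True, acs_index=1, default_proxy_count=2)
    print(to_xml(build_authn_request(cfg, "_c0ffee01", "2024-05-01T12:00:00Z")))
```

The request ID passed in is what the SP later expects back in InResponseTo, so it should be unpredictable (a random value with a leading underscore or letter, since XML IDs may not start with a digit) and should be recorded together with its issue time so that the request timeout can be enforced.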

Authentication method identifier

The identifier of the employed authentication method (required for the SAML 'assertionConsumerService').