WsFederationEndpoint

The WS-Federation endpoint configuration allows you to create and edit configuration settings for WS-Federation endpoints with Passive Requestor Profile capabilities for Web-based environments and for WS-Trust STS endpoints for Web services environments.

Description

Description of the configuration object

Context path

The context path of the web application. If not specified, the context path is set to the default 'unknown' value.

Do exclude from authorization

Whether or not the web application shall be excluded from the authorization process defined by the DirX Access PEP.

Port assignment identifiers

Identifiers of the port assignments for the web application. Port assignments specify the HTTP(S) ports on which the web application will listen.

Primary port assignment identifier

Identifier of the primary port assignment for the given web application. It can be used to calculate the FEP location if the location is not specified.

CORS parameters

Additional CORS parameters to those already generated from the existing endpoint configuration. CORS parameters are used to filter CORS requests.

Allowed origins

Origins allowed in the Origin header when filtering CORS requests. This parameter has to be combined with 'allowedMethods' and 'allowedHeaders'. According to the CORS specification, the Origin header can contain the string null. It is possible to include this string in this configuration property with the following meaning:

  • without null included - an Origin header of null leads to the response FORBIDDEN,

  • with null included - an Origin header of null leads to the request being further processed,

  • * also enables the null string.

Allowed methods

HTTP request methods which the CORS filter will accept. Set GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH to allow any HTTP request method.

Allowed headers

HTTP request headers which the CORS filter will accept. Set * to allow any HTTP request header.
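The following is an added example (not DirX Access code) that evaluates a CORS request against the three parameters above, including the null-origin rules: an Origin of null is FORBIDDEN unless null is listed explicitly or the origin list contains *. The pass-through of requests without an Origin header and the case-insensitive header comparison are assumptions of this example, not behaviour stated on this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsParameters:
    """Constructed model of the three CORS parameters described above."""
    allowed_origins: frozenset
    allowed_methods: frozenset
    allowed_headers: frozenset


def origin_allowed(params: CorsParameters, origin: Optional[str]) -> bool:
    # Assumption: a request without an Origin header is not a CORS request
    # and is passed through untouched by this filter.
    if origin is None:
        return True
    # "*" allows any origin and, per the page, also enables the literal "null".
    if "*" in params.allowed_origins:
        return True
    # "null" passes only when it is listed explicitly; otherwise FORBIDDEN.
    return origin in params.allowed_origins


def method_allowed(params: CorsParameters, method: str) -> bool:
    # No wildcard for methods: the page says to list all methods to allow any.
    return method.upper() in {m.upper() for m in params.allowed_methods}


def headers_allowed(params: CorsParameters, requested) -> bool:
    if "*" in params.allowed_headers:
        return True
    # Assumption: header names are compared case-insensitively (RFC 9110).
    allowed = {h.lower() for h in params.allowed_headers}
    return all(h.lower() in allowed for h in requested)


def filter_cors(params: CorsParameters, origin: Optional[str],
                method: str, requested_headers=()) -> str:
    """Return 'FORBIDDEN' or 'PROCESS' for one request's CORS attributes."""
    if not origin_allowed(params, origin):
        return "FORBIDDEN"
    if not method_allowed(params, method):
        return "FORBIDDEN"
    if not headers_allowed(params, requested_headers):
        return "FORBIDDEN"
    return "PROCESS"
```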

Signature validation

The signature validation policy. Currently recognized values are:

  • disabled - no validation is performed;

  • optional - if the signature is present, it is validated and it must pass the validation check;

  • required - the signature must be present and it must pass the validation check.

  • Allowed Values:

    • disabled

    • optional

    • required

Do perform certificate path validation

Whether certificate path validation according to RFC 3280 and RFC 5280 is enabled or disabled. Even when this validation is disabled, the complete certificate path is still built up to the trust anchor certificate, and the certificate signatures are validated for all certificates in the path. As a result, a certificate that passes this check can be assumed to be trusted.

Do trim certificate paths

Whether or not trusted CA certificates are trimmed from the certificate chains of end-user and CA certificates before certificate validation.

Certificate revocation check

The certificate revocation check policy. Currently recognized values are none, CRL, OCSP and CRL with OCSP.

  • Allowed Values:

    • nocheck

    • crlcheck

    • ocspcheck

    • bothcheck

FEP keystore

The holder of the keystore configuration of the FEP.

Keystore identifier

The identifier of the keystore used for cryptography purposes. It can be selected from items already configured.

Keystore password

The password of the keystore object.

Signing key alias

The alias of the key entry contained in the keystore which will be used for signing purposes. The alias is selected from the keystore’s key entry aliases.

Signing key password

The signing key entry password.

Signature method

XML signature method. The method is used for SAML protocol messages, SAML assertions, and SAML metadata.

Decryption key alias

The alias of the key entry contained in the keystore which will be used for decrypting purposes. The alias is selected from the keystore’s key entry aliases.

Decryption key password

The decrypting key entry password.

Signature validation certificate aliases

The aliases of the certificates contained in the keystore which will be used for validating signatures of the peer side. The related certificates are published in the metadata of this FEP endpoint.

Entity identifier

The identifier for the Entity descriptor in Federation metadata. If no identifier is provided, the default value 'unknown' is used.

Issuer URI

The security token issuer URI. If no URI is provided, the default value 'unknown' is used.

Default lifetime

The default lifetime of the WS-Federation response (RSTR).

Token encryption required

Whether or not the security token is to be encrypted.

Proof key encryption required

Whether or not the proof key is to be encrypted.

Do include offered claims

Whether or not offered claims are always included in the RSTR message under the conditions defined in the 'RSTR Claim Types Resolution'.

Authentication method identifiers via SOAP Security headers

The identifiers of the supported authentication methods via SOAP Security headers (consuming initial authentication credentials).

Authentication method identifier via OnBehalfOf element

The identifier of the authentication method used to authenticate the subject in 'OnBehalfOf' section of RST.

SAML assertion construction template identifier

The identifier of the SAML assertion construction template. The template is used to build a SAML assertion that is placed into a RequestSecurityTokenResponse (RSTR) message as a RequestedSecurityToken attribute.

Peer metadata identifiers

The identifiers of peer metadata configurations.

PEP identifier

The identifier of the Web PEP to be used for the endpoint.

Logical service offered names

The names of the logical services offered.

Do allow RST renewing

Whether or not the STS issues renewable tokens.

Do RST renewing OK

Whether or not the STS should accept renewable tokens for renewal.

RST token type

The RST token type defined by its URN.

  • Allowed Values:

    • urn:oasis:names:tc:SAML:1.0:assertion

    • urn:oasis:names:tc:SAML:2.0:assertion

Default sign-out wtrealm

The wtrealm used by a successful sign-out, assuming the original sign-out request contains neither a wreply nor a wtrealm parameter. If this wtrealm is a URL, then after the sign-out the response contains a redirection to the given URL. Otherwise, the endpoint tries to find metadata with a corresponding peer address and uses its PassiveRequestorEndpoint as the redirection target.