SamlAssertionInterpretationTemplate

The SAML assertion interpretation template configuration lets you create and edit interpretation templates for SAML assertion elements. A SAML assertion interpretation template provides instructions for handling SAML assertion objects received from identity providers (IdPs), for example:

  • Defining an acceptance interval to handle possible clock shifts between service providers (SPs) and IdPs.

  • Determining how an SP should correlate incoming SAML assertion objects against user accounts.

A SAML assertion interpretation template can also be used to enforce the presence of specific SAML assertion attributes. Compared to other authentication credentials such as X.509 certificates and Kerberos tickets, SAML assertions carry a large, flexible and complex set of information, so SAML-based authentication methods need instructions on how to interpret it. The SAML assertion interpretation templates provide the SAML authentication methods with these details on how to handle SAML assertion objects and are linked to the SAML authentication methods by reference.

Description

Description of the configuration object

Time tolerance

The tolerance (in seconds) regarding timing differences between SAML assertion producer and consumer.

Do check SAML assertion replay

Whether a SAML assertion replay check is performed while the DirX Access Services process incoming SAML assertion objects. We recommend enabling the replay check in production environments.

Do require SAML authentication statement

Whether SAML AuthnStatement child elements are required to be present in SAML assertion objects. Note that this is an after-the-fact check: it enforces the presence of SAML AuthnStatement child elements in presented SAML assertion objects but does not provide any means for requesting that the SAML IdP include such elements.

SAML assertion correlation field

The XPath expression that points to the identity data in the SAML assertion that should be used for correlating SAML assertion objects with user accounts. Note that enabling account correlation is subject to configuration settings in the authentication method.

User account correlation field

The name of the LDAP attribute that should be used for correlating SAML assertions with user accounts. Note that enabling account correlation is subject to configuration settings in the authentication method.

User authentication correlation field

If a SAML assertion is correlated with a user, this LDAP attribute is used as the authentication identifier of that user.
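The following is an added example, not DirX Access code, showing how the template fields above (time tolerance, replay check, required AuthnStatement, and the assertion, account and authentication correlation fields) translate into concrete checks on one SAML 2.0 assertion. The dataclass field names, the in-memory account directory standing in for LDAP, and the sample assertion are all assumptions constructed for this illustration; signature and issuer verification are assumed to have been completed before these checks and are out of scope here.

```python
# Added example: applies interpretation-template settings to one SAML 2.0 assertion.
# Not DirX Access code; field names, account data and the sample assertion are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


@dataclass
class InterpretationTemplate:
    # Each field mirrors one configuration field of the template (names assumed).
    time_tolerance_seconds: int = 120                  # Time tolerance
    check_replay: bool = True                          # Do check SAML assertion replay
    require_authn_statement: bool = True               # Do require SAML authentication statement
    assertion_correlation_xpath: str = "./saml:Subject/saml:NameID"  # SAML assertion correlation field
    account_correlation_attribute: str = "mail"        # User account correlation field
    authentication_correlation_attribute: str = "uid"  # User authentication correlation field


# Constructed stand-in for the LDAP user repository: LDAP attribute name -> value.
ACCOUNTS = [
    {"uid": "alice", "mail": "alice@example.com"},
    {"uid": "bob", "mail": "bob@example.com"},
]

# Replay cache of accepted assertion IDs. Entries only need to live until the
# assertion's NotOnOrAfter plus the tolerance; a real service bounds and shares it.
SEEN_ASSERTION_IDS: set = set()

# Constructed, unsigned sample assertion used by main() and the tests.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC xsd:dateTime form used in SAML, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def at(hour: int, minute: int, second: int = 0) -> datetime:
    """Helper for the sample day (2024-01-01 UTC) so callers can pick a 'now'."""
    return datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc)


def interpret_assertion(xml_text, tpl, now, seen=SEEN_ASSERTION_IDS):
    """Apply the template to one assertion.

    Returns (accepted, reason, authentication_identifier); the identifier is the
    value of the user's authentication correlation attribute, or None on rejection.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 Assertion", None

    # Time tolerance: widen the Conditions interval by the tolerance on both sides.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    tol = timedelta(seconds=tpl.time_tolerance_seconds)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - tol:
        return False, "assertion not yet valid", None
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + tol:
        return False, "assertion expired", None

    # Replay check: each assertion ID may be accepted once.
    if tpl.check_replay:
        assertion_id = root.get("ID")
        if not assertion_id:
            return False, "missing assertion ID", None
        if assertion_id in seen:
            return False, "replayed assertion", None
        seen.add(assertion_id)

    # After-the-fact presence check for AuthnStatement.
    if tpl.require_authn_statement and root.find("saml:AuthnStatement", NS) is None:
        return False, "missing AuthnStatement", None

    # Correlation: the value the XPath points at is matched against the configured
    # LDAP attribute; exactly one account must match.
    node = root.find(tpl.assertion_correlation_xpath, NS)
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        return False, "correlation value not found in assertion", None
    matches = [a for a in ACCOUNTS if a.get(tpl.account_correlation_attribute) == value]
    if len(matches) != 1:
        return False, f"{len(matches)} accounts match correlation value", None
    return True, "accepted", matches[0][tpl.authentication_correlation_attribute]


if __name__ == "__main__":
    now = at(12, 6, 30)  # 90 s past NotOnOrAfter, inside the 120 s tolerance
    print(interpret_assertion(SAMPLE_ASSERTION, InterpretationTemplate(), now))
    print(interpret_assertion(SAMPLE_ASSERTION, InterpretationTemplate(), now))  # second try is a replay
```

Two points worth noting in the design: the tolerance is applied symmetrically, so a clock that runs behind the IdP is handled the same way as one that runs ahead, and the replay cache records the ID only once the assertion has passed the time window, because an assertion outside the window cannot be replayed successfully anyway and the cache stays small.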

SSO SAML attribute template identifiers

The identifiers of the SAML attribute templates that describe the requirements on the SAML assertion.