SAML Keywords
This section describes the custom SAML Keywords used in the DXA SAML implementation.
DXAPeerId
Applicable: IdP/SP
Name of an http:request parameter containing a peer configuration contract identifier (SAML metadata identifier).
Supported in non-WAYF initial binding requests sent to IdP/SP FEPs.
The DXAPeerId parameter supports the selection of a specific service binding within the SAML metadata via an index.
For legacy reasons, the indexes in
Example
The SAML IdP metadata with the "example" configuration identifier contains:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myservice/1.html" isDefault="true" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://myservice/2.html" index="1"/>
Request to select the AssertionConsumerService with the URL http://myservice/1.html:
{saml_idp_endpoint_url}/SingleSignOnService?DXAPeerId=example:1
Request to select the AssertionConsumerService with the URL http://myservice/2.html:
{saml_idp_endpoint_url}/SingleSignOnService?DXAPeerId=example:2
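The following is an added example, not DXA code, of how an IdP FEP can resolve a DXAPeerId value of the form "configuration-id:position" against registered peer metadata. The metadata document, the dictionary it lives in and the function names are constructed for the example; the mapping of position 1 to index="0" is inferred from the two requests shown above and is an assumption. The security point it demonstrates is that the response destination is only ever taken from registered metadata: the client supplies a position, never a URL.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: the two AssertionConsumerService entries from the page,
# registered under the peer configuration identifier "example".
PEER_METADATA = {
    "example": (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://myservice">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        ' Location="http://myservice/1.html" isDefault="true" index="0"/>'
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        ' Location="http://myservice/2.html" index="1"/>'
        '</md:SPSSODescriptor></md:EntityDescriptor>'
    )
}


def parse_peer_id(value):
    """Split a DXAPeerId value into (configuration id, 1-based position or None)."""
    config_id, sep, position = value.partition(":")
    if not config_id:
        raise ValueError("DXAPeerId: empty configuration identifier")
    if not sep:
        return config_id, None
    if not position.isdigit() or int(position) < 1:
        raise ValueError(f"DXAPeerId: position must be a positive integer, got {position!r}")
    return config_id, int(position)


def select_acs(peer_id_value):
    """Return the Location of the AssertionConsumerService selected by DXAPeerId.

    The URL comes from registered metadata only, so a client cannot steer the
    SAML response to an endpoint that is not part of the peer configuration.
    """
    config_id, position = parse_peer_id(peer_id_value)
    xml_text = PEER_METADATA.get(config_id)
    if xml_text is None:
        raise LookupError(f"no peer configuration registered as {config_id!r}")
    root = ET.fromstring(xml_text)
    services = root.findall(f".//{{{MD_NS}}}AssertionConsumerService")
    if not services:
        raise LookupError(f"{config_id!r} has no AssertionConsumerService")
    if position is None:
        # No position given: use the default binding, or the first one listed.
        for svc in services:
            if svc.get("isDefault", "false").lower() == "true":
                return svc.get("Location")
        return services[0].get("Location")
    # Assumption inferred from the page's example: position N selects index N-1.
    wanted = str(position - 1)
    for svc in services:
        if svc.get("index") == wanted:
            return svc.get("Location")
    raise LookupError(f"{config_id!r} has no service with index {wanted}")


if __name__ == "__main__":
    print(select_acs("example:1"))  # http://myservice/1.html
    print(select_acs("example:2"))  # http://myservice/2.html
```

A position that does not exist in the metadata, or an unknown configuration identifier, is rejected rather than silently falling back to some other endpoint, so a malformed or tampered request produces an error instead of a response delivered to an unintended service.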
DXAPeerEntityId
Applicable: IdP/SP
Name of an http:request parameter containing a peer entityID value (as defined in SAML metadata).
Supported in non-WAYF initial binding requests sent to IdP/SP FEPs.
The default service binding is selected within the SAML metadata.
TARGET
Applicable: IdP/SP
Name of an http:request parameter containing the actual target URL the user wants to access.
In accordance with the official TARGET parameter (as specified by the SAML v1.x specification), DXA also supports this parameter in the initial SSO/SLO request to the IdP (e.g., triggered by the SAML 1 WAYF page) or to the SP (e.g., triggered by the SAML 2 WAYF page) to provide the desired target resource.
If the resource is a POST resource, then it is necessary to specify an additional parameter holding the HTTP POST parameters:
DXANameIDFormat
Applicable: SP
Name of an http:request parameter containing the value to be set to the samlp:Format attribute in samlp:NameIDPolicy child elements of samlp:AuthnRequest elements.
This parameter may be set in initial SSO SP FEP requests.
DXANameIDAllowCreate
Applicable: SP
Name of an http:request parameter containing the value to be set to the samlp:AllowCreate attribute of samlp:NameIDPolicy child elements of samlp:AuthnRequest elements.
This parameter may be set in initial SP FEP requests.
DXASAMLProxying
Applicable: SP
Name of an http:request parameter containing the entityId value of an authn IdP to which SAML proxying is requested.
This parameter may be set in initial SSO SP FEP requests.
DXAProxyCount
Applicable: SP
Name of an http:request parameter containing the maximum number of proxying indirections.
This parameter may be set in initial SSO SP FEP requests.
DXAForceAuthn
Applicable: SP
Name of an http:request parameter containing the value to be set to the samlp:ForceAuthn attribute in samlp:AuthnRequest elements.
If samlp:ForceAuthn is set to true, previous authentications are ignored and a new authentication is required.
This parameter may be set in initial SSO SP FEP requests.
DXA-force-authn
Applicable: IdP
Holds the ForceAuthn flag in order to signal the authentication endpoint (usually the SAML IdP) to enforce a new authentication instead of reusing an already existing authenticated session. May be used as an HTTP servlet parameter as well as an HTTP servlet attribute keyword.
This parameter may be set in initial SSO IdP FEP requests.
DXAIsPassive
Applicable: SP
Name of an http:request parameter containing the value of the samlp:IsPassive attribute in samlp:AuthnRequest elements.
This parameter may be set in initial SSO SP FEP requests.
DXASendAssertionConsumerServiceIndex
Applicable: SP
Name of an http:request parameter containing the flag controlling whether to send the samlp:AssertionConsumerServiceIndex attribute in samlp:AuthnRequest elements.
This parameter may be set in initial SSO SP FEP requests.
DXAAuthnContextClassRef
Applicable: SP
Name of an http:request parameter containing the AuthnContextClassRef for constructing samlp:RequestedAuthnContext child elements of samlp:AuthnRequest elements.
This parameter may be set in initial SSO SP FEP requests.
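The following is an added example, not DXA code, showing how the SP-side SSO parameters described above (DXANameIDFormat, DXANameIDAllowCreate, DXASAMLProxying, DXAProxyCount, DXAForceAuthn, DXAIsPassive and DXAAuthnContextClassRef) can be mapped onto a samlp:AuthnRequest. Because these values arrive in the browser's request to the SP FEP, each one is checked against an allow-list before it is written into the XML; the allow-lists, the proxy IdP set, the proxy-count cap and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Allow-lists (constructed for this example): a browser-supplied value that is
# not listed is rejected instead of being copied into the AuthnRequest.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
AUTHN_CONTEXT_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos",
}
PROXY_IDPS = {"https://idp.example.org/saml"}  # IdPs proxying may be requested to
MAX_PROXY_COUNT = 3  # assumed upper bound for DXAProxyCount


def _single(params, name):
    """Return the parameter's value, or None if absent; refuse repeated values."""
    values = params.get(name)
    if not values:
        return None
    if len(values) > 1:
        raise ValueError(f"{name}: parameter given more than once")
    return values[0].strip()


def _flag(params, name):
    """Parse a boolean parameter into the literal 'true'/'false' SAML expects."""
    value = _single(params, name)
    if value is None:
        return None
    lowered = value.lower()
    if lowered in ("true", "1"):
        return "true"
    if lowered in ("false", "0"):
        return "false"
    raise ValueError(f"{name}: expected a boolean, got {value!r}")


def build_authn_request(query_string, request_id, issuer, issue_instant):
    """Map the DXA* SP FEP parameters in query_string onto a samlp:AuthnRequest."""
    params = parse_qs(query_string, keep_blank_values=True)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer

    # DXAForceAuthn / DXAIsPassive become attributes of the request itself.
    for param, attr in (("DXAForceAuthn", "ForceAuthn"), ("DXAIsPassive", "IsPassive")):
        flag = _flag(params, param)
        if flag is not None:
            req.set(attr, flag)

    # DXANameIDFormat / DXANameIDAllowCreate populate samlp:NameIDPolicy.
    fmt = _single(params, "DXANameIDFormat")
    allow_create = _flag(params, "DXANameIDAllowCreate")
    if fmt is not None or allow_create is not None:
        policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy")
        if fmt is not None:
            if fmt not in NAMEID_FORMATS:
                raise ValueError(f"DXANameIDFormat: unsupported format {fmt!r}")
            policy.set("Format", fmt)
        if allow_create is not None:
            policy.set("AllowCreate", allow_create)

    # DXAAuthnContextClassRef populates samlp:RequestedAuthnContext.
    class_ref = _single(params, "DXAAuthnContextClassRef")
    if class_ref is not None:
        if class_ref not in AUTHN_CONTEXT_CLASSES:
            raise ValueError(f"DXAAuthnContextClassRef: unsupported class {class_ref!r}")
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = class_ref

    # DXASAMLProxying / DXAProxyCount populate samlp:Scoping.
    proxy_idp = _single(params, "DXASAMLProxying")
    proxy_count = _single(params, "DXAProxyCount")
    if proxy_idp is not None or proxy_count is not None:
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
        if proxy_count is not None:
            if not proxy_count.isdigit() or int(proxy_count) > MAX_PROXY_COUNT:
                raise ValueError(f"DXAProxyCount: must be 0..{MAX_PROXY_COUNT}, got {proxy_count!r}")
            scoping.set("ProxyCount", str(int(proxy_count)))
        if proxy_idp is not None:
            if proxy_idp not in PROXY_IDPS:
                raise ValueError(f"DXASAMLProxying: unknown IdP {proxy_idp!r}")
            idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
            ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": proxy_idp})
    return ET.tostring(req, encoding="unicode")
```

Building the request through the XML API rather than by string concatenation means a parameter value can never break out of the attribute or element it is placed in, and the allow-lists ensure that only NameID formats, authentication contexts and proxy targets the deployment actually supports reach the IdP.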
DXASendExtensions
Applicable: SP
Name of an http:request parameter containing the flag controlling whether and which samlp:Extensions child elements are to be sent.
This parameter may be set in initial SSO SP FEP requests.
DXAAttributeRequestClassification
Applicable: SP
Name of an http:request parameter containing the value that determines whether and how to classify attribute requests.
This parameter may be set in initial SSO SP FEP requests.
DXAOwnId
Applicable: SP
Name of an http:request parameter containing an index for an own indexed SAML service.
This parameter may be set in initial SSO SP FEP requests.
DXABinding
Applicable: IdP/SP
Name of an http:Request parameter containing the name of the SAML binding to use.
Optional for initial SLO requests.
This parameter may be set in initial SLO SP/IdP FEP requests.
DXAIdPDiscoveryProfile
Applicable: IdP
Name of an http:Request parameter containing the flag that controls whether the common domain cookie is set.
This parameter may be set in initial SSO IdP FEP requests.
DXACommonDomainCookieWritingServiceUrl
Applicable: IdP
Name of an http:Request parameter containing the common domain cookie writing service URL used by the SAML IdP Discovery Profile.
This parameter may be set in initial SSO IdP FEP requests.
DXACommonDomainName
Applicable: IdP
Name of an http:Request parameter containing the common domain cookie writing service URL used by the SAML IdP Discovery Profile.
This parameter may be set in initial SSO IdP FEP requests.
DXACommonDomainServer
Applicable: SP
Name of an http:Request parameter containing the common domain servername used by the SAML IdP Discovery Profile.
This parameter may be set in initial SSO WAYF SP FEP requests.
DXAIdpId
Applicable: IdP
Name of an http:Request parameter containing the Identity Provider identifier set in the common domain cookie by the SAML IdP Discovery Profile.
This parameter may be set in initial SSO IdP FEP requests.
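The following is an added example, not DXA code, of the common domain cookie handling that DXAIdPDiscoveryProfile, DXACommonDomainCookieWritingServiceUrl, DXACommonDomainName and DXAIdpId refer to. It follows the SAML IdP Discovery Profile's cookie layout (cookie "_saml_idp", a space-separated list of base64-encoded IdP entityIDs with the most recently used last); the entry cap, the percent-encoding of the cookie value on the wire, the cookie attributes and the function names are assumptions made for this example.

```python
import base64
import binascii
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"
MAX_ENTRIES = 10  # assumed cap so the cookie cannot be grown without bound


def decode_cdc(cookie_value):
    """Decode the cookie into a list of entityIDs, most recently used last.

    Each entityID is base64-encoded and entries are separated by a space.
    Malformed entries are skipped rather than aborting IdP discovery.
    """
    entity_ids = []
    for token in unquote(cookie_value or "").split():
        try:
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return entity_ids


def encode_cdc(entity_ids):
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def update_cdc(cookie_value, idp_entity_id):
    """New cookie value after idp_entity_id authenticated the user: its entry
    is moved (or appended) to the end, and the oldest entries are dropped."""
    entity_ids = [e for e in decode_cdc(cookie_value) if e != idp_entity_id]
    entity_ids.append(idp_entity_id)
    return encode_cdc(entity_ids[-MAX_ENTRIES:])


def preferred_idp(cookie_value):
    """The IdP an SP should route to first: the last entry, if any."""
    entity_ids = decode_cdc(cookie_value)
    return entity_ids[-1] if entity_ids else None


def set_cookie_header(cookie_value, common_domain):
    """Set-Cookie header value for the writing service on the common domain.

    The value is percent-encoded so the separating spaces survive cookie
    parsing (an assumption about the transport form). Secure and SameSite=Lax
    fit the profile's redirect-based read and write flows, and HttpOnly keeps
    the value out of reach of scripts on the common domain.
    """
    return (f"{COOKIE_NAME}={quote(cookie_value, safe='')}; Domain={common_domain}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    value = update_cdc("", "https://idp.example.org/saml")
    print(set_cookie_header(value, "common.example.org"))
    print(preferred_idp(value))
```

An SP reading the cookie should treat the result as a hint only: the entityID still has to match an IdP in the SP's own metadata before any AuthnRequest is sent to it.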
DXAUserConsentDirective
Applicable: IdP
Name of an http:Request parameter containing the directive on user consent.
This parameter may be set in (initial) SSO IdP FEP requests.
DXASubsequentAuthentication
Applicable: IdP
Name of an http:Request parameter that indicates the second processing pass and whether the user was already authenticated when first reaching the FEP.
This parameter is set by the IdP FEP and is expected to be forwarded back to this component from the authn application.
DXAAuthnMethodMappingKey
Applicable: IdP
The name of the parameter that carries the authentication mapping keys that allow easier definition of fine-grained authentication policies.
This parameter is also set by the IdP FEP itself for the authentication application when an incoming samlp:AuthnRequest includes samlp:RequestedAuthnContext child elements.
DXAAudienceRestriction
Applicable: SP
The name of the parameter that carries entityId values of SPs to which the to-be-issued assertion shall be addressed. This will be imprinted into the Conditions element of an AuthnRequest.
DxaProxyRestrictionAudience
Applicable: SP
The name of the parameter that carries entityId values of SPs to which a proxied assertion can be addressed. This will be imprinted into the Conditions element of an AuthnRequest.
DXANotBeforeSecs
Applicable: SP
The name of the parameter that carries the desired assertion validity offset in seconds.
DXANotOnOrAfterSecs
Applicable: SP
The name of the parameter that carries the desired assertion validity offset in seconds.
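The following is an added example, not DXA code, of how DXAAudienceRestriction, DxaProxyRestrictionAudience, DXANotBeforeSecs and DXANotOnOrAfterSecs can be turned into a saml:Conditions element. The page does not say in which direction the offsets apply; this example assumes both are added to the issue instant (a negative DXANotBeforeSecs allowing for clock skew), and it imposes constructed limits so a requester cannot ask for an assertion that stays valid, and therefore replayable, for longer than the deployment intends. Function names and limits are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Assumed policy limits (not from the page): NotBefore may be shifted into the
# past by at most 5 minutes for clock skew, never into the future, and the
# assertion may not stay valid beyond 10 minutes after issue.
MAX_NOT_BEFORE_SKEW_SECS = 300
MAX_VALIDITY_SECS = 600
_OFFSET = re.compile(r"^-?\d+$")


def _offset(value, name, low, high):
    """Parse an integer number of seconds and enforce the allowed range."""
    if value is None:
        return None
    if not _OFFSET.match(value):
        raise ValueError(f"{name}: expected an integer number of seconds, got {value!r}")
    secs = int(value)
    if not low <= secs <= high:
        raise ValueError(f"{name}: {secs} outside the allowed range {low}..{high}")
    return secs


def _instant(epoch_secs):
    """Format a UNIX timestamp as the UTC xs:dateTime SAML uses."""
    return datetime.fromtimestamp(epoch_secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_conditions(now_epoch, not_before_secs=None, not_on_or_after_secs=None,
                     audiences=(), proxy_audiences=()):
    """Build saml:Conditions for an assertion issued at now_epoch (UNIX seconds).

    Assumption: NotBefore = now + DXANotBeforeSecs and
    NotOnOrAfter = now + DXANotOnOrAfterSecs, both given as strings as they
    arrive in the request.
    """
    nb = _offset(not_before_secs, "DXANotBeforeSecs", -MAX_NOT_BEFORE_SKEW_SECS, 0)
    noa = _offset(not_on_or_after_secs, "DXANotOnOrAfterSecs", 1, MAX_VALIDITY_SECS)
    cond = ET.Element(f"{{{SAML}}}Conditions")
    if nb is not None:
        cond.set("NotBefore", _instant(now_epoch + nb))
    if noa is not None:
        cond.set("NotOnOrAfter", _instant(now_epoch + noa))
    # DXAAudienceRestriction: one Audience per SP the assertion is addressed to.
    if audiences:
        ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
        for entity_id in audiences:
            ET.SubElement(ar, f"{{{SAML}}}Audience").text = entity_id
    # DxaProxyRestrictionAudience: SPs a proxied assertion may be addressed to.
    if proxy_audiences:
        pr = ET.SubElement(cond, f"{{{SAML}}}ProxyRestriction")
        for entity_id in proxy_audiences:
            ET.SubElement(pr, f"{{{SAML}}}Audience").text = entity_id
    return ET.tostring(cond, encoding="unicode")


if __name__ == "__main__":
    print(build_conditions(1704110400, "-30", "300",
                           audiences=["https://sp.example.com/saml"]))
```

Keeping the validity window short and bounded on the issuing side matters because a relying party that honours NotOnOrAfter will accept a captured assertion for the whole window; the audience restriction is what stops that assertion from being accepted by a different SP.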