To manually configure the SAML properties, perform the following steps:
AFM_HOME\conf\afm\
| Parameter | Required/Optional | Description |
|---|---|---|
| SamlIssuer | Required | Specify an identifier for the Issuer of the SAML response that is making the claim(s) in the assertion. This property sets the SAML `<ISSUER>` tag. For example, ArcotCSSO. |
| SamlStartLag | Optional | Specify the time (in milliseconds) used to calculate the NotBefore time of an assertion. This is used when a valid assertion gets rejected because of clock skew between the IdP and the SP. Default value: 0 |
| SamlResponseValidity | Optional | Specify the time (in milliseconds) for which the SAML response issued by AFM is valid. Default value: 300000 (5 minutes) |
| SignSamlAssertionOnly | Optional | Specify whether the complete SAML response or only the assertion part of the response needs to be signed. If the complete response needs to be signed, set this property to false. Default value: true (only the SAML assertion is signed) |
| CanonicalizationMethod | Optional | Specify the canonicalization method that is applied to the SAML response before signing it. Default value: ALGO_ID_C14N_EXCL_WITH_COMMENTS |
| SignatureMethod | Optional | Specify the signing algorithm used to sign the SAML response. Default value: ALGO_ID_SIGNATURE_RSA_SHA1 |
| Audience | Optional | Specify the comma-separated (,) list of identifiers that can use the SAML response for taking access decisions. If not specified, only the issuer is added to the audience in the SAML response. |
| AssertionConsumerServiceURL | Optional | Specify the URL to which the SAML response (generated after authentication) is redirected. If the Service Provider does not send this in the SAML request, this property has to be configured. If the incoming SAML request carries a value for AssertionConsumerServiceURL, that value takes precedence over the configured one. |
| LogoutResponseRedirectURL | Optional | Specify the URL to which the SAML logout response is sent after completing the logout procedure. This is not required if the logout request is processed through the Web service. |
| SamlIDPKeyStore | Required | Specify the absolute or relative path of the Identity Provider's key store file on the file system. This file holds both the private key and the certificate used to sign the SAML response. The syntax to specify the relative path is: /samlcerts/IDP.keystore |
| SamlIDPKeyStoreAlias | Required | Specify the alias of the private key and certificate stored in the Identity Provider's keystore. Default value: arcotadapter |
| SamlIDPKeyStorePassword | Required | Specify the password for the keystore of the Identity Provider. Default value: 123456 |
| SamlSPTrustStore | Optional, if SamlSPSignVerifyCert is configured | Specify the absolute or relative path of the trust store file of the Service Provider. This file holds the certificate used to verify signed SAML requests from the Service Provider. The syntax to specify the relative path is: /samlcerts/SP.truststore |
| SamlSPTrustStoreAlias | Optional; required only if SamlSPTrustStore is configured | Specify the alias under which the certificate is stored in the truststore of the Service Provider. Default value: arcotadapter |
| SamlSPTrustStorePassword | Optional; required only if SamlSPTrustStore is configured | Specify the password for the truststore of the Service Provider. Default value: 123456 |
| SamlSPSignVerifyCert | Optional, if SamlSPTrustStore is configured | Specify the absolute or relative path of the X.509 certificate of the Service Provider. This is used to verify signed SAML requests from the Service Provider. The syntax to specify the relative path is: /samlcerts/spcert.cer |
Copyright © 2013 CA.
All rights reserved.