This section provides the name, type, and description for each WS-Federation metadata property.
The following properties are used when defining a Resource Partner, an Account Partner, or both.
WSFED_AP_ADD_SEARCH_SPEC
Required: No
Type: String
Description: Search specification for an AD directory.

WSFED_AP_CUSTOM_SEARCH_SPEC
Required: No
Type: String
Description: Search specification for a custom directory.

WSFED_AP_FAILURE_REDIRECT_MODE
Required: No
Type: 0/1
Description:

WSFED_AP_FAILURE_REDIRECT_URL
Required: No
Type: String
Description: Contains an optional redirect URL to be used when assertion processing has failed.

WSFED_APID
Required: Yes
Type: String
Description: The ID of the Account Partner.

WSFED_AP_INVALID_REDIRECT_MODE
Required: No
Type: 0/1
Description:

WSFED_AP_INVALID_REDIRECT_URL
Required: No
Type: String
Description: Contains an optional redirect URL to be used when the assertion is invalid.

WSFED_AP_LDAP_SEARCH_SPEC
Required: No
Type: String
Description: Search specification for the LDAP directory.

WSFED_AP_ODBC_SEARCH_SPEC
Required: No
Type: String
Description: Search specification for an ODBC directory.

WSFED_AP_PLUGIN_CLASS
Required: No
Type: String
Description: Name of the Java class that implements customization of assertion consumption.

WSFED_AP_PLUGIN_PARAMS
Required: No
Type: String
Description: Parameters of the Java class that implements customization of assertion consumption. All parameters are concatenated into one line.

WSFED_AP_SIGNOUT_URL
Required: No
Type: String
Description: Signout URL of the Account Partner. This property is required if WSFED_AP_SLO_ENABLED is true.

WSFED_AP_SLO_ENABLED
Required: No
Type: Boolean
Description: Indicates whether Signout is enabled for the Account Partner. If not supplied during Account Partner creation, this defaults to not enabled.

WSFED_AP_SSO_DEFAULT_SERVICE
Required: No
Type: String
Description: The default location of the Single Sign-on service.

WSFED_AP_SSO_REDIRECT_MODE
Required: No
Type: Int
Description: Redirect mode for assertion attributes. Valid values:

WSFED_AP_SSO_TARGET
Required: No
Type: String
Description: Target resource at the destination site.

WSFED_AP_USER_NOT_FOUND_REDIRECT_MODE
Required: No
Type: 0/1
Description:

WSFED_AP_USER_NOT_FOUND_REDIRECT_URL
Required: No
Type: String
Description: Contains an optional redirect to be used in either of the following cases:

WSFED_AP_WINNT_SEARCH_SPEC
Required: No
Type: String
Description: Search specification for a WinNT directory.

WSFED_AP_XPATH
Required: No
Type: String
Description: XPath query for disambiguating the principal.

WSFED_DESCRIPTION
Required: No
Type: String
Description: A brief description of the provider.

WSFED_DISABLE_SIGNATURE_PROCESSING
Required: No
Type: Boolean
Description: Specifies whether signature processing is disabled. This setting is useful during the initial setup of an Account Partner. Once an Account Partner is up and running, this setting must be false; leaving it enabled has security implications. The default value is zero.

WSFED_DSIG_VERINFO_ALIAS
Required: No
Type: String
Description: Locates the certificate of the provider in the key store if it is not provided in-line.

WSFED_ENABLED
Required: No
Type: Boolean
Description: Indicates whether the Resource Partner is enabled. If not provided, defaults to true. This property is not stored physically in the property collections; it is used to enable the underlying policy.

WSFED_ENFORCE_SINGLE_USE_POLICY
Required: No
Type: Boolean
Description: If set to 1, the single-use policy for WS-Federation assertions is enforced; if set to 0, it is not. The default is 1.

WSFED_KEY_APID
Required: Yes
Type: String
Description: Identifier for the Account Partner. This must be a URI less than 1024 characters long. It is also the key with which the properties associated with an Account Partner can be looked up.

WSFED_KEY_RPID
Required: Yes
Type: String
Description: The ID for the Resource Partner. This must be a URI less than 1024 characters long. It is also the key with which the properties associated with a Resource Partner can be looked up.

WSFED_MAJOR_VERSION
Required: No
Type: Int
Description: Major version of the WS-Federation protocol supported by this provider. The value of this property must be 1.

WSFED_MINOR_VERSION
Required: No
Type: Int
Description: Minor version of the WS-Federation protocol supported by this provider. The value of this property must be 0.

WSFED_NAME
Required: Yes
Type: String
Description: The name of the provider.

WSFED_RPID
Required: Yes
Type: String
Description: Identifier of the Resource Partner.

WSFED_RP_ASSERTION_CONSUMER_DEFAULT_URL
Required: Yes
Type: String
Description: The URL of the default Assertion Consumer.

WSFED_RP_AUTHENTICATION_LEVEL
Required: No
Type: Int
Description: The principal must have authenticated in a realm by an authentication scheme of at least this level. If not provided when the Resource Partner is created, the default is 5.

WSFED_RP_AUTHENTICATION_METHOD
Required: No
Type: String
Description: The authentication method to use in the assertion. This is typically one of the authentication method values from the WS-Federation specification.

WSFED_RP_AUTHENTICATION_URL
Required: Yes
Type: String
Description: The protected URL used to authenticate Resource Partner users.

WSFED_RP_DOMAIN
Required: Yes
Type: OID
Description: The Resource Partner domain where this provider is defined.

WSFED_RP_ENDTIME
Required: No
Default: None
Description: The time by which an assertion must be generated.
Use the Perl time() function to help assign a time to this property. The time value is stored as a string. For example (the property name is quoted so the snippet also runs under "use strict"):
    $WSFED_RP_ENDTIME = "WSFED_RP_ENDTIME"; $time = time() + 20;    # epoch seconds, 20 s from now
    $ResourcePartner->Property($WSFED_RP_ENDTIME, "$time");         # stored as a string
This property is used with WSFED_RP_STARTTIME to define a time restriction for the generation of assertions.
Set WSFED_RP_ENDTIME to 0 to end the time restriction immediately.

WSFED_RP_NAMEID_ALLOWED_NESTED
Required: No
Type: Boolean
Description: Indicates whether nested groups are allowed when selecting a DN attribute for the name identifier. The default is zero.

WSFED_RP_NAMEID_ATTR_NAME
Required: No
Type: String
Description: The attribute name (user or DN) that holds the name identifier when NameIdType is assigned to 1 or to 2. If NameIdType is set to 1 or 2, this property must have a value.

WSFED_RP_NAMEID_DN_SPEC
Required: No
Type: String
Description: The DN specification used when NameIdType is assigned to 2. If NameIdType is assigned to 2, this property must have a value.

WSFED_RP_NAMEID_FORMAT
Required: No
Type: String
Description: The URI for a WS-Federation name identifier.

WSFED_RP_NAMEID_TYPE
Required: No
Type: Int
Description: One of the following types of name identifier: 0 (static text, taken from WSFED_RP_NAMEID_STATIC), 1 (user attribute, named by WSFED_RP_NAMEID_ATTR_NAME), or 2 (DN attribute, named by WSFED_RP_NAMEID_ATTR_NAME and located with WSFED_RP_NAMEID_DN_SPEC).

WSFED_RP_NAMEID_STATIC
Required: No
Type: String
Description: The static text to be used as the name identifier when NameIdType is assigned to 0. An error is returned if this property has no value and NameIdType is assigned to 0.

WSFED_RP_PLUGIN_CLASS
Required: No
Type: String
Description: The fully-qualified Java class name for the Assertion Generator plug-in.

WSFED_RP_PLUGIN_PARAMS
Required: No
Type: String
Description: The parameters passed to the Assertion Generator plug-in.

WSFED_RP_SIGNOUT_CLEANUP_URL
Required: No
Type: String
Description: Signout cleanup URL of the Resource Partner. This property is required if Signout is enabled.

WSFED_RP_SIGNOUT_CONFIRM_URL
Required: No
Type: String
Description: The URL to which the user is redirected when Signout is complete and the request does not carry a reply query parameter. Although this property belongs to the Resource Partner object, it is the URL the user is redirected to when Signout at the Account Partner is complete. If multiple Resource Partners are available, the Signout Confirm URL of the last Resource Partner is used. The default is disabled.

WSFED_RP_SLO_ENABLED
Required: No
Type: Boolean
Description: Indicates whether Signout is enabled for the Resource Partner.

WSFED_RP_STARTTIME
Required: No
Default: None
Description: The time when a time restriction for generating an assertion becomes effective.
Use the Perl time() function to help assign a time to this property. The time value is stored as a string. For example (the property name is quoted so the snippet also runs under "use strict"):
    $WSFED_RP_STARTTIME = "WSFED_RP_STARTTIME"; $time = time() + 10;    # epoch seconds, 10 s from now
    $ResourcePartner->Property($WSFED_RP_STARTTIME, "$time");           # stored as a string
This property is used with WSFED_RP_ENDTIME to define a time restriction for the generation of assertions.
Set WSFED_RP_STARTTIME to 0 to start the time restriction immediately.

WSFED_RP_VALIDITY_DURATION
Required: No
Type: Integer
Description: The number of seconds for which a generated assertion is valid. If not provided when the Resource Partner is created, the default is 60 seconds.

WSFED_SAML_MAJOR_VERSION
Required: No
Type: Integer
Description: The major version of the SAML protocol supported by this provider. The value is 1.

WSFED_SAML_MINOR_VERSION
Required: No
Type: Integer
Description: The minor version of the SAML protocol supported by this provider. The value is 1.

WSFED_SKEW_TIME
Required: No
Type: String
Description: The skew time, in seconds, between the consumer and the producer side. This value is used when calculating the validity duration of assertions and of Signout requests. The default value is 30.
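
The dependencies between these properties (signout URL required once Signout is enabled, the companion property each NameIdType needs, signature processing and single-use policy left in their setup state, the STARTTIME/ENDTIME window) are easy to get wrong when a partner is created from a script. The stand-alone checker below is an added example, not CA's code or API; the property names are the ones documented above, while the checker itself, the constructed sample property sets and the reading of 0 as "no bound" on the generation window are assumptions.

```python
import time
from urllib.parse import urlparse

def lint_wsfed_properties(props, now=None):
    """Return findings for one partner's WSFED_* property set (hypothetical checker)."""
    now = time.time() if now is None else now
    findings = []

    def is_on(name, default):
        return str(props.get(name, default)).lower() in ("1", "true", "yes")
    # Partner keys must be URIs less than 1024 characters long.
    for key in ("WSFED_KEY_APID", "WSFED_KEY_RPID"):
        val = str(props.get(key, ""))
        if key in props and (len(val) >= 1024 or not urlparse(val).scheme):
            findings.append(f"{key}: must be a URI less than 1024 characters long")
    # Signature processing may be off only during initial setup (default 0 = enabled).
    if is_on("WSFED_DISABLE_SIGNATURE_PROCESSING", "0"):
        findings.append("WSFED_DISABLE_SIGNATURE_PROCESSING: set to 0 once the partner is live")
    # Single-use policy (default 1) stops a captured assertion being presented twice.
    if not is_on("WSFED_ENFORCE_SINGLE_USE_POLICY", "1"):
        findings.append("WSFED_ENFORCE_SINGLE_USE_POLICY: set to 1")
    # Signout needs the Account Partner's signout URL once enabled (default: not enabled).
    if is_on("WSFED_AP_SLO_ENABLED", "0") and not props.get("WSFED_AP_SIGNOUT_URL"):
        findings.append("WSFED_AP_SIGNOUT_URL: required when WSFED_AP_SLO_ENABLED is true")
    # The NameIdType decides which companion property must carry a value.
    nid = str(props.get("WSFED_RP_NAMEID_TYPE", ""))
    if nid == "0" and not props.get("WSFED_RP_NAMEID_STATIC"):
        findings.append("WSFED_RP_NAMEID_STATIC: required when NameIdType is 0")
    if nid in ("1", "2") and not props.get("WSFED_RP_NAMEID_ATTR_NAME"):
        findings.append("WSFED_RP_NAMEID_ATTR_NAME: required when NameIdType is 1 or 2")
    if nid == "2" and not props.get("WSFED_RP_NAMEID_DN_SPEC"):
        findings.append("WSFED_RP_NAMEID_DN_SPEC: required when NameIdType is 2")
    # Generation window: epoch seconds stored as strings; 0 on either side is assumed to mean no bound.
    start, end = int(props.get("WSFED_RP_STARTTIME") or 0), int(props.get("WSFED_RP_ENDTIME") or 0)
    if (start and now < start) or (end and now > end):
        findings.append("WSFED_RP_STARTTIME/WSFED_RP_ENDTIME: outside the assertion generation window")
    return findings

# Constructed sample: a partner left in its initial-setup state.
SETUP_PARTNER = {
    "WSFED_KEY_APID": "https://ap.example.test/wsfed", "WSFED_RP_ENDTIME": "1000",
    "WSFED_DISABLE_SIGNATURE_PROCESSING": "1", "WSFED_ENFORCE_SINGLE_USE_POLICY": "0",
    "WSFED_AP_SLO_ENABLED": "true", "WSFED_RP_NAMEID_TYPE": "2", "WSFED_RP_NAMEID_ATTR_NAME": "mail",
}
# The same properties corrected for production use (constructed values).
LIVE_PARTNER = {**SETUP_PARTNER, "WSFED_DISABLE_SIGNATURE_PROCESSING": "0",
                "WSFED_ENFORCE_SINGLE_USE_POLICY": "1", "WSFED_RP_ENDTIME": "0",
                "WSFED_AP_SIGNOUT_URL": "https://ap.example.test/signout",
                "WSFED_RP_NAMEID_DN_SPEC": "ou=people,o=example"}
```

Calling lint_wsfed_properties(SETUP_PARTNER, now=2000) reports five findings, while LIVE_PARTNER comes back clean.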
Copyright © 2014 CA.
All rights reserved.