|
|
|
Defines a linked list of WS-Federation Provider properties, that is, name/value pairs.
An Sm_PolicyApi_WSFEDProviderProp_t structure consists of a single name/value pair. You define a set of properties for a given WS-Federation object through a linked list of Sm_PolicyApi_WSFEDProviderProp_t structures.
Syntax
typedef struct Sm_PolicyApi_WSFEDProviderProp_s
{
int iStructId;
char pszName[BFSIZE];
char pszValue[BFSIZE];
Sm_PolicyApi_WSFEDProviderProp_t* next;
} Sm_PolicyApi_WSFEDProviderProp_t;
Parameters
ID of the structure in Sm_PolicyAp_Structs_t. Should be set to Sm_PolicyApi_WSFEDProviderProp_ID.
Name of the WS-Federation Provider property.
Value of the WS-Federation Provider property.
Pointer to the next WS-Federation Provider property data in the linked list.
Each Sm_PolicyApi_WSFEDProviderProp_t structure contains a WS-Federation metadata property defined as a name/value pair. A complete set of properties for a particular object is defined as a linked list of Sm_PolicyApi_WSFEDProviderProp_t structures.
The following metadata properties apply to WS-Federation objects types:
Optional properties are specified in square brackets.
For Boolean values, a value of 1 denotes true; any other value denotes false.
The Property Name column also includes the corresponidng C Policy Management API macro name.
Common Properties
The following table specifies the metadata properties that are common to defining a Resource Partner or an Account Partner:
|
Property Name |
Type |
Description |
|---|---|---|
|
General |
||
|
Name WSFED_NAME |
String |
Name of the provider. |
|
[Description] WSFED_DESCRIPTION |
String |
Brief description of the provider. |
|
[SkewTime] WSFED_SKEW_TIME |
String |
The skew time between consumer and producer sides in seconds. This value is used to calculate validity duration of assertions and of SLO requests. The default value is 30. |
|
Versioning |
||
|
[WSFEDMajorVersion] WSFED_MAJOR_VERSION |
Int |
Version of WSFED protocol supported by this provider. The value of this property has to be set to 1. |
|
[WSFEDMinorVersion] WSFED_MINOR_VERSION |
Int |
Version of WSFED protocol supported by this provider. The value of this property has to be set to 0. |
|
[WSFEDSAMLMajorVersion] WSFED_SAML_MAJOR_ VERSION |
Int |
Version of SAML protocol supported by this provider. The value of this property has to be set to 1. |
|
[WSFEDSAMLMinorVersion] WSFED_SAML_MINOR_ VERSION |
Int |
Version of WSFED protocol supported by this provider. The value of this property has to be set to 1. |
Resource Partner Properties
The following table lists the metadata properties used to define a Resource Partner:
|
Property Name |
Type |
Description |
|---|---|---|
|
Domain WSFED_RP_DOMAIN |
OID |
The Domain OID where this Resource Partner is defined |
|
[Enabled] WSFED_ENABLED |
Bool |
Boolean indicating if the provider is enabled. If not provided, defaults to true. This property does not get stored physically to the property collection but is used to enable underlying policy. |
|
NetegrityAffiliateMinderAuthURL WSFED_RP_AUTHENTICATION_URL |
String |
The protected URL used to authenticate Resource Partner users. |
|
NameID |
||
|
[NameIdFormat] WSFED_RP_NAMEID_FORMAT |
String |
The URI for a WSFED name identifier. |
|
[NameIdType] WSFED_RP_NAMEID_TYPE |
Int |
Represents the type of name identifier: 0 - Static Text 1 - User Attribute 2 - DN Attribute Defaults to 1 |
|
[NameIdStatic] WSFED_RP_NAMEID_STATIC |
String |
The static text to be used as the name identifier when the NameIdType == 0. The Policy Management API will return an error if no value is specified for this property and NameIdType==0. |
|
[NameIdAttrName] WSFED_RP_NAMEID_ATTR_NAME |
String |
The attribute name (user or DN) which holds the name identifier when NameIdType == 1 or NameIdType == 2. If "NameIdType" is set to "1" or "2", "NameIdAttrName" property should have a value, otherwise the Policy Management API will return an error. |
|
[NameIdDNSpec] WSFED_RP_NAMEID_DN_SPEC |
String |
The DN spec used when the NameIdType == 2. If "NameIdType" is set to "2", "NameIdDNSpec" property should have a value, otherwise the Policy Management API will return error. |
|
[NameIdAllowNested] WSFED_RP_NAMEID_ALLOWED_ NESTED |
Bool |
Flag indicating whether nested groups are allowed when selecting a DN attribute for the name identifier. Defaults to zero. |
|
General |
||
|
KEY_RPID WSFED_KEY_RPID |
String |
The Resource Partner ID for WSFED Assertion Consumer. Must be a URI less than 1024 characters in length. Also this is the key using which properties associated to a provider can be looked up. |
|
APID WSFED_APID |
String |
The Resource Partner ID of the WSFED Assertion Producer. |
|
SSO |
||
|
[AuthenticationMethod] WSFED_RP_AUTHENTICATION_METHOD |
String |
The authentication method to use in the assertion. |
|
[ValidityDuration] WSFED_RP_VALIDITY_DURATION |
Int |
An integer number of seconds for which a generated assertion is valid. If not provided during Resource Partner creation, the default is 60 seconds. |
|
AssertionConsumerDefaultURL WSFED_RP_ASSERTION_CONSUMER_ |
String |
The default WSFED Assertion Consumer to use. |
|
[AuthenticationLevel] WSFED_RP_AUTHENTICATION_LEVEL |
Int |
The principal must have authenticated in a realm by an authentication scheme of at least this level or greater. If not supplied during Resrource Partner creation, this will default to 5. |
|
Signout |
||
|
[SLOEnabled] WSFED_RP_SLO_ENABLED |
Bool |
Boolean indicating if Signout is enabled for the Resource Partner. |
|
[SignOutCleanupURL] WSFED_RP_SIGNOUT_CLEANUP_URL |
String |
Sign-out cleanup URL of the Resource Partner. This property is mandatory if SLOEnabled is true. |
|
[SignOutConfirmURL] WSFED_RP_SIGNOUT_CONFIRM_URL |
String |
URL where the user will be redirected once the Sign-out at Account Partner is complete. (If there are multiple Resource Partners available then Sign-out confirm URL of the last Resource Partner is applicable.) |
|
Advanced |
||
|
[AssertionPluginClass] WSFED_RP_ PLUGIN_CLASS |
String |
The fully qualified Java class name for the Assertion Generator Plugin class to be used. |
|
[AssertionPluginParameters] WSFED_RP_ PLUGIN_PARAMS |
String |
The string containing parameters to be passed to the Assertion Generator Plugin. |
Account Partner Properties
The following table lists the metadata properties used to define an Account Partner:
|
Property Name |
Type |
Description |
|---|---|---|
|
General |
||
|
KEY_APID WSFED_KEY_APID |
String |
Identifier for the account partner. Among other things this identifier is used to identify assertion issuer. Also this is the key using which properties associated to a Account Partner can be looked up. |
|
RPID WSFED_RPID |
String |
Identifier of the Resource Partner. |
|
Signing |
||
|
[DisableSignatureProcessing] WSFED_DISABLE_SIGNATURE_ PROCESSING |
Bool |
Specifies whether signature processing is disabled. This setting is useful during initial setup of a Account Partner. When a provider is up and running, this setting will need to be set to false, to avoid security implications. Default value is zero. |
|
[DsigVerInfoIssuerDN] WSFED _DSIG_VERINFO_ALIAS |
String |
Used to locate the certificate of the provider in the key store if it is not provided inline. |
|
Users |
||
|
[XPath] WSFED_AP_XPATH |
String |
XPath query for disambiguating the principal. |
|
[LDAPSearchSpec] WSFED_AP_LDAP_SEARCH_SPEC |
String |
Search specification for LDAP directory. |
|
[ODBCSearchSpec] WSFED_AP_ODBC_SEARCH_SPEC |
String |
Search specification for ODBC directory. |
|
[WinNTSearchSpec] WSFED_AP_WINNT_SEARCH_SPEC |
String |
Search specification for WinNT directory. |
|
[CustomSearchSpec] WSFED_AP_CUSTOM_SEARCH_SPEC |
String |
Search specification for a custom directory. |
|
[ADSearchSpec] WSFED_AP_AD_SEARCH_SPEC |
String |
Search specification for AD directory. |
|
SSO |
||
|
[RedirectMode] WSFED_AP_SSO_REDIRECT_MODE |
Int |
Redirect mode for assertion attributes. The following values are valid: |
|
[SSODefaultService] WSFED_AP_SSO_DEFAULT_SERVICE |
String |
The default location of the Single Sign-on service. |
|
[Target] WSFED_AP_SSO_TARGET |
String |
Target resource at the destination site. |
|
[EnforceSingleUsePolicy] ENFORCE_SINGLE_USE_POLICY |
Bool |
If 1, the single use policy for POST assertions will be enforced, if 0, single use policy for POST assertions will not be enforced. Default set to 1. |
|
Signout |
||
|
[SLOEnabled] WSFED_AP_SLO_ENABLED |
Bool |
Boolean indicating if Signout is enabled for the Account Partner. If not supplied during Account Partner creation, this will default to disabled. |
|
[SignOutURL] WSFED_AP_SIGNOUT_URL |
String |
Sign-out URL of the Account Partner. This property is mandatory if SLOEnabled is true. |
|
Message Consumer Plug-in |
||
|
[APPluginClass] WSFED_AP_ PLUGIN_CLASS |
String |
Name of a Java class that implements customization of assertion consumption. |
|
[APPluginParameters] WSFED_AP_ PLUGIN_PARAMS |
String |
Parameters of the Java class that implements customization of assertion consumption. All parameters are concatenated into one line. |
|
Post Processing URL Support |
||
|
[UserNotFoundRedirectURL] WSFED_AP_USER_NOT_FOUND_ REDIRECT_URL |
String |
Contains an optional redirect URL to be used when - Auth Scheme cannot obtain a LoginID from the federation Message, given the configured query string |
|
[UserNotFoundRedirectMode] WSFED_AP_USER_NOT_FOUND_ REDIRECT_MODE |
0/1 |
Default is 0. 0: Http 302 redirect without passing federation messages 1: Http Form Post Redirect |
|
[FailureRedirectURL] WSFED_AP_FAILURE_REDIRECT_URL |
String |
Contains an optional redirect URL to be used when assertion processsing has failed. |
|
[FailureRedirectMode] WSFED_AP_FAILURE_REDIRECT_MODE |
0/1 |
Default is 0. 0: Http 302 redirect without passing federation messages 1: Http Form Post Redirect |
|
[InvalidRedirectURL] WSFED_AP_INVALID_REDIRECT_URL |
String |
Contains an optional redirect URL to be used when the assertion is invalid. |
|
[InvalidRedirectMode] WSFED_AP_INVALID_REDIRECT_MODE |
0/1 |
Default is 0. 0: Http 302 redirect without passing federation messages 1: Http Form Post Redirect |
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |