This section contains the following topics:
This section contains an alphabetized reference of the SAML 2.0 metadata properties supported in the Perl Policy Management API.
The properties apply to one or more of the following SAML 2.0 objects:
A SAML 2.0 affiliation is a set of entities that share a single federated namespace of unique Name IDs for principals.
The Identity Provider creates SAML assertions for the Service Provider that configured the Identity Provider and its associated SAML 2.0 authentication scheme.
A Service Provider provides services (such as access to applications and other resources) to principals within a federation.
A Service Provider uses a SAML 2. 0 authentication scheme to transparently validate a principal based on the information in a SAML assertion. The assertion is supplied by the Identity Provider associated with the authentication scheme.
Reference Notes
SAML_AFFILIATION
No
None
The SAML 2.0 affiliation to associate with this object.
Service Providers share the Name ID properties across the affiliation. IdentityProviders share the user disambiguation properties across the affiliation.
A Service Provider or Identity Provider can belong to only one SAML 2.0 affiliation.
If a SAML affiliation is specified, the NAMEID properties (for example, SAML_SP_NAMEID_FORMAT) are not used. SiteMinder uses the NAMEID information in the specified affiliation.
An Identity Provider is assigned to an affiliation through its associated SAML 2.0 authentication scheme.
For more information about SAML 2.0 affiliations, see the description of the CreateSAMLAffiliation method.
SAML_AUDIENCE
Yes
None
The URI of the expected audience for a Service Provider. The audience expected by the Service Provider must match the audience specified in the assertion.
The audience might also be sent in an authentication request.
SAML_DESCRIPTION
No
None
A brief description of the affiliation, authentication scheme, or Service Provider object.
SAML_DISABLE_SIGNATURE_PROCESSING
No
0
Specifies whether to disable all signature validation, including signing.
It may be useful to disable signature validation during the initial setup of a provider and during debugging. During normal runtime, this property should be set to 0 (signature processing enabled).
Valid values: 0 (false) and 1 (true).
SAML_DSIG_ALGO
No
1
Specifies the XML Federation Signature algorithm with one of the following values:
1 = RSAwithSHA1
2 = RSAwithSHA256
SAML_DSIG_VERINFO_ISSUER_DN
With SAML 2.0 Authentication Schemes:
Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
With Service Providers:
Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
None
If the certificate of the Service Provider is not provided inline, this value is used along with SAML_DSIG_VERINFO_SERIAL_NUMBER to locate the certificate in the key store.
SAML_DSIG_VERINFO_SERIAL_NUMBER
With SAML 2.0 Authentication Schemes:
Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
With Service Providers:
Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
None
If the certificate of the Service Provider is not provided inline, this value is used along with SAML_DSIG_VERINFO_ISSUER_DN to locate the certificate in the key store.
SAML_ENABLE_SSO_ARTIFACT_BINDING
No
0
Specifies whether artifact binding is supported by the Service Provider and enabled by the Identity Provider.
Valid values: 0 (false) and 1 (true).
SAML_ENABLE_SSO_POST_BINDING
No
0
Specifies whether HTTP POST binding is supported by the Service Provider and enabled by the Identity Provider.
Valid values: 0 (false) and 1 (true).
See also SAML_DSIG_VERINFO_ISSUER_DN and SAML_DSIG_VERINFO_SERIAL_NUMBER.
SAML_ENABLED
No
1
Specifies whether the Service Provider is activated.
Valid values: 0 (false) and 1 (true).
SAML_IDP_AD_SEARCH_SPEC
No
None
Search specification for AD directories.
If user disambiguation is being performed on a user in an AD directory, but no AD search specification has been provided for this property, the default search specification defined on the SiteMinder User Directory Properties dialog is used.
Assigning a search specification to this property is recommended for the following reasons:
When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
SAML_IDP_ARTIFACT_RESOLUTION_DEFAULT_SERVICE
Yes, if SAML_ENABLE_SSO_ARTIFACT_BINDING is 1
None
A URL specifying the default artifact resolution service for the Identity Provider.
SAML_IDP_BACKCHANNEL_AUTH_TYPE
No
0
Specifies the type of authentication to use on the back channel. Valid values:
SAML_IDP_CUSTOM_SEARCH_SPEC
No
None
Search specification for custom user directories. If user disambiguation is being performed on a user in a custom directory, but no search specification is provided, the default search specification defined on the SiteMinder User Directory Properties dialog is used.
When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the SiteMinder User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
SAML_IDP_LDAP_SEARCH_SPEC
No
None
Search specification for LDAP directories.
If user disambiguation is being performed on a user in an LDAP directory, but no search specification has been provided for this property, the default search specification defined on the SiteMinder User Directory Properties dialog is used.
Assigning a search specification to this property is recommended for the following reasons:
When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
SAML_IDP_ODBC_SEARCH_SPEC
No
None
Search specification for ODBC directories.
If user disambiguation is being performed on a user in an ODBC directory, but no ODBC search specification has been provided for this property, the default search specification defined on the SiteMinder User Directory Properties dialog is used.
Assigning a search specification to this property is recommended for the following reasons:
When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
SAML_IDP_PASSWORD
Yes, if SAML_IDP_BACKCHANNEL_AUTH_TYPE is set to 0 or 1
None
The password to use for the back-channel authentication. The password is only used with the back-channel authentication types Basic and Client Cert.
SAML_IDP_PLUGIN_CLASS
No
None
The fully qualified name of a Java class that extends the functionality of this SAML 2.0 authentication scheme. The custom functionality is provided by an implementation of the interface MessageConsumerPlugin.java.
Authentication has two phases-user disambiguation and user authentication (validation of the disambiguated user's credentials).
If a plugin is configured for the authentication scheme, it is called as follows:
Note: The plugin is not called in this phase if a search specification is not provided for the user directory where disambiguation is to occur (for example, SAML_IDP_LDAP_SEARCH_SPEC for an LDAP directory). In this case, the Policy Server performs the disambiguation, not the authentication scheme.
A SAML 2.0 authentication scheme can be extended by only one message consumer plugin.
SAML_IDP_PLUGIN_PARAMS
No
None
Parameters to pass into the custom authentication scheme extension specified in SAML_IDP_PLUGIN_CLASS.
The syntax of the parameter string is determined by the custom object.
SAML_IDP_REDIRECT_MODE_FAILURE
No
0
The redirection mode for SAML_IDP_REDIRECT_URL_FAILURE. Valid values:
SAML_IDP_REDIRECT_MODE_INVALID
No
0
The redirection mode for SAML_IDP_REDIRECT_URL_INVALID. Valid values:
SAML_IDP_REDIRECT_MODE_USER_NOT_FOUND
No
0
The redirection mode for SAML_IDP_REDIRECT_URL_USER_NOT_FOUND. Valid values:
SAML_IDP_REDIRECT_URL_FAILURE
No
None
The redirection URL to use when the authentication information passed to the authentication scheme is not accepted to authenticate the user.
SAML_IDP_REDIRECT_URL_INVALID
No
None
The redirection URL to use when the authentication information passed to the authentication scheme is not formatted according to the SAML 2.0 standard.
SAML_IDP_REDIRECT_URL_USER_NOT_FOUND
No
None
The redirection URL to use in either of these circumstances:
If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the SiteMinder User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
SAML_IDP_REQUIRE_ENCRYPTED_ASSERTION
No
0
Specifies whether the assertion selected for authentication must be encrypted. If this property is 1 and the authentication scheme is passed an unencrypted assertion, the assertion cannot be authenticated.
Valid values: 0 (false) and 1 (true).
SAML_IDP_REQUIRE_ENCRYPTED_NAMEID
No
0
Specifies whether the Name ID of the principal contained in the assertion must be encrypted. If this property is 1 and the the Name ID is not encrypted, the assertion cannot be authenticated.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_ATTRIBUTE_SERVICE
No
None
The URL of the Attribute Service on the Attribute Authority.
SAML_IDP_SAMLREQ_ENABLE
Yes
0
Indicates whether the SAML Requester is enabled.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_GET_ALL_ATTRIBUTES
No
0
Indicates whether the query sent to the Attribute Authority should contain no attributes. This is a short-hand for the Attribute Authority to return all defined attributes.
SAML_IDP_SAMLREQ_NAMEID_ALLOW_NESTED
No
0
Indicates whether nested groups are allowed when selecting a DN attribute for the name identifier.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_NAMEID_ATTR_NAME
Yes when NameIdTYpe is set to 1 or 2.
None
The attribute name (user or DN) that holds the identifier name when NameIdType is set to 1 or 2.
SAML_IDP_SAMLREQ_NAMEID_DN_SPEC
Yes when NamedIdTYpe is set to 2.
None
The DN specification used when the NameIdType is set to 2.
SAML_IDP_SAMLREQ_NAMEID_FORMAT
No
None
The URI for a SAML 2.0 name identifier.
SAML_IDP_SAMLREQ_NAMEID_STATIC
Yes when NameIdType is set to 0.
None
The static text to be used when NameIdType is set to 0.
SAML_IDP_SAMLREQ_NAMEID_TYPE
No
1 (user attribute)
Represents the type of the name identifier.
Valid values: 0 (static text), 1 (user attribute), and 2 (DN attribute).
SAML_IDP_SAMLREQ_REQUIRE_SIGNED_ASSERTION
No
0
Indicates whether the assertion returned in response to an <AttributeQuery> must be signed.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_SIGN_ATTRIBUTE_QUERY
No
0
Indicates whether the attribute query must be signed.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SIGN_AUTHNREQUESTS
No
0
Specifies whether authentication requests will be signed.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SPID
Yes
None
The unique provider ID of the Service Provider being protected by this authentication scheme.
SAML_IDP_SPNAME
Yes, if SAML_IDP_BACKCHANNEL_AUTH_TYPE is set to 0 or 1
None
The name of the Service Provider involved in the back-channel authentication. The Service Provider name is used with the back-channel authentication types Basic and Client Cert.
SAML_IDP_SSO_DEFAULT_SERVICE
Yes
None
The URL of the Identity Provider's single sign-on service, for example:
http://mysite.netegrity.com/affwebservices/public/saml2sso
SAML_IDP_SSO_ENFORCE_SINGLE_USE_POLICY
No
1
Specifies whether to enforce a single-use policy for HTTP POST binding.
Setting this property to 1 (the default) ensures that an assertion cannot be ``replayed'' to a Service Provider site to establish a second session, in accordance with SAML POST-specific processing rules.
The single-use policy requirement is enforced even in a clustered Policy Server environment with load-balancing and failover enabled.
Valid values: 0 (false) and 1 (true).
SAML_IDP_SSO_REDIRECT_MODE
No
0
Specifies the method by which response attribute information is passed when the user is redirected to the target resource.
A response passes user attributes, DN attributes, static text, or customized active responses from the Policy Server to a SiteMinder Agent after the Agent isseus a login or authorization request. For more information about response attributes, see CreateAttribute().
Valid values:
Server-side redirects allow passing information to an application within the server application itself. Response attribute data is never sent to the user's browser. This redirection method is part of Java Servlet specification and is supported by all standards-compliant servlet containers.
SAML_IDP_SSO_TARGET
No
None
The URL of the target resource at the Service Provider site. For example, the target might be a web page or an application.
SAML_IDP_WINNT_SEARCH_SPEC
No
None
Search specification for WinNT directories. If user disambiguation is being performed on a user in a WinNT directory, but no search specification is provided, the default search specification defined on the SiteMinder User Directory Properties dialog is used.
When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the SiteMinder User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
SAML_IDP_XPATH
No
None
The XPath query that extracts the user's login ID from an assertion. The login ID is then used to disambiguate the user.
By default, if no XPath is provided, an attempt is made to extract the login ID from the Assertion/Subject/NameID element of the SAML 2.0 Response message.
Once successfully extracted, the login ID is inserted into the search string specified for the user directory, and the disambiguation phase begins.
When defined for an affiliation, the XPath is shared by all Identity Providers across the affiliation.
SAML_KEY_AFFILIATION_ID
Yes
None
The URI for the affiliation. The ID is used to verify that a Service Provider and Identity Provider are members of the same affiliation-for example:
The affiliation ID is specified in the SPNameQualifier attribute of the requests and assertions.
SAML_KEY_IDP_SOURCEID
No
A hex-encoded SHA-1 hash of the SAML_KEY_IDPID value
A hex-encoded 20-byte sequence identifier for the artifact issuer. This value uniquely identifies the artifact issuer in the assertion artifact.
The authentication scheme uses the source ID as a key to look up Identity Provider metadata.
The string length must be exactly 40 characters. Only a lower case hex string will be stored.
SAML_KEY_IDPID
Yes
None
The provider ID of the Identity Provider for this authentication scheme. This ID:
SAML_KEY_SPID
Yes
None
The unique provider ID of this Service Provider.
SAML_MAJOR_VERSION
No
2
The major version of the SAML protocol that is supported. If a value is supplied, it must be 2.
SAML_MINOR_VERSION
No
0
The minor version of the SAML protocol that is supported. If a value is supplied, it must be 0.
SAML_NAME
Yes
None
The name of the affiliation, authentication scheme, or Service Provider.
The name must be globally unique. With SAML 2.0 affiliations and Service Providers, the name must be lower case.
SAML_OID
No, when the affiliation object is being created (SiteMinder supplies the object identifier during object creation); it is required when custom code references an existing object
None
The unique object identifier for the affiliation object.
The SAML Affiliation Properties dialog box has no corresponding field for this property.
SAML_SKEWTIME
No
30
The difference, in seconds, between the system clock time of the Identity Provider and the system clock time of the Service Provider, as follows:
Skew time is used to calculate the validity duration of assertions and single logout requests. The value provided must be a String representing a positive integer.
SAML_SLO_REDIRECT_BINDING
No
0
Specifies whether HTTP redirect binding is supported for single logout.
Valid values: 0 (false) and 1 (true).
See also SAML_DSIG_VERINFO_ISSUER_DN and SAML_DSIG_VERINFO_SERIAL_NUMBER.
SAML_SLO_SERVICE_CONFIRM_URL
No
None
The URL where a user is redirected after single logout is completed.
SAML_SLO_SERVICE_RESPONSE_URL
No
None
The response location for the single logout service. This property allows SLO response messages to be sent to a different location from where request messages are sent.
SAML_SLO_SERVICE_URL
Yes, if SAML_SLO_REDIRECT_BINDING is 1
None
With HTTP-Redirect bindings, the Identity Provider URL where single logout requsts are sent.
SAML_SLO_SERVICE_VALIDITY_DURATION
No
60 (applies if a value is not provided and SAML_SLO_REDIRECT_BINDING is 1)
The number of seconds for which a single logout request is valid.
The value provided must be a String representing a positive integer.
See also SAML_SKEWTIME.
SAML_SP_ARTIFACT_ENCODING
No
FORM (applies if a value is not provided and SAML_ENABLE_SSO_ARTIFACT_BINDING is 1)
Specifies the encoding to use for the artifact binding. Valid values:
FORM and URL encoding is accomplished according to SAML 2.0 specifications.
SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL
Yes
None
The Service Provider URL where generated assertions are sent, for example:
http://mysite.netegrity.com/affwebservices/public/saml2assertionconsumer
SAML_SP_AUTHENTICATION_LEVEL
No
5
This property specifies the minimum protection level required for the authentication scheme that authenticates the principal associated with the current assertion.
SAML_SP_ATTRSVC_AD_SEARCH_SPEC
No
None
Search specification for an AD directory.
SAML_SP_ATTRSVC_CUSTOM_SEARCH_SPEC
No
None
Search specification for a custom directory.
SAML_SP_ATTRSVC_ENABLE
No
0
Indicates whether the Attribute Authority is enabled.
Valid values: 0 (false) and 1 (true).
SAML_SP_ATTRSVC_LDAP_SEARCH_SPEC
No
None
Search specification for an LDAP directory.
SAML_SP_ATTRSVC_ODBC_SEARCH_SPEC
No
None
Search specification for an ODBC directory.
SAML_SP_ATTRSVC_REQUIRE_SIGNED_QUERY
No
None
Specifies whether the attribute query must be signed.
SAML_SP_ATTRSVC_SIGN_ASSERTION
No
0
Indicates whether the SAML assertion should be signed.
Valid values: 0 (false) and 1 (true).
SAML_SP_ATTRSVC_SIGN_RESPONSE
No
0
Indicates whether the SAML response should be signed.
Valid values: 0 (false) and 1 (true).
SAML_SP_ATTRSVC_VALIDITY_DURATION
No
60
The number of seconds for which a generated assertion is valid.
SAML_SP_ATTRSVC_WINNT_SEARCH_SPEC
No
None
Search specification for a WinNT directory.
SAML_SP_AUTHENTICATION_URL
Yes
None
The protected URL for authenticating users of this Service Provider.
SAML_SP_AUTHN_CONTEXT_CLASS_REF
No
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
The class of information that a Service Provider may require to assess its confidence in an assertion. The class is specified in the assertion's AuthnContextClassRef element.
For example, the default authentication context class is Password. This class applies when a principal authenticates through the presentation of a password over an unprotected HTTP session.
Other examples of authentication context class include InternetProtocol (authentication through a provided IP address), X509 (authentication through an X.509 digital signature), and Telephony (authentication through the provision of a fixed-line telephone number transported via a telephony protocol).
The authentication context class is a URI with the following initial stem:
urn:oasis:names:tc:SAML:2.0:ac:classes:
The SAML 2.0 authentication context specification defines the URIs that can be provided as authentication context classes. The class must also be appropriate for the authentication level defined for the Service Provider.
SAML_SP_COMMON_DOMAIN
Yes, if SAML_SP_ENABLE_IPD is 1
None
The common cookie domain for the Identity Provider Discovery profile. The domain must be a subset of the host specified in SAML_SP_IPD_SERVICE_URL.
SAML_SP_CUSTOM_TIME_OUT
No
None
Specifies the value of the SessionNotOnOrAfter parameter set in the assertion. This property is only valid if SAML_SP_SESSION_NOTORAFTER_TYPE is set to Custom.
SAML_SP_DOMAIN
No
None
The unique ID of the affiliate domain where the Service Provider is defined.
The SAML Service Provider Properties dialog box has no corresponding field for this property.
SAML_SP_ENABLE_IPD
No
0
Specifies whether the Identity Provider Discovery profile is enabled.
Valid values: 0 (false) and 1 (true).
SAML_SP_ENCRYPT_ASSERTION
No
0
Specifies whether to encrypt the generated assertion at the Service Provider site. By default, the assertion is not encrypted.
Valid values: 0 (false) and 1 (true).
SAML_SP_ENCRYPT_BLOCK_ALGO
No
tripledes
The type of block encryption algorithm to use. Valid values:
SAML_SP_ENCRYPT_CERT_ISSUER_DN
Yes, in either of the following circumstances:
If either of the following is 1:
If any assertion attribute statements require encryption. These attributes are defined on the Attributes tab of the SAML Service Provider Properties dialog box.
None
The Issuer DN portion of a public key certificate to be used for encryption. This property is used with SAML_SP_ENCRYPT_CERT_SERIAL_NUMBER to locate the Service Provider's certificate in the keystore if it is not provided inline.
SAML_SP_ENCRYPT_CERT_SERIAL_NUMBER
Yes, in either of the following circumstances:
If either of the following is 1:
If any assertion attribute statements require encryption. These attributes are defined on the Attributes tab of the SAML Service Provider Properties dialog box.
None
The serial number portion of a public key certificate to be used for encryption. This property is used with SAML_SP_ENCRYPT_CERT_ISSUER_DN to locate the Service Provider's certificate in the keystore if it is not provided inline.
SAML_SP_ENCRYPT_ID
No
0
Specifies whether the Name ID in the generated assertion should be encrypted at the Service Provider site. By default, the Name ID is not encrypted.
Valid values: 0 (false) and 1 (true).
SAML_SP_ENCRYPT_KEY_ALGO
No
rsa-v15
The type of encryption key algorithm to use. Valid values:
SAML_SP_ENDTIME
No
None
The time by which an assertion must be generated.
Use the Perl time() method to help assign a time to this property. The time value is stored as a string. For example:
$SAML_SP_ENDTIME=SAML_SP_ENDTIME; $time=time() + 20; $serviceProvider->Property($SAML_SP_ENDTIME,"$time");
This property is used with SAML_SP_STARTTIME to define a time restriction for the generation of assertions.
Set SAML_SP_ENDTIME to 0 to end the time restriction immediately.
SAML_SP_IDP_SOURCEID
No
A hex-encoded SHA-1 hash of the SAML_SP_IDPID value
A hex-encoded 20-byte sequence identifier for the artifact issuer. This value uniquely identifies the artifact issuer in the assertion artifact.
The string length must be exactly 40 characters. Only a lower case hex string will be stored.
SAML_SP_IDPID
Yes
None
The provider ID of the Identity Provider that generates the assertions.
SAML_SP_IGNORE_REQ_AUTHNCONTEXT
No
0
Specifies that the Identity Provider ignore "RequestedAuthnContext" in an incoming AuthnRequest message (value of 1), or not (Value of 0).
SAML_SP_IPD_SERVICE_URL
Yes, if SAML_SP_ENABLE_IPD is 1
None
The host URL for the Identity Provider Discovery profile.
SAML_SP_NAMEID_ATTRNAME
Yes, if SAML_SP_NAMEID_TYPE is set to 1 (User Attribute) or 2 (DN Attribute)
None
One of the following values:
SAML_SP_NAMEID_DNSPEC
Yes, if SAML_SP_NAMEID_TYPE is set to 2 (DN Attribute)
None
A group or organizational unit DN used to obtain the associated Name ID attribute.
SAML_SP_NAMEID_FORMAT
No
Unspecified
The full URI for one of the following nameid-format values:
For example, the full URI for the default format Unspecified is:
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
For descriptions of these formats, see the following SAML 2.0 specification:
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
Note: If a SAML affiliation is specified in SAML_AFFILIATION, this and other SAML_SP_NAMEID... properties are not used. SiteMinder uses the NAMEID information in the specified affiliation.
SAML_SP_NAMEID_STATIC
Yes, if SAML_SP_NAMEID_TYPE is set to 0 (Static)
None
The static text to be used for all name identifiers.
SAML_SP_NAMEID_TYPE
No
1
The type of name identifier. Valid values:
SAML_SP_ONE_TIME_USE
No
False
Specifies whether the Assertion includes an element that indicates that the Assertion should be used only one time.
SAML_SP_PASSWORD
Yes, if SAML_ENABLE_SSO_ARTIFACT_BINDING is 1
None
The password to use for Service Provider access through the back channel.
SAML_SP_PERSISTENT_COOKIE
No
0
Specifies whether an Identity Provider Discovery profile cookie should be persistent.
Applies only if SAML_SP_ENABLE_IPD is 1.
Valid values: 0 (false) and 1 (true).
SAML_SP_PLUGIN_CLASS
No
None
The fully qualified Java class name of the assertion generator plug-in.
An assertion generator plugin allows the content of an assertion to be customized. For more information, see the SiteMinder Java API Documentation.
SAML_SP_PLUGIN_PARAMS
No
None
Any parameters to pass into the assertion generator plug-in specified in SAML_SP_PLUGIN_CLASS.
SAML_SP_REQUIRE_SIGNED_AUTHNREQUESTS
No
0
Specifies whether authentication requests must be signed.
Valid values: 0 (false) and 1 (true).
SAML_SP_REUSE_SESSION_INDEX
No
0
Description
Indicates whether SiteMinder sends the same session index in the assertion for the same partner in a single browser session. If a user federates multiple times with the same partner using the same browser window, setting this property tells the IdP to send the same session index in each assertion. The default value (0) for the property instructs SiteMinder to generate a new session index every time single sign-on occurs.
Valid values:
Do not reuse the same session index.
Reuse the same session index.
SAML_SP_SESSION_NOTORAFTER_TYPE
No
Use Assertion Validity
This property determines the value set for the SessionNotOnOrAfter parameter in the assertion. A third-party SP can use the value of the SessionNotOnOrAfter to set its own session timeout.
If SiteMinder is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a SiteMinder SP sets session timeouts based on the realm timeout that corresponds to the configured SAML authentication scheme that protects the target resource.
Calculates the SessionNotOnOrAfter value based on the assertion validity duration.
Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
Calculates the SessionNotOnOrAfter value based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
Lets you specify a custom value for the SessionNotOnOrAfter parameter. If you select this option, enter a time in the SAML_SP_CUSTOM_TIME_OUT property.
SAML_SP_STARTTIME
No
None
The time when a time restriction for generating an assertion becomes effective.
Use the Perl time() method to help assign a time to this property. The time value is stored as a string. For example:
$SAML_SP_STARTTIME=SAML_SP_STARTTIME; $time=time() + 10; $serviceProvider->Property($SAML_SP_STARTTIME,"$time");
This property is used with SAML_SP_ENDTIME to define a time restriction for the generation of assertions.
Set SAML_SP_STARTTIME to 0 to start the time restriction immediately.
SAML_SP_VALIDITY_DURATION
No
60
The number of seconds for which a generated assertion is valid.
The value provided must be a Strng representing a positive integer.
See also SAML_SKEWTIME.
SAML_SSOECPPROFILE
No
0
Specifies whether the Identity Provider or Service Provider supports SAML 2.0 Enhanced Client and Proxy profile requests.
Valid values: 0 (false) and 1 (true).
SAML2_CUSTOM_ENABLE_INVALID_REQUEST_URL
No
None
Specifies whether the custom error redirect process is enabled for an invalid request.
SAML2_CUSTOM_ENABLE_SERVER_ERROR_URL
No
None
Specifies whether the custom error redirect process is enabled for a server error.
SAML2_CUSTOM_ENABLE_INVALID_REQUEST_URL
No
None
Specifies whether the custom error redirect process is enabled for an invalid request.
SAML2_CUSTOM_INVALID_REQUEST_REDIRECT_MODE
No
None
Specifies the redirect mode for an invalid request. Valid values:
SAML2_CUSTOM_INVALID_REQUEST_REDIRECT_URL
No
None
Specifies the redirect URL for an invalid request.
SAML2_CUSTOM_SERVER_ERROR_REDIRECT_MODE
No
None
Specifies the redirect mode for an internal server error. Valid values:
SAML2_CUSTOM_SERVER_ERROR_REDIRECT_URL
No
None
Specifies the redirect URL for an internal server error .
SAML2_CUSTOM_UNAUTHORIZED_ACCESS_REDIRECT_MODE
No
None
Specifies the redirect mode for forbidden access. Valid values:
SAML2_CUSTOM_UNAUTHORIZED_ACCESS_REDIRECT_URL
No
None
Specifies the redirect URL for a forbidden access error.
This section provides the name, type, and description for each WS-Federation meatadata property.
The following properties are for defining a Resource Partner or for defining an Account Partner or for both.
WSFED_AP_ADD_SEARCH_SPEC
Required
No
Type
String
Description
Search specification for an AD directory.
WSFED_AP_CUSTOM_SEARCH_SPEC
Required
No
Type
String
Description
Search specification for a custom directory.
WSFED_AP_FAILURE_REDIRECT_MODE
Required
No
Type
0/1
Description
WSFED_AP_FAILURE_REDIRECT_URL
Required
No
Type
String
Description
Contains an optional redirect URL to be used when assertion processing has failed.
WSFED_APID
Required
Yes
Type
String
Description
The ID of the Account Partner.
WSFED_AP_INVALID_REDIRECT_MODE
Required
No
Type
0/1
Description
WSFED_AP_INVALID_REDIRECT_URL
Required
No
Type
String
Description
Contains an optional redirect URL to be used when the assertion is invalid.
WSFED_AP_LDAP_SEARCH_SPEC
Required
No
Type
String
Description
Search specification for the LDAP directory.
WSFED_AP_ODBC_SEARCH_SPEC
Required
No
Type
String
Description
Search specification for an ODBC directory.
WSFED_AP_PLUGIN_CLASS
Required
No
Type
String
Description
Name of the Java class that implements customization of assertion consumption.
WSFED_AP_PLUGIN_PARAMS
Required
No
Type
String
Description
Parameters of the Java class that implements customization of assertion consumption. All parameters are concatenated into one line.
WSFED_AP_SIGNOUT_URL
Required
No
Type
String
Description
Signout URL of the Account Partner. This property is required if WSFED_AP_SLO_ENABLED is true.
WSFED_AP_SLO_ENABLED
Required
No
Type
Boolean
Description
Indicates whether Signout is enabled for the Account Partner. If not supplied during Account Partner creation, this defaults to not enabled.
WSFED_AP_SSO_DEFAULT_SERVICE
Required
No
Type
String
Description
The default location of the Single Sign-on service.
WSFED_AP_SSO_REDIRECT_MODE
Required
No
Type
Int
Description
Redirect mode for assertion attributes. Valid values:
WSFED_AP_SSO_TARGET
Required
No
Type
String
Description
Target resource at the destination site.
WSFED_AP_USER_NOT_FOUND_REDIRECT_MODE
Required
No
Type
0/1
Description
WSFED_AP_USER_NOT_FOUND_REDIRECT_URL
Required
No
Type
String
Description
Contains an optional redirect to be used in either of the following cases:
WSFED_AP_WINNT_SEARCH_SPEC
Required
No
Type
String
Description
Search specification for a WinNT directory.
WSFED_AP_XPATH
Required
No
Type
String
Description
XPath query for disambiguating the principal.
WSFED_DESCRIPTION
Required
No
Type
String
Description
A brief description of the provider.
WSFED_DISABLE_SIGNATURE_PROCESSING
Required
No
Type
Boolean
Description
Specifies whether signature processing is disabled. This setting is useful during the initial setup of an Account Partner. When an Account Partner is up and running, this setting must be false to avoid security implications The default value is zero.
WSFED_DSIG_VERINFO_ALIAS
Required
No
Type
String
Description
Locates the certificate of the provider in the key store if it is not provided in-line.
WSFED_ENABLED
Required
No
Type
Bool
Description
Indicates whether the Resource Partner is enabled. If not provided, defaults to true. This property does not get stored physically to the property collections, but is used to enable underlying policy.
WSFED_ENFORCE_SINGLE_USE_POLICY
Required
No
Type
Boolean
Description
If set to a value of 1, the single-use policy for WS-Federation assertions will be enforced. If set to a value of 0, the single-use policy for assertions will not be enforced. The default is 1.
WSFED_KEY_APID
Required
Yes
Type
String
Description
Identifier for the Account Partner. This must be a URI less the 1024 characters long. In addition, this is the key with which properties associated with an Account Partner can be looked up.
WSFED_KEY_RPID
Required
Yes
Type
String
Description
The ID for the for the Resource Partner. This must be a URI less the 1024 characters long. In addition, this is the key with which the properties associated with a Resource Partner can be looked up.
WSFED_MAJOR_VERSION
Required
No
Type
Int
Description
Version of the WS-Federation protocol supported by this provider. The value of this property has to be 1.
WSFED_MINOR_VERSION
Required
No
Type
Int
Description
Version of WS-Federation protocol supported by this provider. The value of this property must be set to 0.
WSFED_NAME
Required
Yes
Type
String
Description
The name of the provider.
WSFED_RPID
Required
Yes
Type
String
Description
Identifier of the Resource Partner.
WSFED_RP_ASSERTION_CONSUMER_DEFAULT_URL
Required
Yes
Type
String
Description
The the URL of the default Assertion Consumer.
WSFED_RP_AUTHENTICATION_LEVEL
Required
No
Type
Int
Description
The principal must have authenticated in a realm by an authentication scheme of at least this level or greater. If not provided when the Resource Partner is created, the default is 5.
WSFED_RP_AUTHENTICATION_METHOD
Required
No
Type
String
Description
The authentication method to use in the assertion. This will typically be one of the authentication method values from the WS-Federation specification.
WSFED_RP_AUTHENTICATION_URL
Required
Yes
Type
String
Description
The protected URL used to authenticate Resource Partner users.
WSFED_RP_DOMAIN
Required
Yes
Type
OID
Description
The Resource Partner domain where this provider is defined.
WSFED_RP_ENDTIME
Required
No
Default
None
Description
The time by which an assertion must be generated.
Use the Perl time() method to help assign a time to this property. The time value is stored as a string. For example:
$WSFED_RP_ENDTIME=WSFED_RP_ENDTIME;
$time=time() + 20;
$ResourcePartner->Property($WSFED_RP_ENDTIME,"$time");
This property is used with WSFED_RP_STARTTIME to define a time restriction for the generation of assertions.
Set WSFED_RP_ENDTIME to 0 to end the time restriction immediately.
WSFED_RP_NAMEID_ALLOWED_NESTED
Required
No
Type
Boolean
Description
Indicates whether nested groups are allowed when selecting a DN attribute for the name identifer. The default is zero.
WSFED_RP_NAMEID_ATTR_NAME
Required
No
Type
String
Description
The attribute name (user or DN) that holds the name identifier when NameIdType is assigned to 1 or NameIdType is assigned to 2. If NameIdType is set to 1 or 2, then this property must had a value.
WSFED_RP_NAMEID_DN_SPEC
Required
No
Type
String
Description
The DN specification used when the NameIdType is assigned to 2. If NameIdType is assigned to 2, this property must have a value.
WSFED_RP_NAMEID_FORMAT
Required
No
Type
String
Description
The URI for a WS-Federation name identifier.
WSFED_RP_NAMEID_TYPE
Required
No
Type
Int
Description
One of the following types of name identifier:
WSFED_RP_NAMEID_STATIC
Required
No
Type
String
Description
The static text to be used as the name identifier when the NameIdType is assigned to 0. An error is returned if there is no value specified for this property and NameIdType is assigned to 0.
WSFED_RP_PLUGIN_CLASS
Required
No
Type
String
Description
The fully-qualified Java class name for the Assertion Generator plug-in.
WSFED_RP_PLUGIN_PARAMS
Required
No
Type
String
Description
The parameters passed to the Assertion Generator plug-in.
WSFED_RP_SIGNOUT_CLEANUP_URL
Required
No
Type
String
Description
Signout cleanup URL of the Resource Partner. This property is required if Signout is enabled.
WSFED_RP_SIGNOUT_CONFIRM_URL
Required
No
Type
String
Description
The URL where the user is redirected when Sign-out is complete and if the request does not have a reply query parameter. Even though this property is part of the Resource Partner object, it is the URL that the user is redirected to when Signout at the Account Partner is complete. If there are multiple Resource Partners available, then the Signout Confirm URL of the last Resource Partner is used. The default is disabled.
WSFED_RP_SLO_ENABLED
Required
No
Type
Boolean
Description
Indicates whether Signout is enabled for the Resource Partner.
WSFED_RP_STARTTIME
Required
No
Default
None
Description
The time when a time restriction for generating an assertion becomes effective.
Use the Perl time() method to help assign a time to this property. The time value is stored as a string. For example:
$WSFED_RP__STARTTIME=WSFED_RP_STARTTIME;
$time=time() + 10;
$ResourcePartner->Property($WSFED_RP_STARTTIME,"$time");
This property is used with WSFED_RP_ENDTIME to define a time restriction for the generation of assertions.
Set WSFED_RP_STARTTIME to 0 to start the time restriction immediately.
WSFED_RP_VALIDITY_DURATION
Required
No
Type
Integer
Description
The number of seconds for which a generated assertion is valid. If not provided when the Resource Partner is created, the default is 60 seconds.
WSFED_SAML_MAJOR_VERSION
Required
No
Type
Integer
Description
The version of the SAML protocol supported by this provider. The value is 1.
WSFED_SAML_MINOR_VERSION
Required
No
Type
Integer
Description
The version of the SAML protocol supported by this provider. The value is 1.
WSFED_SKEW_TIME
Required
No
Type
String
Description
The skew time between the consumer and the producer side in seconds. This value is used to calculate validity duration of assertions and of Signout requests. The default value is 30.
|
Copyright © 2012 CA.
All rights reserved.
|
|