Access Management 7.3.2

Create and configure the Fedlet

An AM Fedlet is a small web application that makes it easy to add SAML v2.0 service provider (SP) capabilities to your Java web application.

The full AM distribution file, AM-7.3.2.zip, includes the Java Fedlet package, Fedlet-7.3.2.zip, that you can use as the basis of your Fedlet. This section covers how to configure a Java Fedlet using that distribution, by editing the circle of trust, Java properties, and IDP and SP XML configuration templates.

The high-level steps are:

  • Determine the roles that the IDP(s) and Fedlet play in SAML v2.0 Circles of Trust.

  • Unpack the Fedlet from the full AM distribution ZIP file to access the Fedlet WAR file and template configuration files.

  • Prepare the Fedlet configuration, including setting up a configuration directory and keystore if needed.

  • Obtain SAML v2.0 metadata configuration files from the IDP(s), and add them to the Fedlet configuration.

  • Finish preparing the Fedlet configuration by editing the remaining Fedlet template configuration files.

  • Share the Fedlet SAML v2.0 configuration files with the IDP(s).

    An IDP relies on the standard SAML v2.0 metadata to communicate with the Fedlet.

  • Deploy and test the Fedlet.

Contents of the Java Fedlet distribution ZIP file

Unpack the Java Fedlet distribution ZIP file into a working directory:

$ mkdir fedlet && cd fedlet
$ unzip ../Fedlet-7.3.2.zip

The Fedlet-7.3.2.zip file contains the following files:

fedlet.war

This file contains a Java Fedlet web application that serves as an example, and that you can embed in your applications.

README

This file describes Fedlet features.

conf/

This folder contains the Fedlet configuration templates that you edit as appropriate for your deployment.

When editing the templates, place copies of the files in the Fedlet home directory on the system where you deploy the Fedlet. By default the Fedlet home directory is user.home/uri, where user.home is the value of the Java system property user.home for the user running the web container where you deploy the Fedlet, and uri is the path of the URI where you deploy the Fedlet, such as /fedlet.

For example, if user.home is the /home/user folder, that user could have a /home/user/fedlet folder for Fedlet configuration files:

$ mkdir ~/fedlet

To change the location, set the system property com.sun.identity.fedlet.home when starting the container where the Fedlet runs:

$ java -Dcom.sun.identity.fedlet.home=/path/to/fedlet/conf …​
conf/FederationConfig.properties

This file defines settings for the Fedlet as a web application. It does not address the SAML v2.0 configuration.

For more about this file, see Configuring Java Fedlet Properties.

conf/fedlet.cot-template

This template defines settings for a SAML v2.0 circle of trust to which the Fedlet belongs, and should be named fedlet.cot after configuration.

For more about this file, see Configure circles of trust.

conf/idp.xml (not provided)

The idp.xml file is standard SAML v2.0 metadata that describes the IDP configuration.

Templates for other SAML v2.0 configuration files are provided, but no idp.xml template file is provided.

Instead you must obtain the SAML v2.0 metadata from the IDP, and add it as an idp.xml file here, alongside the other SAML v2.0 configuration files. How you obtain this file from the IDP depends on the IDP implementation.

To obtain this information from an AM instance, see To Create a Hosted Entity Provider.

conf/idp-extended.xml-template

This template holds extended SAML v2.0 IDP settings that AM uses, and should be named idp-extended.xml after configuration.

For more about this file, see Configure the identity providers.

conf/sp.xml-template

This template describes standard SAML v2.0 SP settings, and should be named sp.xml after configuration.

For more about this file, see Configure the service providers.

conf/sp-extended.xml-template

This template describes extended SAML v2.0 SP settings that the Fedlet uses, and should be named sp-extended.xml after configuration.

For more about this file, see Configure the service providers.

To configure a Fedlet, make copies of the template files listed above, configure the necessary properties and values, and provide the resulting files to the person administering the SP, ready to deploy. See Deploy and test the Fedlet on the SP.

Configuring Java Fedlet Properties

File: FederationConfig.properties

The Java Fedlet to configure by hand includes a FederationConfig.properties file that defines settings for the Fedlet as a web application. The configuration for a single Java Fedlet includes only one FederationConfig.properties file, regardless of how many IDP and SP configurations are involved. This file does not address the SAML v2.0 configuration.

When configured this file contains sensitive properties such as the value of am.encryption.pwd. Make sure it is readable only by the user running the Fedlet application.

Deployment URL settings

The following settings define the Fedlet deployment URL.

com.iplanet.am.server.protocol

Set this to the protocol portion of the URL, such as HTTP or HTTPS.

com.iplanet.am.server.host

Set this to the host portion of the URL, such as www.sp.com.

com.iplanet.am.server.port

Set this to the port portion of the URL, such as 80, 443, 8080, or 8443.

com.iplanet.am.services.deploymentDescriptor

Set this to path portion of the URL, starting with a /, such as /fedlet.

Log and Statistics Settings

The following settings define the Fedlet configuration for logging and monitoring statistics.

com.iplanet.am.logstatus

This sets whether the Fedlet actively writes debug log files.

Default: ACTIVE

com.iplanet.services.debug.level

This sets the debug log level.

The following settings are available, in order of increasing verbosity:

  1. off

  2. error

  3. warning

  4. message

Default: message

com.iplanet.services.debug.directory

This sets the location of the debug log folder.

Trailing spaces in the file names are significant. Even on Windows systems, use slashes to separate directories.

Examples: /home/user/fedlet/debug, C:/fedlet/debug

com.iplanet.am.stats.interval

This sets the interval at which statistics are written, in seconds.

The shortest interval supported is 5 seconds. Settings less than 5 (seconds) are taken as 5 seconds.

Default: 60

com.iplanet.services.stats.state

This sets how the Fedlet writes monitoring statistics.

The following settings are available:
off
console (write to the container logs)
file (write to Fedlet stats logs)

Default: file

com.iplanet.services.stats.directory

This sets the location of the stats file folder.

Trailing spaces in the file names are significant. Even on Windows systems, use slashes to separate directories.

Examples: /home/user/fedlet/stats, C:/fedlet/stats

Public and private key settings

The following settings define settings for access to certificates and private keys used in signing and encryption.

Other sections in this guide explain how to configure a Fedlet for signing and encryption including how to work with the keystores that these settings reference, and how to specify public key certificates in standard SAML v2.0 metadata. When working with a Java Fedlet, see Enable signing and encryption in a Fedlet.

com.sun.identity.saml.xmlsig.keystore

This sets the path to the keystore file that holds public key certificates of IDPs and key pairs for the Fedlet.

For hints on generating a keystore file with a key pair, see Change default key aliases.

Example: @FEDLET_HOME@/keystore.jceks

com.sun.identity.saml.xmlsig.storepass

This sets the path to the file that contains the keystore password encoded by using the symmetric key set as the value of am.encryption.pwd.

When creating the file, encode the cleartext password by using your own test copy (not a production version) of AM.

  • In the AM admin UI, go to Deployment > Servers > Server Name > Security > Encryption, and set the Password Encryption Key to your symmetric key.

    Do not do this in a production system where the existing symmetric key is already in use!

  • Switch to the encode.jsp page, such as https://openam.example.com:8443/openam/encode.jsp, enter the cleartext password to encode with your symmetric key, and select Encode.

  • Copy the encoded password to your file.

Example: @FEDLET_HOME@/.storepass

com.sun.identity.saml.xmlsig.keypass

This sets the path to the file that contains the private key password encoded by using the symmetric key set as the value of am.encryption.pwd.

To encode the cleartext password, follow the same steps for the password used when setting com.sun.identity.saml.xmlsig.storepass.

Example: @FEDLET_HOME@/.keypass

com.sun.identity.saml.xmlsig.certalias

This sets the alias of the Fedlet’s public key certificate.

Example: fedlet-cert

com.sun.identity.saml.xmlsig.storetype

The sets the type of keystore.

Default: JKS (JCEKS is recommended.)

am.encryption.pwd

This sets the symmetric key that used to encrypt and decrypt passwords.

Example: uu4dHvBkJJpIjPQWM74pxH3brZJ5gJje

Alternative implementation settings

The Java Fedlet properties file includes settings that let you plug in alternative implementations of Fedlet capabilities. You can safely use the default settings, as specified in the following list. The list uses the same order for the keys you find in the file.

com.sun.identity.plugin.configuration.class

Default: com.sun.identity.plugin.configuration.impl.FedletConfigurationImpl

com.sun.identity.plugin.datastore.class.default

Default: com.sun.identity.plugin.datastore.impl.FedletDataStoreProvider

com.sun.identity.plugin.log.class

Default: com.sun.identity.plugin.log.impl.FedletLogger

com.sun.identity.plugin.session.class

Default: com.sun.identity.plugin.session.impl.FedletSessionProvider

com.sun.identity.plugin.monitoring.agent.class

Default: com.sun.identity.plugin.monitoring.impl.FedletAgentProvider

com.sun.identity.plugin.monitoring.saml2.class

Default: com.sun.identity.plugin.monitoring.impl.FedletMonSAML2SvcProvider

com.sun.identity.plugin.monitoring.idff.class

Default: com.sun.identity.plugin.monitoring.impl.FedletMonIDFFSvcProvider

com.sun.identity.saml.xmlsig.keyprovider.class

Default: com.sun.identity.saml.xmlsig.JKSKeyProvider

Despite the name, this provider supports JCEKS keystores.

com.sun.identity.saml.xmlsig.signatureprovider.class

Default: com.sun.identity.saml.xmlsig.AMSignatureProvider

com.sun.identity.common.serverMode

Default: false

com.sun.identity.webcontainer

Default: WEB_CONTAINER

com.sun.identity.saml.xmlsig.passwordDecoder

Default: com.sun.identity.fedlet.FedletEncodeDecode

com.iplanet.services.comm.server.pllrequest.maxContentLength

Default: 16384

com.iplanet.security.SecureRandomFactoryImpl

Default: com.iplanet.am.util.SecureRandomFactoryImpl

com.iplanet.security.SSLSocketFactoryImpl

Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory

com.iplanet.security.encryptor

Default: com.iplanet.services.util.JCEEncryption

com.sun.identity.jss.donotInstallAtHighestPriority

Default: true

com.iplanet.services.configpath

Default: @BASE_DIR@

Configure circles of trust

File: fedlet.cot

This file defines settings for a SAML v2.0 circle of trust. The Fedlet belongs to at least one circle of trust.

Configure a circle of trust with a single IDP

When the Fedlet is involved in only a single circle of trust with one IDP and the Fedlet as an SP, the only settings to change are cot-name and sun-fm-trusted-providers.

  1. Save a copy of the template as a fedlet.cot file in the configuration folder, as in the following example:

    $ cp ~/Downloads/fedlet/conf/fedlet.cot-template ~/fedlet/fedlet.cot
  2. Set cot-name to the name of the circle of trust.

  3. Set sun-fm-trusted-providers to a comma-separated list of the entity names for the IDP and SP.

    For example, if the IDP is AM with entity ID https://openam.example.com:8443/openam and the SP is the Fedlet with entity ID https://sp.example.net:8443/fedlet, then set the property as follows:

    sun-fm-trusted-providers=https://openam.example.com:8443/openam,https://sp.example.net:8443/fedlet

Configure a circle of trust with multiple IDPs

When the circle of trust involves multiple IDPs, use the Fedlet in combination with the AM IDP Discovery service.

For this to work, the IDPs must be configured to use IDP discovery, and users must have preferred IDPs.

  1. Set up the AM IDP Discovery service.

  2. Configure the circle of trust as described in Configure a circle of trust with a single IDP, but specifying multiple IDPs, including the IDP that provides the IDP Discovery service.

  3. Set the sun-fm-saml2-readerservice-url and the sun-fm-saml2-writerservice-url properties as defined for the IDP Discovery service.

Configure multiple circles of trust

This procedure concerns deployments where the Fedlet participates as SP in multiple Circles of Trust, each involving their own IDP.

  1. For each circle of trust, save a copy of the template in the configuration folder.

    The following example involves two circles of trust:

    $ cp ~/Downloads/fedlet/conf/fedlet.cot-template ~/fedlet/fedlet.cot
    $ cp ~/Downloads/fedlet/conf/fedlet.cot-template ~/fedlet/fedlet2.cot
  2. Set up IDP XML files for each IDP as described in Configure the identity providers.

  3. For each circle of trust, set up the cot file as described in Configure a circle of trust with a single IDP.

  4. In the extended SP XML file described in Configure the identity providers, set the Attribute element with name cotlist to include values for all circles of trust. The values are taken from the cot-name settings in the cot files.

    The following example works with two circles of trust, cot and cot2.

    <Attribute name="cotlist">
        <Value>cot</Value>
        <Value>cot2</Value>
    </Attribute>

    The same Attribute element is also available in extended IDP XML files for cases where an IDP belongs to multiple circles of trust.

Configure the identity providers

Files: idp.xml, idp-extended.xml

As described in Contents of the Java Fedlet distribution ZIP file, the IDP provides its standard SAML v2.0 metadata as XML, which you save in the configuration folder as a idp.xml file. If the IDP uses AM, the IDP can also provide extended SAML v2.0 metadata as XML, which you save in the configuration folder as a idp-extended.xml file, rather than using the template for extended information.

If you have multiple identity providers, then number the configuration files, as in idp.xml, idp2.xml, idp3.xml, and also idp-extended.xml, idp2-extended.xml, idp3-extended.xml, and so on.

Identity Provider Standard XML

This section covers the configuration in the idp.xml file. The idp.xml file contains standard SAML v2.0 metadata for an IDP in a circle of trust that includes the Fedlet as SP. The IDP provides you the content of this file.

If the IDP uses AM then the administrator can export the metadata by using either the ssoadm create-metadata-templ command or the /saml2/jsp/exportmetadata.jsp endpoint under the AM deployment URL.

If the IDP uses an implementation different from AM, see the documentation for details on obtaining the standard metadata. The standard, product-independent metadata are covered in Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. The standard XML namespace describing the XML document has identifier urn:oasis:names:tc:SAML:2.0:metadata. An XML schema description for this namespace is found online at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.

Identity Provider Extended XML

This section covers the configuration in the idp-extended.xml file. Most extended metadata are specific to the AM implementation of SAML v2.0. If the IDP runs AM, have the IDP provide the extended metadata exported by using the ssoadm create-metadata-templ command. This section covers only the basic settings relative to all IDPs.

The extended metadata file describes an EntityConfig element, defined by the namespace with the identifier urn:sun:fm:SAML:2.0:entityconfig. The XML schema definition is described in the entity-config-schema.xsd file, available as part of the AM source code, though not included in the AM WAR file.

The unconfigured Fedlet includes a template file, conf/idp-extended.xml-template. This extended metadata template for the IDP requires that you edit at least the IDP_ENTITY_ID and fedletcot values to reflect the IDP entity ID used in the standard metadata and the circle of trust name defined in the fedlet.cot file, respectively. The hosted attribute on the EntityConfig element must remain set to hosted="0", meaning that the IDP is remote. The IDP is likely to play at least the role of single sign-on identity provider, though the namespace defines elements for the attribute authority and policy decision point roles shown in the template, as well as the others defined in the standard governing SAML v2.0 metadata.

The extended metadata file is essentially a series of XML maps of key-value pairs specifying IDP configuration for each role. All role-level elements can take a metaAlias attribute that the Fedlet uses when communicating with the IDP. Each child element of a role element defines an Attribute whose name is the key. Each Attribute element can contain multiple Value elements. The Value elements' contents comprise the values for the key. All values are strings, sometimes with a format that is meaningful to AM. The basic example in the IDP template shows the minimal configuration for the single sign-on IDP role.

In the following example, the description is empty and the name of the circle of trust is fedletcot.

<IDPSSOConfig>
   <Attribute name="description">
     <Value/>
   </Attribute>
   <Attribute name="cotlist">
     <Value>fedletcot</Value>
   </Attribute>
</IDPSSOConfig>
<AttributeAuthorityConfig>
   <Attribute name="cotlist">
     <Value>fedletcot</Value>
   </Attribute>
</AttributeAuthorityConfig>
<XACMLPDPConfig>
   <Attribute name="wantXACMLAuthzDecisionQuerySigned">
     <Value></Value>
   </Attribute>
   <Attribute name="cotlist">
     <Value>fedletcot</Value>
   </Attribute>
</XACMLPDPConfig>

When functioning as IDP, AM can take many other Attribute values. These are implementation dependent. You can obtain the extended metadata from AM by using the ssoadm create-metadata-templ subcommand.

Custom authentication contexts can be loaded and saved when they are loaded via ssoadm as part of the hosted IDP/SP extended metadata and the saves are made in the AM admin UI. Any custom contexts loaded via ssoadm are also visible in the AM admin UI.

For example, you can specify custom entries in the idpAuthncontextClassrefMapping element of the extended metadata for a hosted IDP as follows:

<Attribute name="idpAuthncontextClassrefMapping">
  <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\|1\|\|default</Value>
  <Value>http://idmanagement.gov/ns/assurance/loa/4\|4\|\|</Value>
  <Value>http://idmanagement.gov/ns/assurance/loa/3\|3\|\|</Value>
  <Value>http://idmanagement.gov/ns/assurance/loa/2\|2\|\|</Value>
  <Value>http://idmanagement.gov/ns/assurance/loa/1\|1\|\|</Value>
</Attribute>

Identity provider extended XML: IDPSSOConfig settings

This section covers elements for the IDP single sign-on role, arranged in the order they appear in the template.

description

Description of the file.

cotlist

Specifies the circle of trust(s) to which the provider belongs.

Default: fedletcot

Configure the service providers

Files: sp.xml, sp-extended.xml

As mentioned in Contents of the Java Fedlet distribution ZIP file, the Fedlet SAML v2.0 configuration is defined in two XML files, the standard metadata in a sp.xml file and the extended metadata in a sp-extended.xml file.

If the Fedlet has multiple service provider personalities, then number the configuration files, as in sp.xml, sp2.xml, sp3.xml, and also sp-extended.xml, sp2-extended.xml, sp3-extended.xml, and so on.

Service provider standard XML

This section covers the configuration in the sp.xml file. The sp.xml file contains standard SAML v2.0 metadata for the Fedlet as SP. If you edit the standard metadata, make sure that you provide the new version to your IDP, as the IDP software relies on the metadata to get the Fedlet’s configuration.

The standard metadata are covered in Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. The standard XML namespace describing the XML document has identifier urn:oasis:names:tc:SAML:2.0:metadata. An XML schema description for this namespace is found online at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.

A standard metadata file describes the SAML v2.0 roles that the Fedlet plays. The default base element of the file is an EntityDescriptor, which is a container for role descriptor elements. The EntityDescriptor element can therefore contain multiple role descriptor elements. The namespace for the standard metadata document is urn:oasis:names:tc:SAML:2.0:metadata. You can get the corresponding XML schema description online at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd. In general, you can find standard SAML v2.0-related XML schema definitions at http://docs.oasis-open.org/security/saml/v2.0/.

Fedlets do not support all arbitrary SP configurations. As lightweight service provider components, Fedlets are built to play the SP role in web single sign-on and single logout, to perform attribute queries and XACML policy decision requests, and to work with multiple IDPs including circles of trust with an IDP discovery service. For a list of what Fedlets support, see the table Fedlet Support for SAML v2.0 Features.

When preparing a standard SP metadata file, follow these suggestions.

  • Start either with an existing example or with the template file, conf/sp.xml-template.

  • When using the template, replace the following placeholders.

    FEDLET_ENTITY_ID

    The Fedlet entity ID used when communicating with the IDP.

    AM often uses the deployment URL as the entity ID, though that is a convention rather than a requirement.

    FEDLET_PROTOCOL

    The Fedlet deployment protocol (http, https)

    FEDLET_HOST

    The Fedlet deployment host name

    FEDLET_PORT

    The Fedlet deployment port number

    FEDLET_DEPLOY_URI

    The Fedlet application deployment path

  • Add and edit role elements as children depending on the roles the Fedlet plays as described in the following sections.

Single Sign-On and Logout: SPSSODescriptor Element

Add an SPSSODescriptor element to play the SP role in web single sign-on and logout. An SPSSODescriptor element has attributes specifying whether requests and assertion responses should be digitally signed.

  • The AuthnRequestsSigned attribute indicates whether the Fedlet signs authentication requests.

    If you set the AuthnRequestsSigned attribute to true, then you must also configure the SPSSODescriptor element to allow the Fedlet to sign requests. For details see the section on Enable signing and encryption in a Fedlet.

  • The WantAssertionsSigned attribute indicates whether the Fedlet requests signed assertion responses from the IDP.

An SPSSODescriptor element’s children indicate what name ID formats the Fedlet supports, and where the IDP can call the following services on the Fedlet.

  • The AssertionConsumerService elements specify endpoints that support the SAML Authentication Request protocols.

    You must specify at least one of these. The template specifies two, with the endpoint supporting the HTTP POST binding as the default.

  • The optional SingleLogoutService elements specify endpoints that support the SAML Single Logout protocols.

Service Provider Extended XML

This section covers the configuration in the sp-extended.xml file. The extended metadata are specific to the AM implementation of SAML v2.0.

The extended metadata file describes an EntityConfig element, defined by the namespace with the identifier urn:sun:fm:SAML:2.0:entityconfig. The XML schema definition is described in the entity-config-schema.xsd file, available as part of the AM source code, though not included with the unconfigured Fedlet.

The unconfigured Fedlet does include a template file, conf/sp-extended.xml-template. This extended metadata template for the IDP requires that you edit at least the FEDLET_ENTITY_ID placeholder value, the appLogoutUrl attribute value in the SPSSOConfig element, and the fedletcot values. The FEDLET_ENTITY_ID value must reflect the SP entity ID used in the standard metadata. For the single logout profile, the appLogoutUrl attribute value must match the Fedlet URL based on the values used in the FederationConfig.properties file. The fedletcot values must correspond to the circle of trust name defined in the fedlet.cot file.

The hosted attribute on the EntityConfig element must remain set to hosted="1", meaning that the SP is hosted (local to the Fedlet). If you provide a copy of the file to your IDP running AM, however, then set hosted="0" for the IDP, as the Fedlet is remote to the IDP.

The extended metadata file is essentially a series of XML maps of key-value pairs specifying IDP configuration for each role. All role-level elements can take a metaAlias attribute that the Fedlet uses when communicating with the IDP. Each child element of a role element defines an Attribute whose name is the key. Each Attribute element can contain multiple Value elements. The Value elements' contents comprise the values for the key. All values are strings, sometimes with a format that is meaningful to the Fedlet. The basic example in the SP template shows the configuration options, documented in the following lists.

Service Provider Extended XML: SPSSOConfig Settings

This section covers elements for the SP single sign-on role, arranged in the order they appear in the template.

description

Human-readable description of the Fedlet in the SP single sign-on role

signingCertAlias

Alias of the public key certificate for the key pair used when signing messages to the IDP

The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.

encryptionCertAlias

Alias of the public key certificate for the key pair used when encrypting messages to the IDP

The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.

basicAuthOn

Set this to true to use HTTP Basic authorization with the IDP.

Default: false

basicAuthUser

When using HTTP Basic authorization with the IDP, this value is the user name.

basicAuthPassword

When using HTTP Basic authorization with the IDP, this value is the password.

Encrypt the password using the encode.jsp page of your test copy of AM that you might also have used to encode keystore passwords as described in Public and private key settings.

autofedEnabled

Set this to true to enable automatic federation with AM based on the value of a profile attribute that is common to user profiles both in AM and in the Fedlet’s context.

Default: false

autofedAttribute

When automatic federation is enabled, set this to the name of the user profile attribute used for automatic federation.

transientUser

Use this effective identity for users with transient identifiers.

Default: anonymous

spAdapter

Class name for a plugin service provider adapter

This class must extend com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter.

spAdapterEnv

When using a plugin service provider adapter, this attribute’s values optionally take a map of settings key=value used to initialize the plugin.

fedletAdapter

Class name for an alternate fedlet adapter. Default is an empty value.

fedletAdapterEnv

When using an alternate fedlet adapter, this attribute’s values optionally take a map of settings key=value used to initialize the plugin.

spAccountMapper

Class name for an implementation mapping SAML protocol objects to local user profiles

Default: com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper

spAttributeMapper

Class name for an implementation mapping SAML assertion attributes to local user profile attributes

Default: com.sun.identity.saml2.plugins.DefaultSPAttributeMapper

spAuthncontextMapper

Class name for an implementation determining the authentication context to set in an authentication request, and mapping the authentication context to an authentication level

Default: com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper

spAuthncontextClassrefMapping

String defining how the SAML authentication context classes map to authentication levels and indicate the default context class

Format: authnContextClass|authLevel[|default]

Default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default

spAuthncontextComparisonType

How to evaluate authentication context class identifiers.

exact

Assertion context must exactly match a context in the list

minimum

Assertion context must be at least as strong as a context in the list

maximum

Assertion context must be no stronger than a context in the list

better

Assertion context must be stronger than all contexts in the list

Default: exact

attributeMap

Map of SAML assertion attributes to local user profile attributes

Default: *=*

saml2AuthModuleName

Name of an alternative SAML v2.0 authentication module

localAuthURL

URL to a login page on the Fedlet side

Use this to override the Assertion Consumer Service URL from the standard metadata when consuming assertions.

intermediateUrl

URL to an intermediate page returned before the user accesses the final protected resource

defaultRelayState

If no RelayState is specified in a SAML request, redirect to this URL after successful single sign-on.

URL-encode the defaultRelayState value.

appLogoutUrl

One or more Fedlet URLs that initiate single logout

Replace the placeholders in the default with the values for your Fedlet.

Default: FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/FEDLET_DEPLOY_URI/logout

assertionTimeSkew

Tolerate clock skew between the Fedlet and the IDP of at most this number of seconds

Default: 300

wantAttributeEncrypted

Set to true to request that the IDP encrypt attributes in the response

wantAssertionEncrypted

Set to true to request that the IDP encrypt the SAML assertion in the response

wantNameIDEncrypted

Set to true to request that the IDP encrypt the name ID in the response

wantPOSTResponseSigned

Set to true to request that the IDP sign the response when using HTTP POST

wantArtifactResponseSigned

Set to true to request that the IDP sign the response when using HTTP Artifact

wantLogoutRequestSigned

Set to true to request that the IDP sign single logout requests

wantLogoutResponseSigned

Set to true to request that the IDP sign single logout responses

wantMNIRequestSigned

Set to true to request that the IDP manage name ID requests

wantMNIResponseSigned

Set to true to request that the IDP manage name ID responses

cotlist

Set this to the circle of trust name used in Configure circles of trust.

Default: fedletcot

saeAppSecretList

When using Secure Attribute Exchange with AM this represents the Application Security Configuration settings.

Values take the format url=FedletURL|type=symmetric|secret=EncodedSharedSecret[|encryptionalgorithm=EncAlg|encryptionkeystrength=EncStrength] or url=FedletURL|type=asymmetric|privatekeyalias=FedletSigningCertAlias[|encryptionalgorithm=EncAlg|encryptionkeystrength=EncStrength|pubkeyalias=FedletPublicKeyAlias]

You can omit the privatekeyalias setting if the signing certifcate is specified in the standard metadata.

saeSPUrl

When using Secure Attribute Exchange (SAE) with AM this is the Fedlet URL that handles SAE requests. If this is omitted, then SAE is not enabled.

saeSPLogoutUrl

When using Secure Attribute Exchange with AM this is the Fedlet URL that handles SAE global logout requests.

ECPRequestIDPListFinderImpl

When using the Enhanced Client and Proxy profile this is the class name for the implementation that returns a list of preferred IDPs trusted by the ECP.

Default: com.sun.identity.saml2.plugins.ECPIDPFinder

ECPRequestIDPList

When using the Enhanced Client and Proxy profile this is the list of IDPs for the ECP to contact.

When not specified the list finder implementation is used.

enableIDPProxy

Set this to true to enable IDP proxy functionality.

Default: false

idpProxyList

A list of preferred IDPs that the Fedlet can proxy to

idpProxyCount

Number of IDP proxies that the Fedlet can have

Default: 0

useIntroductionForIDPProxy

Set this to true to pick a preferred IDP based on a SAML v2.0 introduction cookie.

Default: false

Service Provider Extended XML: AttributeQueryConfig Settings

This section covers elements for the Attribute Requester role, arranged in the order they appear in the template.

signingCertAlias

Alias of the public key certificate for the key pair used when signing messages to the IDP

The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.

encryptionCertAlias

Alias of the public key certificate for the key pair used when encrypting messages to the IDP

The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.

wantNameIDEncrypted

Set to true to request that the IDP encrypt the name ID

cotlist

Set this to the circle of trust name used in Configure circles of trust.

Default: fedletcot

Service Provider Extended XML: XACMLAuthzDecisionQueryConfig Settings

This section covers elements for the XACML decision requester role, enabling the Fedlet to act as a Policy Enforcement Point, arranged in the order they appear in the template.

signingCertAlias

Alias of the public key certificate for the key pair used when signing messages to the IDP

The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.

encryptionCertAlias

Alias of the public key certificate for the key pair used when encrypting messages to the IDP

The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.

basicAuthOn

Set to true to use HTTP Basic authorization when contacting the Policy Decision Provider

Default: false

basicAuthUser

When using Basic authorization to contact the Policy Decision Provider, use this value as the username

basicAuthPassword

When using Basic authorization to contact the Policy Decision Provider, use this value as the password

Encrypt the password using the encode.jsp page of your test copy of AM that you might also have used to encode keystore passwords as described in Public and private key settings.

wantXACMLAuthzDecisionResponseSigned

Set this to true to request that the Policy Decision Provider sign the XACML response

wantAssertionEncrypted

Set this to true to request that the Policy Decision Provider encrypt the SAML assertion response

cotlist

Set this to the circle of trust name used in Configure circles of trust.

Default: fedletcot