Create and configure the Fedlet
An AM Fedlet is a small web application that makes it easy to add SAML v2.0 service provider (SP) capabilities to your Java web application.
The full AM distribution file, AM-7.5.1.zip
,
includes the Java Fedlet package, Fedlet-7.5.1.zip
, that you can use as the basis of your Fedlet.
This section covers how to configure a Java Fedlet using that distribution,
by editing the circle of trust, Java properties, and IDP and SP XML configuration templates.
The high-level steps are:
-
Determine the roles that the IDP(s) and Fedlet play in SAML v2.0 Circles of Trust.
-
Unpack the Fedlet from the full AM distribution ZIP file to access the Fedlet WAR file and template configuration files.
-
Prepare the Fedlet configuration, including setting up a configuration directory and keystore if needed.
-
Obtain SAML v2.0 metadata configuration files from the IDP(s), and add them to the Fedlet configuration.
-
Finish preparing the Fedlet configuration by editing the remaining Fedlet template configuration files.
-
Share the Fedlet SAML v2.0 configuration files with the IDP(s).
An IDP relies on the standard SAML v2.0 metadata to communicate with the Fedlet.
-
Deploy and test the Fedlet.
Contents of the Java Fedlet distribution ZIP file
Unpack the Java Fedlet distribution ZIP file into a working directory:
$ mkdir fedlet && cd fedlet
$ unzip ../Fedlet-7.5.1.zip
The Fedlet-7.5.1.zip
file contains the following files:
fedlet.war
-
This file contains a Java Fedlet web application that serves as an example, and that you can embed in your applications.
README
-
This file describes Fedlet features.
conf/
-
This folder contains the Fedlet configuration templates that you edit as appropriate for your deployment.
When editing the templates, place copies of the files in the Fedlet home directory on the system where you deploy the Fedlet. By default the Fedlet home directory is
user.home/uri
, where user.home is the value of the Java system propertyuser.home
for the user running the web container where you deploy the Fedlet, and uri is the path of the URI where you deploy the Fedlet, such as/fedlet
.For example, if user.home is the
/home/user
folder, that user could have a/home/user/fedlet
folder for Fedlet configuration files:$ mkdir ~/fedlet
To change the location, set the system property
com.sun.identity.fedlet.home
when starting the container where the Fedlet runs:$ java -Dcom.sun.identity.fedlet.home=/path/to/fedlet/conf …
conf/FederationConfig.properties
-
This file defines settings for the Fedlet as a web application. It does not address the SAML v2.0 configuration.
For more about this file, see Configuring Java Fedlet Properties.
conf/fedlet.cot-template
-
This template defines settings for a SAML v2.0 circle of trust to which the Fedlet belongs, and should be named
fedlet.cot
after configuration.For more about this file, see Configure circles of trust.
conf/idp.xml
(not provided)-
The
idp.xml
file is standard SAML v2.0 metadata that describes the IDP configuration.Templates for other SAML v2.0 configuration files are provided, but no
idp.xml
template file is provided.Instead you must obtain the SAML v2.0 metadata from the IDP, and add it as an
idp.xml
file here, alongside the other SAML v2.0 configuration files. How you obtain this file from the IDP depends on the IDP implementation.To obtain this information from an AM instance, see To Create a Hosted Entity Provider.
conf/idp-extended.xml-template
-
This template holds extended SAML v2.0 IDP settings that AM uses, and should be named
idp-extended.xml
after configuration.For more about this file, see Configure the identity providers.
conf/sp.xml-template
-
This template describes standard SAML v2.0 SP settings, and should be named
sp.xml
after configuration.For more about this file, see Configure the service providers.
conf/sp-extended.xml-template
-
This template describes extended SAML v2.0 SP settings that the Fedlet uses, and should be named
sp-extended.xml
after configuration.For more about this file, see Configure the service providers.
To configure a Fedlet, make copies of the template files listed above, configure the necessary properties and values, and provide the resulting files to the person administering the SP, ready to deploy. See Deploy and test the Fedlet on the SP.
Configuring Java Fedlet Properties
File: FederationConfig.properties
The Java Fedlet to configure by hand includes a FederationConfig.properties
file
that defines settings for the Fedlet as a web application.
The configuration for a single Java Fedlet includes only one FederationConfig.properties
file,
regardless of how many IDP and SP configurations are involved.
This file does not address the SAML v2.0 configuration.
When configured this file contains sensitive properties such as the value of am.encryption.pwd
.
Make sure it is readable only by the user running the Fedlet application.
Deployment URL settings
The following settings define the Fedlet deployment URL.
com.iplanet.am.server.protocol
-
Set this to the protocol portion of the URL, such as HTTP or HTTPS.
com.iplanet.am.server.host
-
Set this to the host portion of the URL, such as
www.sp.com
. com.iplanet.am.server.port
-
Set this to the port portion of the URL, such as 80, 443, 8080, or 8443.
com.iplanet.am.services.deploymentDescriptor
-
Set this to path portion of the URL, starting with a
/
, such as/fedlet
.
Log and Statistics Settings
The following settings define the Fedlet configuration for logging and monitoring statistics.
com.iplanet.am.logstatus
-
This sets whether the Fedlet actively writes debug log files.
Default:
ACTIVE
com.iplanet.services.debug.level
-
This sets the debug log level.
The following settings are available, in order of increasing verbosity:
-
off
-
error
-
warning
-
message
Default:
message
-
com.iplanet.services.debug.directory
-
This sets the location of the debug log folder.
Trailing spaces in the file names are significant. Even on Windows systems, use slashes to separate directories.
Examples:
/home/user/fedlet/debug
,C:/fedlet/debug
com.iplanet.am.stats.interval
-
This sets the interval at which statistics are written, in seconds.
The shortest interval supported is 5 seconds. Settings less than 5 (seconds) are taken as 5 seconds.
Default:
60
com.iplanet.services.stats.state
-
This sets how the Fedlet writes monitoring statistics.
The following settings are available:
off
console
(write to the container logs)
file
(write to Fedlet stats logs)Default:
file
com.iplanet.services.stats.directory
-
This sets the location of the stats file folder.
Trailing spaces in the file names are significant. Even on Windows systems, use slashes to separate directories.
Examples:
/home/user/fedlet/stats
,C:/fedlet/stats
Public and private key settings
The following settings define settings for access to certificates and private keys used in signing and encryption.
Other sections in this guide explain how to configure a Fedlet for signing and encryption including how to work with the keystores that these settings reference, and how to specify public key certificates in standard SAML v2.0 metadata. When working with a Java Fedlet, see Enable signing and encryption in a Fedlet.
com.sun.identity.saml.xmlsig.keystore
-
This sets the path to the keystore file that holds public key certificates of IDPs and key pairs for the Fedlet.
For hints on generating a keystore file with a key pair, see Change default key aliases.
Example:
@FEDLET_HOME@/keystore.jceks
com.sun.identity.saml.xmlsig.storepass
-
This sets the path to the file that contains the keystore password encoded by using the symmetric key set as the value of
am.encryption.pwd
.When creating the file, encode the cleartext password by using your own test copy (not a production version) of AM.
-
In the AM admin UI, go to Deployment > Servers > Server Name > Security > Encryption, and set the Password Encryption Key to your symmetric key.
Do not do this in a production system where the existing symmetric key is already in use!
-
Switch to the
encode.jsp
page, such ashttps://openam.example.com:8443/openam/encode.jsp
, enter the cleartext password to encode with your symmetric key, and select Encode. -
Copy the encoded password to your file.
Example:
@FEDLET_HOME@/.storepass
-
com.sun.identity.saml.xmlsig.keypass
-
This sets the path to the file that contains the private key password encoded by using the symmetric key set as the value of
am.encryption.pwd
.To encode the cleartext password, follow the same steps for the password used when setting
com.sun.identity.saml.xmlsig.storepass
.Example:
@FEDLET_HOME@/.keypass
com.sun.identity.saml.xmlsig.certalias
-
This sets the alias of the Fedlet’s public key certificate.
Example:
fedlet-cert
com.sun.identity.saml.xmlsig.storetype
-
The sets the type of keystore.
Default:
JKS
(JCEKS
is recommended.) am.encryption.pwd
-
This sets the symmetric key that used to encrypt and decrypt passwords.
Example:
uu4dHvBkJJpIjPQWM74pxH3brZJ5gJje
Alternative implementation settings
The Java Fedlet properties file includes settings that let you plug in alternative implementations of Fedlet capabilities. You can safely use the default settings, as specified in the following list. The list uses the same order for the keys you find in the file.
com.sun.identity.plugin.configuration.class
-
Default:
com.sun.identity.plugin.configuration.impl.FedletConfigurationImpl
com.sun.identity.plugin.datastore.class.default
-
Default:
com.sun.identity.plugin.datastore.impl.FedletDataStoreProvider
com.sun.identity.plugin.log.class
-
Default:
com.sun.identity.plugin.log.impl.FedletLogger
com.sun.identity.plugin.session.class
-
Default:
com.sun.identity.plugin.session.impl.FedletSessionProvider
com.sun.identity.plugin.monitoring.agent.class
-
Default:
com.sun.identity.plugin.monitoring.impl.FedletAgentProvider
com.sun.identity.plugin.monitoring.saml2.class
-
Default:
com.sun.identity.plugin.monitoring.impl.FedletMonSAML2SvcProvider
com.sun.identity.plugin.monitoring.idff.class
-
Default:
com.sun.identity.plugin.monitoring.impl.FedletMonIDFFSvcProvider
com.sun.identity.saml.xmlsig.keyprovider.class
-
Default:
com.sun.identity.saml.xmlsig.JKSKeyProvider
Despite the name, this provider supports JCEKS keystores.
com.sun.identity.saml.xmlsig.signatureprovider.class
-
Default:
com.sun.identity.saml.xmlsig.AMSignatureProvider
com.sun.identity.common.serverMode
-
Default:
false
com.sun.identity.webcontainer
-
Default:
WEB_CONTAINER
com.sun.identity.saml.xmlsig.passwordDecoder
-
Default:
com.sun.identity.fedlet.FedletEncodeDecode
com.iplanet.services.comm.server.pllrequest.maxContentLength
-
Default:
16384
com.iplanet.security.SecureRandomFactoryImpl
-
Default:
com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl
-
Default:
com.sun.identity.shared.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor
-
Default:
com.iplanet.services.util.JCEEncryption
com.sun.identity.jss.donotInstallAtHighestPriority
-
Default:
true
com.iplanet.services.configpath
-
Default:
@BASE_DIR@
Configure circles of trust
File: fedlet.cot
This file defines settings for a SAML v2.0 circle of trust. The Fedlet belongs to at least one circle of trust.
Configure a circle of trust with a single IDP
When the Fedlet is involved in only a single circle of trust with one IDP and the Fedlet as an SP,
the only settings to change are cot-name
and sun-fm-trusted-providers
.
-
Save a copy of the template as a
fedlet.cot
file in the configuration folder, as in the following example:$ cp ~/Downloads/fedlet/conf/fedlet.cot-template ~/fedlet/fedlet.cot
-
Set
cot-name
to the name of the circle of trust. -
Set
sun-fm-trusted-providers
to a comma-separated list of the entity names for the IDP and SP.For example, if the IDP is AM with entity ID
https://openam.example.com:8443/openam
and the SP is the Fedlet with entity IDhttps://sp.example.net:8443/fedlet
, then set the property as follows:sun-fm-trusted-providers=https://openam.example.com:8443/openam,https://sp.example.net:8443/fedlet
Configure a circle of trust with multiple IDPs
When the circle of trust involves multiple IDPs, use the Fedlet in combination with the AM IDP Discovery service.
For this to work, the IDPs must be configured to use IDP discovery, and users must have preferred IDPs. |
-
Set up the AM IDP Discovery service.
For details see Deploy the IDP Discovery service.
-
Configure the circle of trust as described in Configure a circle of trust with a single IDP, but specifying multiple IDPs, including the IDP that provides the IDP Discovery service.
-
Set the
sun-fm-saml2-readerservice-url
and thesun-fm-saml2-writerservice-url
properties as defined for the IDP Discovery service.
Configure multiple circles of trust
This procedure concerns deployments where the Fedlet participates as SP in multiple Circles of Trust, each involving their own IDP.
-
For each circle of trust, save a copy of the template in the configuration folder.
The following example involves two circles of trust:
$ cp ~/Downloads/fedlet/conf/fedlet.cot-template ~/fedlet/fedlet.cot $ cp ~/Downloads/fedlet/conf/fedlet.cot-template ~/fedlet/fedlet2.cot
-
Set up IDP XML files for each IDP as described in Configure the identity providers.
-
For each circle of trust, set up the cot file as described in Configure a circle of trust with a single IDP.
-
In the extended SP XML file described in Configure the identity providers, set the Attribute element with name
cotlist
to include values for all circles of trust. The values are taken from thecot-name
settings in the cot files.The following example works with two circles of trust,
cot
andcot2
.<Attribute name="cotlist"> <Value>cot</Value> <Value>cot2</Value> </Attribute>
The same Attribute element is also available in extended IDP XML files for cases where an IDP belongs to multiple circles of trust.
Configure the identity providers
Files: idp.xml
, idp-extended.xml
As described in Contents of the Java Fedlet distribution ZIP file, the IDP provides its standard SAML v2.0 metadata as XML,
which you save in the configuration folder as a idp.xml
file.
If the IDP uses AM, the IDP can also provide extended SAML v2.0 metadata as XML,
which you save in the configuration folder as a idp-extended.xml
file,
rather than using the template for extended information.
If you have multiple identity providers,
then number the configuration files, as in idp.xml
, idp2.xml
, idp3.xml
,
and also idp-extended.xml
, idp2-extended.xml
, idp3-extended.xml
, and so on.
Identity Provider Standard XML
This section covers the configuration in the idp.xml
file.
The idp.xml
file contains standard SAML v2.0 metadata for an IDP in a circle of trust
that includes the Fedlet as SP.
The IDP provides you the content of this file.
If the IDP uses AM then the administrator can export the metadata
by using either the ssoadm create-metadata-templ
command
or the /saml2/jsp/exportmetadata.jsp
endpoint under the AM deployment URL.
If the IDP uses an implementation different from AM,
see the documentation for details on obtaining the standard metadata.
The standard, product-independent metadata are covered in
Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.
The standard XML namespace describing the XML document has identifier urn:oasis:names:tc:SAML:2.0:metadata
.
An XML schema description for this namespace is found online at
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.
Identity Provider Extended XML
This section covers the configuration in the idp-extended.xml
file.
Most extended metadata are specific to the AM implementation of SAML v2.0.
If the IDP runs AM, have the IDP provide the extended metadata exported
by using the ssoadm create-metadata-templ
command.
This section covers only the basic settings relative to all IDPs.
The extended metadata file describes an EntityConfig
element,
defined by the namespace with the identifier urn:sun:fm:SAML:2.0:entityconfig
.
The XML schema definition is described in the entity-config-schema.xsd
file,
available as part of the AM source code, though not included in the AM WAR file.
The unconfigured Fedlet includes a template file, conf/idp-extended.xml-template
.
This extended metadata template for the IDP requires
that you edit at least the IDP_ENTITY_ID
and fedletcot
values
to reflect the IDP entity ID used in the standard metadata
and the circle of trust name defined in the fedlet.cot
file, respectively.
The hosted
attribute on the EntityConfig
element must remain set to hosted="0"
, meaning that the IDP is remote.
The IDP is likely to play at least the role of single sign-on identity provider,
though the namespace defines elements for the attribute authority and policy decision point roles shown in the template,
as well as the others defined in the standard governing SAML v2.0 metadata.
The extended metadata file is essentially a series of XML maps of key-value pairs
specifying IDP configuration for each role.
All role-level elements can take a metaAlias
attribute that the Fedlet uses when communicating with the IDP.
Each child element of a role element defines an Attribute
whose name
is the key.
Each Attribute
element can contain multiple Value
elements.
The Value
elements' contents comprise the values for the key.
All values are strings, sometimes with a format that is meaningful to AM.
The basic example in the IDP template shows the minimal configuration for the single sign-on IDP role.
In the following example, the description
is empty and the name of the circle of trust is fedletcot
.
<IDPSSOConfig>
<Attribute name="description">
<Value/>
</Attribute>
<Attribute name="cotlist">
<Value>fedletcot</Value>
</Attribute>
</IDPSSOConfig>
<AttributeAuthorityConfig>
<Attribute name="cotlist">
<Value>fedletcot</Value>
</Attribute>
</AttributeAuthorityConfig>
<XACMLPDPConfig>
<Attribute name="wantXACMLAuthzDecisionQuerySigned">
<Value></Value>
</Attribute>
<Attribute name="cotlist">
<Value>fedletcot</Value>
</Attribute>
</XACMLPDPConfig>
When functioning as IDP, AM can take many other Attribute
values.
These are implementation dependent.
You can obtain the extended metadata from AM by using the ssoadm create-metadata-templ
subcommand.
Custom authentication contexts can be loaded and saved when they are loaded via ssoadm as part of the hosted IDP/SP extended metadata and the saves are made in the AM admin UI. Any custom contexts loaded via ssoadm are also visible in the AM admin UI. For example, you can specify custom entries
in the
|
Configure the service providers
Files: sp.xml
, sp-extended.xml
As mentioned in Contents of the Java Fedlet distribution ZIP file, the Fedlet SAML v2.0 configuration is defined in two XML files,
the standard metadata in a sp.xml
file and the extended metadata in a sp-extended.xml
file.
If the Fedlet has multiple service provider personalities, then number the configuration files,
as in sp.xml
, sp2.xml
, sp3.xml
,
and also sp-extended.xml
, sp2-extended.xml
, sp3-extended.xml
, and so on.
Service provider standard XML
This section covers the configuration in the sp.xml
file.
The sp.xml
file contains standard SAML v2.0 metadata for the Fedlet as SP.
If you edit the standard metadata, make sure that you provide the new version to your IDP,
as the IDP software relies on the metadata to get the Fedlet’s configuration.
The standard metadata are covered in
Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.
The standard XML namespace describing the XML document has identifier urn:oasis:names:tc:SAML:2.0:metadata
.
An XML schema description for this namespace is found online at
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.
A standard metadata file describes the SAML v2.0 roles that the Fedlet plays.
The default base element of the file is an EntityDescriptor
, which is a container for role descriptor elements.
The EntityDescriptor
element can therefore contain multiple role descriptor elements.
The namespace for the standard metadata document is urn:oasis:names:tc:SAML:2.0:metadata
.
You can get the corresponding XML schema description online at
http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.
In general, you can find standard SAML v2.0-related XML schema definitions at
http://docs.oasis-open.org/security/saml/v2.0/.
Fedlets do not support all arbitrary SP configurations. As lightweight service provider components, Fedlets are built to play the SP role in web single sign-on and single logout, to perform attribute queries and XACML policy decision requests, and to work with multiple IDPs including circles of trust with an IDP discovery service. For a list of what Fedlets support, see the table Fedlet Support for SAML v2.0 Features.
When preparing a standard SP metadata file, follow these suggestions.
-
Start either with an existing example or with the template file,
conf/sp.xml-template
. -
When using the template, replace the following placeholders.
FEDLET_ENTITY_ID
-
The Fedlet entity ID used when communicating with the IDP.
AM often uses the deployment URL as the entity ID, though that is a convention rather than a requirement.
FEDLET_PROTOCOL
-
The Fedlet deployment protocol (
http
,https
) FEDLET_HOST
-
The Fedlet deployment host name
FEDLET_PORT
-
The Fedlet deployment port number
FEDLET_DEPLOY_URI
-
The Fedlet application deployment path
-
Add and edit role elements as children depending on the roles the Fedlet plays as described in the following sections.
Single Sign-On and Logout: SPSSODescriptor Element
Add an SPSSODescriptor
element to play the SP role in web single sign-on and logout.
An SPSSODescriptor
element has attributes specifying
whether requests and assertion responses should be digitally signed.
-
The
AuthnRequestsSigned
attribute indicates whether the Fedlet signs authentication requests.If you set the
AuthnRequestsSigned
attribute to true, then you must also configure theSPSSODescriptor
element to allow the Fedlet to sign requests. For details see the section on Enable signing and encryption in a Fedlet. -
The
WantAssertionsSigned
attribute indicates whether the Fedlet requests signed assertion responses from the IDP.
An SPSSODescriptor
element’s children indicate what name ID formats the Fedlet supports,
and where the IDP can call the following services on the Fedlet.
-
The
AssertionConsumerService
elements specify endpoints that support the SAML Authentication Request protocols.You must specify at least one of these. The template specifies two, with the endpoint supporting the HTTP POST binding as the default.
-
The optional
SingleLogoutService
elements specify endpoints that support the SAML Single Logout protocols.
Service Provider Extended XML
This section covers the configuration in the sp-extended.xml
file.
The extended metadata are specific to the AM implementation of SAML v2.0.
The extended metadata file describes an EntityConfig
element,
defined by the namespace with the identifier urn:sun:fm:SAML:2.0:entityconfig
.
The XML schema definition is described in the entity-config-schema.xsd
file,
available as part of the AM source code, though not included with the unconfigured Fedlet.
The unconfigured Fedlet does include a template file, conf/sp-extended.xml-template
.
This extended metadata template for the IDP requires that you edit at least the FEDLET_ENTITY_ID
placeholder value,
the appLogoutUrl
attribute value in the SPSSOConfig
element, and the fedletcot
values.
The FEDLET_ENTITY_ID
value must reflect the SP entity ID used in the standard metadata.
For the single logout profile, the appLogoutUrl
attribute value must match the Fedlet URL based on the values
used in the FederationConfig.properties
file.
The fedletcot
values must correspond to the circle of trust name defined in the fedlet.cot
file.
The hosted
attribute on the EntityConfig
element must remain set to hosted="1"
,
meaning that the SP is hosted (local to the Fedlet).
If you provide a copy of the file to your IDP running AM, however,
then set hosted="0"
for the IDP, as the Fedlet is remote to the IDP.
The extended metadata file is essentially a series of XML maps of key-value pairs
specifying IDP configuration for each role.
All role-level elements can take a metaAlias
attribute that the Fedlet uses when communicating with the IDP.
Each child element of a role element defines an Attribute
whose name
is the key.
Each Attribute
element can contain multiple Value
elements.
The Value
elements' contents comprise the values for the key.
All values are strings, sometimes with a format that is meaningful to the Fedlet.
The basic example in the SP template shows the configuration options, documented in the following lists.
Service Provider Extended XML: SPSSOConfig Settings
This section covers elements for the SP single sign-on role, arranged in the order they appear in the template.
description
-
Human-readable description of the Fedlet in the SP single sign-on role
signingCertAlias
-
Alias of the public key certificate for the key pair used when signing messages to the IDP
The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.
encryptionCertAlias
-
Alias of the public key certificate for the key pair used when encrypting messages to the IDP
The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.
basicAuthOn
-
Set this to true to use HTTP Basic authorization with the IDP.
Default: false
basicAuthUser
-
When using HTTP Basic authorization with the IDP, this value is the username.
basicAuthPassword
-
When using HTTP Basic authorization with the IDP, this value is the password.
Encrypt the password using the
encode.jsp
page of your test copy of AM that you might also have used to encode keystore passwords as described in Public and private key settings. autofedEnabled
-
Set to
true
to enable automatic federation with AM, based on the value of a profile attribute common to user profiles in AM and in the Fedlet’s context.Default: false
autofedAttribute
-
If you enable automatic federation, set this property to the name of the user profile attribute used for automatic federation.
transientUser
-
Use this effective identity for users with transient identifiers.
Default: anonymous
spAdapter
-
Class name for a plugin service provider adapter
This class must extend
com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter
. spAdapterEnv
-
When using a plugin service provider adapter, this attribute’s values optionally take a map of settings
key=value
used to initialize the plugin. fedletAdapter
-
Class name for an alternate fedlet adapter. Default is an empty value.
fedletAdapterEnv
-
When using an alternate fedlet adapter, this attribute’s values optionally take a map of settings
key=value
used to initialize the plugin. spAccountMapper
-
Class name for an implementation mapping SAML protocol objects to local user profiles
Default:
com.sun.identity.saml2.plugins.DefaultLibrarySPAccountMapper
spAttributeMapper
-
Class name for an implementation mapping SAML assertion attributes to local user profile attributes
Default:
com.sun.identity.saml2.plugins.DefaultSPAttributeMapper
spAuthncontextMapper
-
Class name for an implementation determining the authentication context to set in an authentication request, and mapping the authentication context to an authentication level
Default:
com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper
spAuthncontextClassrefMapping
-
String defining how the SAML authentication context classes map to authentication levels and indicate the default context class
Format:
authnContextClass|authLevel[|default]
Default:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0|default
spAuthncontextComparisonType
-
How to evaluate authentication context class identifiers.
exact
-
Assertion context must exactly match a context in the list
minimum
-
Assertion context must be at least as strong as a context in the list
maximum
-
Assertion context must be no stronger than a context in the list
better
-
Assertion context must be stronger than all contexts in the list
Default:
exact
attributeMap
-
Map of SAML assertion attributes to local user profile attributes
Default:
*=*
saml2AuthModuleName
-
Name of an alternative SAML v2.0 authentication module
localAuthURL
-
URL to a login page on the Fedlet side
Use this to override the Assertion Consumer Service URL from the standard metadata when consuming assertions.
intermediateUrl
-
URL to an intermediate page returned before the user accesses the final protected resource
defaultRelayState
-
If no RelayState is specified in a SAML request, redirect to this URL after successful single sign-on.
URL-encode the
defaultRelayState
value. appLogoutUrl
-
One or more Fedlet URLs that initiate single logout
Replace the placeholders in the default with the values for your Fedlet.
Default:
FEDLET_PROTOCOL://FEDLET_HOST:FEDLET_PORT/FEDLET_DEPLOY_URI/logout
assertionTimeSkew
-
Tolerate clock skew between the Fedlet and the IDP of at most this number of seconds
Default: 300
wantAttributeEncrypted
-
Set to true to request that the IDP encrypt attributes in the response
wantAssertionEncrypted
-
Set to true to request that the IDP encrypt the SAML assertion in the response
wantNameIDEncrypted
-
Set to true to request that the IDP encrypt the name ID in the response
wantPOSTResponseSigned
-
Set to true to request that the IDP sign the response when using HTTP POST
wantArtifactResponseSigned
-
Set to true to request that the IDP sign the response when using HTTP Artifact
wantLogoutRequestSigned
-
Set to true to request that the IDP sign single logout requests
wantLogoutResponseSigned
-
Set to true to request that the IDP sign single logout responses
wantMNIRequestSigned
-
Set to true to request that the IDP manage name ID requests
wantMNIResponseSigned
-
Set to true to request that the IDP manage name ID responses
cotlist
-
Set this to the circle of trust name used in Configure circles of trust.
Default:
fedletcot
saeAppSecretList
-
When using Secure Attribute Exchange with AM this represents the Application Security Configuration settings.
Values take the format
url=FedletURL|type=symmetric|secret=EncodedSharedSecret[|encryptionalgorithm=EncAlg|encryptionkeystrength=EncStrength]
orurl=FedletURL|type=asymmetric|privatekeyalias=FedletSigningCertAlias[|encryptionalgorithm=EncAlg|encryptionkeystrength=EncStrength|pubkeyalias=FedletPublicKeyAlias]
You can omit the
privatekeyalias
setting if the signing certifcate is specified in the standard metadata. saeSPUrl
-
When using Secure Attribute Exchange (SAE) with AM this is the Fedlet URL that handles SAE requests. If this is omitted, then SAE is not enabled.
saeSPLogoutUrl
-
When using Secure Attribute Exchange with AM this is the Fedlet URL that handles SAE global logout requests.
ECPRequestIDPListFinderImpl
-
When using the Enhanced Client and Proxy profile this is the class name for the implementation that returns a list of preferred IDPs trusted by the ECP.
Default:
com.sun.identity.saml2.plugins.ECPIDPFinder
ECPRequestIDPList
-
When using the Enhanced Client and Proxy profile this is the list of IDPs for the ECP to contact.
When not specified the list finder implementation is used.
enableIDPProxy
-
Set this to true to enable IDP proxy functionality.
Default: false
idpProxyList
-
A list of preferred IDPs that the Fedlet can proxy to
idpProxyCount
-
Number of IDP proxies that the Fedlet can have
Default: 0
useIntroductionForIDPProxy
-
Set this to true to pick a preferred IDP based on a SAML v2.0 introduction cookie.
Default: false
Service Provider Extended XML: AttributeQueryConfig Settings
This section covers elements for the Attribute Requester role, arranged in the order they appear in the template.
signingCertAlias
-
Alias of the public key certificate for the key pair used when signing messages to the IDP
The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.
encryptionCertAlias
-
Alias of the public key certificate for the key pair used when encrypting messages to the IDP
The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.
wantNameIDEncrypted
-
Set to true to request that the IDP encrypt the name ID
cotlist
-
Set this to the circle of trust name used in Configure circles of trust.
Default:
fedletcot
Service Provider Extended XML: XACMLAuthzDecisionQueryConfig Settings
This section covers elements for the XACML decision requester role, enabling the Fedlet to act as a Policy Enforcement Point, arranged in the order they appear in the template.
signingCertAlias
-
Alias of the public key certificate for the key pair used when signing messages to the IDP
The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.
encryptionCertAlias
-
Alias of the public key certificate for the key pair used when encrypting messages to the IDP
The key pair is found in the Fedlet’s keystore, and the certificate is included in the standard metadata. See Public and private key settings for details on how to specify access to the keystore, and Service provider standard XML for details on how to set up standard metadata.
basicAuthOn
-
Set to true to use HTTP Basic authorization when contacting the Policy Decision Provider
Default: false
basicAuthUser
-
When using Basic authorization to contact the Policy Decision Provider, use this value as the username
basicAuthPassword
-
When using Basic authorization to contact the Policy Decision Provider, use this value as the password
Encrypt the password using the
encode.jsp
page of your test copy of AM that you might also have used to encode keystore passwords as described in Public and private key settings. wantXACMLAuthzDecisionResponseSigned
-
Set this to true to request that the Policy Decision Provider sign the XACML response
wantAssertionEncrypted
-
Set this to true to request that the Policy Decision Provider encrypt the SAML assertion response
cotlist
-
Set this to the circle of trust name used in Configure circles of trust.
Default:
fedletcot