The values of the list of audience URIs are verified against the element
Trusted certificate store
The list of keystores (JKS, PEM) must contain at least the certificate of the Certificate Authority (CA) that signed the certificate used to sign the SAML token.
There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) that signed the certificate of the IDP (
Maximum Clock Skew
Maximum allowable time difference between the system clocks of the IDP and RP.
Token Replay Cache
Key for Signature
If configured, the published (WS-Federation) Metadata document is signed by this key. Otherwise, it is not signed.
A Keystore used to decrypt an encrypted token.
Token Expiration Validation (tokenExpirationValidation, optional)
Whether token validation (e.g. of the lifetime) is performed on every request (true) or only once at initial authentication (false). The default is "false".
This URL defines the location of the IDP to which unauthenticated requests are redirected.
Security realm of the Relying Party / Application. This value is part of the SignIn request as the
The authentication type defines what kind of authentication is required. This information is provided in the SignInRequest to the IDP (parameter
Role Claim URI
Defines the attribute name of the SAML token that contains the roles.
Role Value Delimiter
There are different ways to encode multi-valued attributes in SAML.
The claims required by the Relying Party are listed here. Claims can be optional. If a mandatory claim can't be provided by the IDP, the issuance of the token should fail.
Indicates to the Resource IDP the home realm of the requestor. This may be a URL or an identifier such as urn: or uuid:, depending on the Resource IDP implementation. This value is part of the SignIn request as the
The desired "freshness" of the token from the IdP. This information is provided in the SignInRequest to the IdP (parameter
Request (request, optional, default: NA)
This value is part of the SignIn request as the wreq parameter. It can be used to specify a desired TokenType from the IdP.
Custom Token validator classes can be configured here. The SAML Token validator is enabled by default.
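As an added illustration (not Fediz's own code), the following Python models the Relying Party checks that the settings above drive: audience URI matching, the lifetime check widened by the maximum clock skew, a token replay cache, mandatory claim enforcement, role extraction with a value delimiter, and what tokenExpirationValidation changes for requests after sign-in. All names, URIs, the config layout and the token dict are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed RP settings mirroring the items described above (hypothetical, not Fediz's own format).
SKEW = timedelta(seconds=60)                      # Maximum Clock Skew between IDP and RP clocks
CONFIG = {
    "audience_uris": {"urn:example:rp"},          # Audience URIs accepted by this RP
    "role_uri": "urn:example:claims:role",        # Role Claim URI
    "role_delimiter": ",",                        # Role Value Delimiter
    "required_claims": {"urn:example:claims:upn": False, "urn:example:claims:mail": True},  # False = mandatory
    "token_expiration_validation": False,         # True: re-check the lifetime on every request
}

def make_sample_token(issued_at=datetime(2024, 1, 1, 12, tzinfo=timezone.utc), token_id="_a1", audiences=("urn:example:rp",)):
    """Constructed stand-in for a parsed SAML assertion: a 5-minute token with one delimited role value."""
    return {"id": token_id, "audiences": set(audiences), "not_before": issued_at,
            "not_on_or_after": issued_at + timedelta(minutes=5),
            "attributes": {"urn:example:claims:upn": ["alice@example"], "urn:example:claims:role": ["User,Manager"]}}

class ReplayCache:
    """Token Replay Cache: remembers assertion IDs until the token could no longer be accepted anyway."""
    def __init__(self):
        self._seen = {}
    def check_and_store(self, token_id, keep_until, now):
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # drop entries no token could reuse
        if token_id in self._seen:
            return False
        self._seen[token_id] = keep_until
        return True

def within_lifetime(token, now):
    """NotBefore/NotOnOrAfter check, widened by the clock skew at both ends."""
    return token["not_before"] - SKEW <= now < token["not_on_or_after"] + SKEW

def validate_token(token, cache, now, cfg=CONFIG):
    """Initial validation at sign-in. Returns (ok, reason)."""
    if not token["audiences"] & cfg["audience_uris"]:
        return False, "audience mismatch"
    if not within_lifetime(token, now):
        return False, "token outside lifetime"
    if not cache.check_and_store(token["id"], token["not_on_or_after"] + SKEW, now):
        return False, "replayed token"
    missing = [c for c, opt in cfg["required_claims"].items() if not opt and c not in token["attributes"]]
    return (False, "missing mandatory claim " + missing[0]) if missing else (True, "ok")

def session_still_valid(token, now, cfg=CONFIG):
    """Per-request check: with tokenExpirationValidation=false the sign-in result is trusted for the session."""
    return within_lifetime(token, now) if cfg["token_expiration_validation"] else True

def extract_roles(token, cfg=CONFIG):
    """Roles may arrive as several attribute values or as one value split on the Role Value Delimiter."""
    return [r for v in token["attributes"].get(cfg["role_uri"], []) for r in v.split(cfg["role_delimiter"]) if r]
```

With the default setting a session created from a 5-minute token stays valid long after the token itself has expired; setting token_expiration_validation to True makes each request re-run the lifetime check.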
Attributes resolved at runtime