...

XML element

Use

Description

audienceUris

Optional

The values in the list of audience URIs are verified against the AudienceRestriction element in the SAML token. If a SAML token contains an audience restriction that is not listed in this collection, the token is refused.

certificateStores

Required

The list of keystores (JKS, PEM) must include at least the certificate of the Certificate Authority (CA) that signed the certificate used to sign the SAML token.
If the file location is not fully qualified, it must be relative to the container home directory.

tokenExpirationValidation

Optional

Decision whether the token validation (e.g. lifetime) shall be performed on every request (true) or only once at initial authentication (false). The default is "false".

addAuthenticatedRole

Optional

Whether to add the "Authenticated" role to the list of roles associated with the "authenticated" user. This could be useful if you don't care about authorizing the user, only about authentication. A role is required to activate authentication, and it may be problematic to list all relevant roles in web.xml. Note that if the user has no roles, then the "Authenticated" role is added automatically. The default is "false".

maximumClockSkew

Optional

Maximum allowable time difference between the system clocks of the IDP and RP. Default 5 seconds.

tokenReplayCache

Optional

The ReplayCache implementation to use to cache tokens. The default is an implementation based on EHCache.

signingKey

Optional

If configured, the published (WS-Federation or SAML SSO) Metadata document is signed by this key. Otherwise, not signed.

tokenDecryptionKey

Optional

A Keystore used to decrypt an encrypted token.

trustedIssuers

Required

There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) that signed the certificate of the IDP (certificateValidation=ChainTrust), or you configure the certificate of the IDP and the CA(s) that signed it (certificateValidation=PeerTrust).

protocol

Required

A protocolType instance that defines the SSO protocol that is supported. Currently supported protocols are "federationProtocolType" and "samlProtocolType". See below for protocol-specific configuration items.

logoutURL

Optional

User-defined logout URL to trigger the federated logout process.

logoutRedirectTo

Optional

URL to landing-page after successful logout.

logoutRedirectToConstraint

Optional

A regular expression constraint on the 'wreply' parameter, which is used to obtain the URL to navigate to after successful logout. Only applies to WS-Federation protocol.

requestStateValidation

Optional

Decision on whether the received state must match the state saved in the context. Set it to "false" to support IdP initiated SSO. Only supported for CXF + Spring plugins thus far. The default is "true".
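As an added illustration of how the audienceUris and maximumClockSkew settings above are applied to a token's Conditions element (this is example code, not the Fediz plugin's own implementation; the assertion, its issuer URL and its audience URI are constructed placeholders):

```python
# Added illustration of the audienceUris / maximumClockSkew checks.
# Not the Fediz plugin's implementation; the assertion below is constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Constructed sample assertion (placeholder issuer and audience values).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed-1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/fediz-idp</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:30:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>urn:example:fedizhelloworld</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(value):
    """Parse the xs:dateTime form SAML uses, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, audience_uris, max_clock_skew_s=5, now=None):
    """Check the Conditions element against the configured audienceUris list
    and maximumClockSkew (seconds, default 5). Returns (accepted, reason)."""
    now = parse_utc(now) if now else datetime.now(timezone.utc)
    skew = timedelta(seconds=max_clock_skew_s)
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Lifetime checks, tolerating the configured skew in either direction.
    if not_before and now + skew < parse_utc(not_before):
        return False, "token not yet valid"
    if not_on_or_after and now - skew >= parse_utc(not_on_or_after):
        return False, "token expired"
    # Any audience the token restricts itself to must be in the configured list.
    for aud in cond.findall("saml:AudienceRestriction/saml:Audience", NS):
        if aud.text not in audience_uris:
            return False, f"audience {aud.text!r} not in audienceUris"
    return True, "ok"


if __name__ == "__main__":
    print(validate_conditions(SAMPLE_ASSERTION, ["urn:example:fedizhelloworld"],
                              now="2024-01-01T12:10:00Z"))
```

The skew is applied symmetrically, so a token whose NotBefore is a few seconds ahead of the RP clock is still accepted within the configured window.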

WS-Federation protocol configuration reference

...