...
XML element | Use | Description |
---|---|---|
audienceUris | Optional | The values of the list of audience URIs are verified against the element |
certificateStores | Required | The list of keystores (JKS, PEM) includes at least the certificate of the Certificate Authorities (CA) which signed the certificate which is used to sign the SAML token. |
tokenExpirationValidation | Optional | Whether token validation (e.g. of the token lifetime) is performed on every request ("true") or only once at initial authentication ("false"). The default is "false". |
addAuthenticatedRole | Optional | Whether to add the "Authenticated" role to the list of roles associated with the "authenticated" user. This could be useful if you don't care about authorizing the user, only about authentication. A role is required to activate authentication, and it may be problematic to list all relevant roles in web.xml. Note that if the user has no roles, then the "Authenticated" role is added automatically. The default is "false". |
maximumClockSkew | Optional | Maximum allowable time difference between the system clocks of the IDP and the RP. The default is 5 seconds. |
tokenReplayCache | Optional | The ReplayCache implementation to use to cache tokens. The default is an implementation based on EHCache. |
signingKey | Optional | If configured, the published (WS-Federation or SAML SSO) Metadata document is signed by this key. Otherwise, not signed. |
tokenDecryptionKey | Optional | A keystore used to decrypt an encrypted token. |
trustedIssuers | Required | There are two ways to configure a trusted issuer (IDP). Either you configure the subject name and the CA(s) who signed the certificate of the IDP ( |
protocol | Required | A protocolType instance that defines the SSO protocol that is supported. Currently supported protocols are "federationProtocolType" and "samlProtocolType". See below for protocol-specific configuration items. |
logoutURL | Optional | User defined logout URL to trigger federated logout process. |
logoutRedirectTo | Optional | URL to landing-page after successful logout. |
logoutRedirectToConstraint | Optional | A regular expression constraint on the 'wreply' parameter, which is used to obtain the URL to navigate to after successful logout. Only applies to WS-Federation protocol. |
requestStateValidation | Optional | Decision on whether the received state must match the state saved in the context. Set it to "false" to support IdP initiated SSO. Only supported for CXF + Spring plugins thus far. The default is "true". |
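As an added example (not part of the Fediz project or this reference), the following check reads a configuration file and flags the settings from the table above that weaken validation or leave trust unconfigured. It assumes the per-application settings sit under a `contextConfig` element with a `name` attribute and that `maximumClockSkew` is given in seconds, as the table states for the default; the sample configuration is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical): one context with deliberately weak choices.
SAMPLE_CONFIG = """<FedizConfig>
  <contextConfig name="/demo">
    <tokenExpirationValidation>false</tokenExpirationValidation>
    <requestStateValidation>false</requestStateValidation>
    <maximumClockSkew>600</maximumClockSkew>
    <trustedIssuers/>
  </contextConfig>
</FedizConfig>"""


def _text(ctx, tag, default):
    """Text of a direct child element, or the documented default if absent."""
    el = ctx.find(tag)
    return el.text.strip() if el is not None and el.text else default


def check_context(ctx, max_skew_seconds=60):
    """Return a list of findings for one contextConfig element."""
    findings = []
    name = ctx.get("name", "?")
    # Defaults follow the reference table: expiration check off, state check on, 5 s skew.
    if _text(ctx, "tokenExpirationValidation", "false") != "true":
        findings.append(f"{name}: token lifetime is checked only at initial login (tokenExpirationValidation=false)")
    if _text(ctx, "requestStateValidation", "true") == "false":
        findings.append(f"{name}: request state is not validated on the response (requestStateValidation=false)")
    skew = int(_text(ctx, "maximumClockSkew", "5"))
    if skew > max_skew_seconds:
        findings.append(f"{name}: maximumClockSkew of {skew}s exceeds the {max_skew_seconds}s threshold")
    if ctx.find("certificateStores") is None:
        findings.append(f"{name}: no certificateStores, so the token signature chain cannot be verified")
    issuers = ctx.find("trustedIssuers")
    if issuers is None or len(issuers) == 0:
        findings.append(f"{name}: no trusted issuer (IDP) configured")
    if ctx.find("signingKey") is None:
        findings.append(f"{name}: published metadata will be unsigned (no signingKey)")
    return findings


def check_config(xml_text):
    """Run check_context over every contextConfig in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for ctx in root.iter("contextConfig"):
        findings.extend(check_context(ctx))
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```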
WS-Federation protocol configuration reference
...