Server Template: Configuration: Federation Services: SAML 2.0 Service Provider
Use this page to configure the SAML 2.0 service provider properties for this server template.
Configuration Options
| Name | Description |
|---|---|
| Enabled | Specifies whether the local site is enabled for the Service Provider role. This attribute must be enabled in order to publish the metadata file. MBean Attribute: `SingleSignOnServicesMBean.ServiceProviderEnabled` |
| Always Sign Authentication Requests | Specifies whether authentication requests must be signed. If set, all outgoing authentication requests are signed. MBean Attribute: `SingleSignOnServicesMBean.SignAuthnRequests` |
| Force Authentication | Specifies whether the Identity Provider must authenticate users directly and not use a previous security context. The default is `false`. Note the following: If the user is already authenticated at the Identity Provider site and `ForceAuthn` is set to `true`, the user is forced to authenticate again at the Identity Provider site. Setting both `ForceAuthn` and `IsPassive` to `true` -- that is, Force Authentication and Passive are enabled -- is an invalid configuration that causes WebLogic Server to generate an exception and also causes the single sign-on session to fail. MBean Attribute: `SingleSignOnServicesMBean.ForceAuthn` |
| Passive | Determines whether the Identity Provider and the user must not take control of the user interface from the requester and interact with the user in a noticeable fashion. The default setting is `false`. The WebLogic Server SAML 2.0 services generate an exception if Passive (`IsPassive`) is enabled and the end user is not already authenticated at the Identity Provider site. In this situation, web single sign-on fails. MBean Attribute: `SingleSignOnServicesMBean.Passive` |
| Only Accept Signed Assertions | Specifies whether incoming SAML 2.0 assertions must be signed. MBean Attribute: `SingleSignOnServicesMBean.WantAssertionsSigned` |
| Authentication Request Cache Size | The maximum size of the authentication request cache. This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider. Specify '0' to indicate that the cache is unbounded. MBean Attribute: `SingleSignOnServicesMBean.AuthnRequestMaxCacheSize` |
| Authentication Request Cache Timeout | The maximum timeout (in seconds) of `<AuthnRequest>` documents stored in the local cache. This cache stores documents issued by the local Service Provider that are awaiting response from a partner Identity Provider. Documents that reach this maximum timeout duration are expired from the local cache even if no response is received from the Identity Provider. If a response is subsequently returned by the Identity Provider, the cache behaves as if the `<AuthnRequest>` had never been generated. MBean Attribute: `SingleSignOnServicesMBean.AuthnRequestTimeout` |
| POST One Use Check Enabled | Specifies whether the POST one-use check is enabled. If set, the local site POST binding endpoints will store identifiers of all inbound documents to ensure that those documents are not presented more than once. MBean Attribute: `SingleSignOnServicesMBean.POSTOneUseCheckEnabled` |
| POST Binding Enabled | Specifies whether the POST binding is enabled for the Service Provider. MBean Attribute: `SingleSignOnServicesMBean.ServiceProviderPOSTBindingEnabled` |
| Artifact Binding Enabled | Specifies whether the Artifact binding is enabled for the Service Provider. MBean Attribute: `SingleSignOnServicesMBean.ServiceProviderArtifactBindingEnabled` |
| Preferred Binding | Specifies the preferred binding type for endpoints of Service Provider services. Must be set to "None", "POST", or "Artifact". MBean Attribute: `SingleSignOnServicesMBean.ServiceProviderPreferredBinding` |
| Default URL | The Service Provider's default URL. When an unsolicited SSO response arrives at the Service Provider without an accompanying target URL, the user (if authenticated) is redirected to this default URL. MBean Attribute: `SingleSignOnServicesMBean.DefaultURL` |
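
A configuration lint for the options described above, as an added example that is not Oracle's code or part of the original page: it flags the documented invalid `ForceAuthn`/`Passive` combination, a preferred binding outside the allowed values, and settings that weaken signature and replay checks. The dictionary input keyed by MBean attribute name, the severity labels, and the preferred-binding consistency check are assumptions of this example.

```python
# Added example: lints SAML 2.0 Service Provider settings described on this page.
# Keys are SingleSignOnServicesMBean attribute names; the dict input format and
# the severity labels are assumptions of this example, not WebLogic output.
VALID_BINDINGS = ("None", "POST", "Artifact")

def audit_sp_config(cfg):
    """Return (severity, attribute, message) findings for one SP configuration."""
    findings = []
    # Documented invalid combination: WebLogic raises an exception and SSO fails.
    if cfg.get("ForceAuthn") and cfg.get("Passive"):
        findings.append(("error", "ForceAuthn", "ForceAuthn and Passive are both true"))
    pref = cfg.get("ServiceProviderPreferredBinding", "None")
    enabled = {"POST": cfg.get("ServiceProviderPOSTBindingEnabled"),
               "Artifact": cfg.get("ServiceProviderArtifactBindingEnabled")}
    if pref not in VALID_BINDINGS:
        findings.append(("error", "ServiceProviderPreferredBinding",
                         "must be None, POST or Artifact, got %r" % (pref,)))
    elif pref != "None" and not enabled[pref]:
        # Consistency check chosen for this example (not stated on the page).
        findings.append(("warn", "ServiceProviderPreferredBinding",
                         "preferred binding %s is not enabled" % pref))
    if not cfg.get("WantAssertionsSigned"):
        findings.append(("warn", "WantAssertionsSigned", "unsigned assertions are accepted"))
    if enabled["POST"] and not cfg.get("POSTOneUseCheckEnabled"):
        findings.append(("warn", "POSTOneUseCheckEnabled",
                         "inbound POST documents can be presented more than once"))
    if cfg.get("AuthnRequestMaxCacheSize") == 0:
        findings.append(("warn", "AuthnRequestMaxCacheSize", "0 leaves the request cache unbounded"))
    if not cfg.get("SignAuthnRequests"):
        findings.append(("info", "SignAuthnRequests", "outgoing authentication requests are unsigned"))
    return findings

# Constructed sample configurations, not taken from a real domain.
HARDENED = {"ForceAuthn": False, "Passive": False, "SignAuthnRequests": True,
            "WantAssertionsSigned": True, "POSTOneUseCheckEnabled": True,
            "ServiceProviderPOSTBindingEnabled": True,
            "ServiceProviderArtifactBindingEnabled": False,
            "ServiceProviderPreferredBinding": "POST", "AuthnRequestMaxCacheSize": 10000}
WEAK = dict(HARDENED, ForceAuthn=True, Passive=True, SignAuthnRequests=False,
            WantAssertionsSigned=False, POSTOneUseCheckEnabled=False,
            ServiceProviderPreferredBinding="Artifact", AuthnRequestMaxCacheSize=0)

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name)
        for severity, attr, msg in audit_sp_config(cfg):
            print("  [%s] %s: %s" % (severity, attr, msg))
```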