NativeSPRelyingPartySettings
(Exported from Confluence, Thu, 28 Mar 2024)
authType (string) (defaults to "TLS") - Specifies the transport-layer authentication mechanism that is used for back-channel SOAP messages to an IdP. The values permitted are implementation dependent, but may include:
  TLS - client certificate TLS/SSL authentication
  basic - HTTP Basic-Auth (cleartext name/password)
  digest
  ntlm - Microsoft's NTLM authentication
  gss
authUsername (string) - Required for non-TLS and GSS authType values, this is the username to use.
authPassword (string) - Required for non-TLS and GSS authType values, this is the password to use.
signingAlg (URI) (defaults to the specifier for RSA-SHA1) - An XML Signature signature algorithm specifier for signatures produced by the SP.
digestAlg (URI) (defaults to the specifier for SHA1) - An XML Signature digest algorithm specifier for signatures produced by the SP.
encryptionAlg (URI) (defaults to the specifier for RSA-OAEP-SHA1) - An XML Encryption key wrap/transport algorithm specifier for encryption performed by the SP. The actual symmetric encryption algorithm will be derived from it.
keyName (string) - Specifies a particular credential to use for signing or TLS authentication by attaching a name to the lookup criteria passed to the credential resolver in use. Typically the credential resolver will be able to attach names or aliases to credentials in some fashion. For more on using this feature, see the NativeSPMultipleCredentials topic.
artifactEndpointIndex (string) - Identifies which <ArtifactResolutionService> handler at the SP is used when sending artifact-bound messages to the relying party. Endpoints typically include an index attribute to copy here.
chunkedEncoding (boolean) (defaults to false) - Controls the use of chunked encoding during back-channel SOAP communication. HTTP clients sending data must either compute and send a Content-Length header to the server (requiring that all data be buffered ahead of time), or use chunked encoding. A lot of servers mis-handle this option, so it is disabled by default.
connectTimeout (time in seconds) (defaults to 10) - Specifies the timeout for connecting to remote servers during back-channel SOAP communication.
timeout (time in seconds) (defaults to 20) - Specifies the total time to allow for completing back-channel SOAP communication.
requireConfidentiality (boolean) (defaults to true) - When true, the SP will require the use of TLS/SSL for all back-channel SOAP communication. This prevents data from being exchanged unsafely over an unencrypted channel, since XML Encryption depends on the peer's willingness to use it.
requireSignedAssertions (boolean) (defaults to false) - When true, assertions MUST be digitally signed, regardless of any other signatures used to authenticate them. Typically needed only for advanced auditing or assertion forwarding use cases.
requireTransportAuth (boolean) (defaults to true, but see NativeSPSigningEncryption) - When true, the SP will require back-channel SOAP communication to be authenticated at the transport layer (TLS/SSL server authentication). Prior to V2.6, this must be set to false to permit the relying party to authenticate using only message signatures. See the NativeSPSigningEncryption topic for some additional semantics added in V2.6.
Version 2.5 and Above

sessionHook (absolute or relative URL) - Specifies a location to send the client after a session has been created (i.e., after login), but before transferring the client to the eventual final resource. This is normally a relative path to ensure that the session will be visible to the hook script, but it doesn't have to be. A hook can be used to validate something about the session to check its "fitness for purpose" before delivering the client to an application that may not offer sufficient error handling capability to do the job itself. A common example is checking for required attributes. The hook redirect will include two parameters, target and return. The target parameter contains the resource URL that will eventually be the client's destination, in case the hook cares. The return parameter is the location to redirect the client back to upon completion of the hook. The hook MUST either redirect back or take complete ownership of the client with no further processing by the SP.
artifactByFilesystem (boolean) (defaults to false) - Enables the artifact-based "back-door" external authentication mechanism described in NativeSPBackDoor.
Version 2.6 and Above

cipherSuites (OpenSSL cipher expression) (defaults to "ALL:!aNULL:!LOW:!EXPORT:!RC4:!SSLv2") - Directly configures the TLS ciphers to support when making SOAP connections. The default value is historical and has been in place for a few releases, and has been left alone to prevent upgrades from affecting interoperability. A stronger value is now used in the default files distributed with the software, which was derived from Mozilla's tool.
authnContextClassRef (space-delimited list of URIs) - Supplies values for the SAML 2.0 <AuthnContextClassRef> element in requests to applicable IdPs, or for the wauth parameter in WS-Federation requests. Ignored for other protocols.
authnContextComparison ("exact", "minimum", "maximum", "better") - Supplies values for the <RequestedAuthenticationContext> comparison operator in SAML 2.0 requests to applicable IdPs. Ignored for other protocols.
NameIDFormat (URI) - Supplies a value for the <NameIDPolicy> element's Format attribute in SAML 2.0 requests to applicable IdPs. Ignored for other protocols.
SPNameQualifier (URI) - Supplies a value for the <NameIDPolicy> element's SPNameQualifier attribute in SAML 2.0 requests to applicable IdPs. Ignored for other protocols.
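As an added example (not code from the Shibboleth project or this page), a small Python check that applies the security-relevant semantics of the settings above to a constructed shibboleth2.xml fragment. It assumes the settings appear as attributes on <RelyingParty> elements inside <ApplicationDefaults>, with a RelyingParty overriding ApplicationDefaults, which in turn overrides the documented defaults; the sample config, the idp-a/idp-b names and the concrete algorithm URIs are constructed.

```python
"""Check relying-party settings for the weak combinations described on the page.
Added example, not Shibboleth SP code. Assumes <RelyingParty> attributes under
<ApplicationDefaults> in shibboleth2.xml; sample config and URIs are constructed."""
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}
# Documented defaults for the settings this check looks at (URIs assumed).
PAGE_DEFAULTS = {
    "authType": "TLS",
    "requireConfidentiality": "true",
    "requireTransportAuth": "true",
    "signingAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "digestAlg": "http://www.w3.org/2000/09/xmldsig#sha1",
}
# Constructed sample: one hardened relying party, one that weakens the defaults.
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <RelyingParty Name="https://idp-a.example.org/idp"
        signingAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digestAlg="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <RelyingParty Name="https://idp-b.example.org/idp" authType="basic"
        authUsername="sp" authPassword="secret"
        requireConfidentiality="false" requireTransportAuth="false"/>
  </ApplicationDefaults>
</SPConfig>"""

def check_relying_party(s):
    """Return findings for one merged settings dict, per the semantics above."""
    f = []
    if s["requireConfidentiality"].lower() == "false":
        f.append("requireConfidentiality=false: SOAP may run over an unencrypted channel")
        if s["authType"] == "basic":  # Basic-Auth is a cleartext name/password
            f.append("authType=basic: cleartext password may cross that channel")
    if s["requireTransportAuth"].lower() == "false":
        f.append("requireTransportAuth=false: peer authenticated by message signature only")
    if s["signingAlg"].endswith("rsa-sha1"):
        f.append("signingAlg is the SHA-1 default; consider RSA-SHA256")
    if s["digestAlg"].endswith("#sha1"):
        f.append("digestAlg is the SHA-1 default; consider SHA-256")
    return f

def lint(xml_text):
    """Map each RelyingParty Name to its findings after merging inherited settings."""
    root = ET.fromstring(xml_text)
    out = {}
    for app in root.findall("c:ApplicationDefaults", NS):
        for rp in app.findall("c:RelyingParty", NS):
            merged = {**PAGE_DEFAULTS, **app.attrib, **rp.attrib}
            out[rp.get("Name")] = check_relying_party(merged)
    return out
```

Running lint(SAMPLE_CONFIG) reports nothing for idp-a and five findings for idp-b, two of which come only from inheriting the documented SHA-1 defaults.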