...

A protocol handler requires that the name of an IdP (that is, its entityID) be supplied to the handler so that its metadata can be obtained to determine whether and where it supports a particular protocol. The entityID can be supplied in a number of ways, including via query string, a hardcoded <SessionInitiator> attribute, or via a content setting applied to the resource.

...

Name (Type, Default)
    Description

type (string, required)
    Plugin type name.

Location (relative path)
    The location of the SessionInitiator (when combined with the base handlerURL). This is the location to redirect to when manually initiating a session using the Initiator protocol (query string).

id (string, optional)
    Identifies a SessionInitiator so that it can be referenced by the requireSessionWith content setting.

isDefault (boolean)
    If true, establishes the default SessionInitiator used implicitly for content protected with the requireSession content setting. If none are labeled, the first is implicitly the default.

entityID (URI)
    If set, establishes an assumed IdP to use for authentication, if none is passed explicitly with a query string parameter or overridden via content settings.

relayState (string)
    Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. Overrides the like-named attribute in the <Sessions> element.

acsIndex (string)
    This matches the index of the <md:AssertionConsumerService> element to use for the return message from the IdP. This setting is optional and best avoided, in favor of letting the software automatically select the first compatible endpoint.

entityIDParam (string)
    Optional, advanced setting for overriding the name of the query string parameter used to override the IdP to use. Normally "entityID" and "providerId" are the parameter names supported. This is provided for supporting unusual application requirements.

target (URL)
    Allows the resources to return to after SSO to be "locked" to a specific value, even when running as a result of active protection of other resources. In other words, this value overrides the actual resource location when SSO redirection is automatic, including initial access and after a timeout.

signing (one of conditional, true, false, front, back)
    See Signing&Encryption. Controls outbound signing of XML messages and content subject to applicability to the protocol involved.

encryption
    See Signing&Encryption. Controls outbound encryption of XML messages and content subject to applicability to the protocol involved.

externalInput (boolean, default true)
    Allows handlers to disallow the use of externally supplied parameters / input to drive them. The specific settings this influences will vary by handler, and by default the full range of settings supported can be supplied from outside the SP, typically using query string parameters or form submission. For particularly sensitive or important options, this setting can be used to block that support. This primarily applies to the "SAML2" handler but may be honored by any handler as it deems appropriate.
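As an added example (not taken from this page or from the Shibboleth project's own configuration files), two SessionInitiator elements inside a <Sessions> element: one that keeps the default externalInput behaviour, so the IdP can be chosen from outside the SP, and one that pins the IdP and ignores external input. The handlerURL value, the Location paths, the id values and the IdP entityID are assumed placeholders.

```xml
<!-- Added example, not from the original page; all paths and entityIDs are placeholders. -->
<Sessions handlerURL="/Shibboleth.sso">

  <!-- Permissive form. externalInput is left at its default of true, so a request such as
       /Shibboleth.sso/Login?entityID=... (or ?providerId=...) can select any IdP present in
       metadata; the entityID attribute below is only the fallback used when nothing is passed. -->
  <SessionInitiator type="SAML2" Location="/Login" id="selectable"
                    entityID="https://idp.example.org/idp/shibboleth"/>

  <!-- Locked-down form. externalInput="false" tells the SAML2 handler to ignore externally
       supplied parameters, so the configured entityID (or a content setting) is the only way
       to pick the IdP. isDefault="true" makes this handler the one used implicitly for content
       protected with requireSession. -->
  <SessionInitiator type="SAML2" Location="/LoginFixed" id="fixed" isDefault="true"
                    entityID="https://idp.example.org/idp/shibboleth"
                    externalInput="false"/>

</Sessions>
```

With both present, content settings can still reference either handler by id through requireSessionWith, which is how the page describes selecting a non-default SessionInitiator for a particular resource.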

...