Profile Defaults

Without stepping fully into the SecurityConfiguration topic, the following defaults are used when enabling individual profiles. In addition, a "security policy" flow appropriate to the profile is enabled during request processing to enforce the corresponding security guarantees.

  • All SAML Profiles

    • includeConditionsNotBefore = true

    • assertionLifetime = PT5M

    • signedRequests = false

    • signAssertions = false

  • Shibboleth.SSO

    • includeAttributeStatement = false

    • signResponses = true

    • use of type 1 SAML artifacts where required

  • SAML1.AttributeQuery and SAML1.ArtifactResolution

    • signResponses = true if TLS isn't used or port 443 is used

  • SAML2.SSO and SAML2.ECP

    • includeAttributeStatement = true

    • skipEndpointValidationWhenSigned = false

    • maximumSPSessionLifetime = 0

    • signResponses = true

    • encryptAssertions = true

    • encryptNameIDs = false

    • encryptAttributes = false

    • use of type 4 SAML artifacts where required with an endpoint index of %{idp.artifact.endpointIndex:2}

  • SAML2.Logout

    • signRequests = true on front channel, if TLS isn't used or port 443 is used on back channel

    • signResponses = true on front channel, if TLS isn't used or port 443 is used on back channel

    • encryptNameIDs = true on front channel, if TLS isn't used or port 443 is used on back channel

    • use of type 4 SAML artifacts where required with an endpoint index of %{idp.artifact.endpointIndex:2}

  • SAML2.AttributeQuery and SAML2.ArtifactResolution

    • signResponses = true if TLS isn't used or port 443 is used

    • encryptAssertions = true if TLS isn't used or port 443 is used
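As an added example (not part of this page or the IdP distribution), the fragment below shows how these defaults map onto the IdP v3 relying-party.xml syntax: the default relying party spells out the SAML2.SSO values listed above, and a per-SP override relaxes assertion encryption for one partner while enabling assertion signing in compensation. The bean ids and parents follow the IdP convention; the SP entityID is constructed.

```xml
<!-- Added example: relying-party.xml fragment (IdP v3 Spring format).
     Bean ids/parents are the IdP convention; the entityID is constructed. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Default relying party. These values equal the built-in SAML2.SSO
         defaults, so this bean behaves like <ref bean="SAML2.SSO"/>; writing
         them out documents the posture and pins it against future changes. -->
    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:includeConditionsNotBefore="true"
                      p:assertionLifetime="PT5M"
                      p:signAssertions="false"
                      p:signResponses="true"
                      p:includeAttributeStatement="true"
                      p:skipEndpointValidationWhenSigned="false"
                      p:encryptAssertions="true"
                      p:encryptNameIDs="false"
                      p:encryptAttributes="false" />
                <ref bean="SAML2.Logout" />
            </list>
        </property>
    </bean>

    <!-- Per-SP override: one partner cannot decrypt, so assertion encryption
         is disabled for that entityID only and assertion signing is enabled so
         the assertion still carries its own integrity protection. Keep such
         relaxations scoped by name; never apply them to the default RP. -->
    <util:list id="shibboleth.RelyingPartyOverrides">
        <bean parent="RelyingPartyByName"
              c:relyingPartyIds="https://sp.example.org/shibboleth">
            <property name="profileConfigurations">
                <list>
                    <bean parent="SAML2.SSO"
                          p:encryptAssertions="false"
                          p:signAssertions="true" />
                </list>
            </property>
        </bean>
    </util:list>
</beans>
```

Settings not listed on an override bean fall back to the profile defaults above, so only the properties you intend to change need to appear.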

...