...
| Name | Type | Default | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| string | For name-based matching, this is the value used to match against the IdP's | |||||||||||
type type | string | For extensible matching, specifies the type of EntityMatcher to use. Refer to the associated documentation for additional required content. | |||||||||||
entityID entityID | URI | Overrides the unique identifier used by the SP to identify itself when communicating with matching relying parties. Normally an SP should be able to use a single name in all its dealings, but this can provide some help when dealing with externally imposed limitations. Again, this is not the IdP's name, but the SP's name. | |||||||||||
authType | See Description | TLS | Specifies the transport-layer authentication mechanism that is used for back-channel SOAP messages to an IdP. The values permitted are implementation dependent, but may include:
| ||||||||||
authUsername | string | Required for non-TLS and GSS | |||||||||||
authPassword authPassword | string | Required for non-TLS and GSS authType values, this is the password to use | |||||||||||
signing signing | Controls outbound signing of XML messages. . See Signing&Encryption | ||||||||||||
signingAlg | URI | specifier for RSA-SHA1 | An XML Signature signature algorithm specifier for signatures produced by the SP. | ||||||||||
digestAlg digestAlg | URI | specifier for SHA1 | An XML Signature digest algorithm specifier for signatures produced by the SP. | ||||||||||
encryption encryption | Controls outbound encryption of XML messages and content. See Signing&Encryption | ||||||||||||
encryptionAlg encryptionAlg | URI | specifier for RSA-OAEP-SHA1 | An XML Encryption key wrap/transport algorithm specifier for encryption performed by the SP. The actual symmetric encryption algorithm will be derived from it. | ||||||||||
keyName | string | Specifies a particular credential to use for signing or TLS authentication by attaching a name to the lookup criteria passed to the credential resolver in use. Typically the credential resolver will be able to attach names or aliases to credentials in some fashion. For more on using this feature, see the Multiple Credentials topic. | |||||||||||
artifactEndpointIndex | string | Identifies which | |||||||||||
chunkedEncoding | boolean | false | Controls the use of chunked encoding during back-channel SOAP communication. HTTP clients sending data must either compute and send a Content-Length header to the server (requiring that all data be buffered ahead of time), or use chunked encoding. A lot of servers mis-handle this option, so it is disabled by default. | ||||||||||
connectTimeout | time in seconds | 10 | Specifies the timeout for connecting to remote servers during back-channel SOAP communication. | ||||||||||
timeout | time in seconds | 20 | Specifies the total time to allow for completing back-channel SOAP communication. | ||||||||||
requireConfidentiality | boolean | true | When true, the SP will require the use of TLS/SSL for all back-channel SOAP communication. This prevents an unsafe exchange of data before an unencrypted channel might be used, since XML encryption depends on the peer's willingness to use it. | ||||||||||
requireSignedAssertions | boolean | false | When true, assertions MUST be digitally signed, regardless of any other signatures used to authenticate them. Typically needed only for advanced auditing or assertion forwarding use cases. | ||||||||||
requireTransportAuth | boolean | true but look here | When true, the SP will require back-channel SOAP communication to be authenticated at the transport layer (TLS/SSL server authentication). See the this topic for additional semantics | ||||||||||
sessionHook | URL | Specifies a location to send the client after a session has been created (i.e., after login), but before transferring the client to the eventual final resource. This is normally a relative path to ensure that the session will be visible to the hook script, but doesn't have to be. A hook can be used to validate something about the session to check its "fitness for purpose" before delivering the client to an application that may not offer sufficient error handling capability to do the job itself. A common example is checking for required attributes. The hook redirect will include two parameters, The hook MUST either redirect back or take complete ownership of the client with no further processing by the SP. | |||||||||||
artifactByFilesystem | boolean | false | Enables the artifact-based "back-door" external authentication mechanism described in the BackDoor topic. | ||||||||||
cipherSuites | OpenSSL cipher expression | see description | Directly configures the SSL/TLS ciphers to support when making SOAP connections. The default value ( | ||||||||||
authnContextClassRef | space delimited URIs | Supplies values for the SAML 2.0 | |||||||||||
authnContextComparison | "exact", "minimum", "maximum", "better" | Supplies values for the | |||||||||||
NameIDFormat | URI | Supplies a value for the | |||||||||||
SPNameQualifier | URI | Supplies a value for the | |||||||||||
attributeIndex 3.3 | string | Supplied a value for the AttributeConsumingServiceIndex attribute in SAML 2.0 requests to applicable IdPs. Ignored for other protocols. |
Example
The example demonstrates requesting a different format of <NameID> from a particular IdP.
...