
Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <SSO> shorthand element.

The ADFS handler is only available if the adfs.so extension library is loaded by the SP.

Indicated by type="ADFS", this initiator supports Microsoft ADFS authentication requests, a subset of the WS-Federation passive requester profile. As a protocol handler, it requires an entityID to be specified or otherwise known; that entityID is then used to look up metadata for an <md:IDPSSODescriptor> role supporting ADFS. The absence of either causes a warning to be logged and the handler otherwise ignores the request.

A "supporting" IdP's role element has a protocolSupportEnumeration attribute containing the value "http://schemas.xmlsoap.org/ws/2003/07/secext", with an accompanying <md:SingleSignOnService> with a Binding of "http://schemas.xmlsoap.org/ws/2003/07/secext".
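The metadata check described above, as an added example (not Shibboleth SP code): an IdP counts as supporting ADFS only when its <md:IDPSSODescriptor> lists the WS-Federation URI in protocolSupportEnumeration and also carries a <md:SingleSignOnService> with that URI as its Binding. The metadata below is constructed for this example and the IdP entityIDs and locations are assumed.

```python
"""Added example (not Shibboleth SP code): the metadata check the ADFS
SessionInitiator performs before acting. An IdP "supports" ADFS only if its
<md:IDPSSODescriptor> lists the WS-Federation URI in protocolSupportEnumeration
AND carries a <md:SingleSignOnService> whose Binding is that URI. The sample
metadata below is constructed for this example; the IdP names are assumed."""
import logging
import xml.etree.ElementTree as ET
from typing import Optional

log = logging.getLogger("adfs-initiator")

WSFED = "http://schemas.xmlsoap.org/ws/2003/07/secext"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed metadata: the first IdP supports ADFS, the second is SAML 2.0 only,
# and the third advertises the WS-Fed protocol but has no matching endpoint.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://adfs.example.org/adfs/services/trust">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P} {WSFED}">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://adfs.example.org/adfs/ls/"/>
      <md:SingleSignOnService Binding="{WSFED}"
          Location="https://adfs.example.org/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://broken.example.net/adfs">
    <md:IDPSSODescriptor protocolSupportEnumeration="{WSFED}">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://broken.example.net/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def adfs_sso_location(metadata_xml: str, entity_id: Optional[str]) -> Optional[str]:
    """Return the WS-Federation SingleSignOnService Location for entity_id, or
    None (after logging a warning) when the handler would ignore the request."""
    if not entity_id:
        log.warning("ADFS SessionInitiator: no entityID specified or known")
        return None
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        for role in entity.findall("md:IDPSSODescriptor", NS):
            protocols = role.get("protocolSupportEnumeration", "").split()
            if WSFED not in protocols:
                continue
            # Both conditions must hold: the protocol in the enumeration and an
            # endpoint bound to it.
            for sso in role.findall("md:SingleSignOnService", NS):
                if sso.get("Binding") == WSFED and sso.get("Location"):
                    return sso.get("Location")
        log.warning("IdP %s has no IDPSSODescriptor role supporting ADFS", entity_id)
        return None
    log.warning("no metadata found for IdP %s", entity_id)
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for idp in ("https://adfs.example.org/adfs/services/trust",
                "https://idp.example.edu/idp/shibboleth",
                "https://broken.example.net/adfs", None):
        print(idp, "->", adfs_sso_location(SAMPLE_METADATA, idp))
```

The second and third IdPs illustrate the failure mode the text warns about: pointing an ADFS initiator at an IdP whose metadata lacks either the protocol entry or the WS-Federation-bound endpoint produces only a logged warning, and the request is otherwise ignored rather than falling back to SAML.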

Attributes

The following may be specified for all types of SessionInitiator (name, type and default, then description):

type (string; required)
    Plugin type name.

Location (relative path)
    The location of the SessionInitiator (when combined with the base handlerURL). This is the location to redirect to when manually initiating a session using the Initiator protocol (query string).

id (string; optional)
    Identifies a SessionInitiator so that it can be referenced by the requireSessionWith content setting.

isDefault (boolean)
    If true, establishes the default SessionInitiator used implicitly for content protected with the requireSession content setting. If none are labeled, the first is implicitly the default.

entityID (URI)
    If set, establishes an assumed IdP to use for authentication, if none is passed explicitly with a query string parameter or overridden via content settings.

relayState (string)
    Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. Overrides the like-named attribute in the <Sessions> element.

acsIndex (string)
    This matches the index of the <md:AssertionConsumerService> element to use for the return message from the IdP. This setting is optional and best avoided, in favor of letting the software automatically select the first compatible endpoint.

entityIDParam (string)
    Optional, advanced setting for overriding the name of the query string parameter used to select the IdP. Normally "entityID" and "providerId" are the parameter names supported. This is provided to support unusual application requirements.

target (URL)
    Allows the resource to return to after SSO to be "locked" to a specific value, even when running as a result of active protection of other resources. In other words, this value overrides the actual resource location when SSO redirection is automatic, including initial access and after a timeout.

signing (one of conditional, true, false, front, back)
    See Signing&Encryption. Controls outbound signing of XML messages and content, subject to applicability to the protocol involved.

encryption
    See Signing&Encryption. Controls outbound encryption of XML messages and content, subject to applicability to the protocol involved.

externalInput (boolean; default true)
    When false, prevents externally supplied parameters or input from driving the handler. The specific settings this influences vary by handler; by default the full range of supported settings can be supplied from outside the SP, typically using query string parameters or form submission. For particularly sensitive or important options, this setting can be used to block that support. It primarily applies to the "SAML2" handler but may be honored by any handler as it deems appropriate.

Query String Parameters

The following can be provided via the Initiator Protocol.

Common Parameters

The protocol-independent parameters are (name and value type, then description):

entityID (URI)
    The IdP to request authentication from.

target (absolute URL)
    The URL to return the user to after authenticating. If unspecified, the homeURL attribute for the application is used.

acsIndex (string)
    The index value of the <md:AssertionConsumerService> element to instruct the IdP to use in returning an assertion to the SP.

authnContextClassRef (whitespace-delimited URIs)
    Requests that particular authentication context classes be used by the IdP.

Specific Parameters

There are no protocol-specific parameters.
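How the SessionInitiator attributes and the query string parameters above combine, as an added example (not Shibboleth SP code): the configured entityID is only a fallback for an explicit entityID/providerId parameter (or the name given by entityIDParam), a configured target locks the return URL, externalInput="false" discards every externally supplied parameter, and a manual request without a target falls back to homeURL. The shibboleth2.xml fragment, the URLs and the homeURL value are constructed for the example, and the check that a query-string target is an absolute http(s) URL is this example's own validation, not something the page attributes to the SP.

```python
"""Added example (not Shibboleth SP code): a model of how the SessionInitiator
attributes and the Initiator-protocol query-string parameters combine.
Precedence follows the attribute descriptions on this page; the requirement that
a query-string target be an absolute http(s) URL is this example's own check,
and the config fragment, URLs and homeURL value are constructed/assumed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

ASSUMED_HOME_URL = "https://sp.example.org/"  # the application's homeURL (assumed)

# Constructed shibboleth2.xml fragment (configuration namespace omitted).
SAMPLE_INITIATOR = """<SessionInitiator type="ADFS" Location="/ADFS" id="adfs"
    entityID="https://adfs.example.org/adfs/services/trust"
    externalInput="false"/>"""


@dataclass
class InitiatorConfig:
    entity_id: Optional[str] = None        # entityID: assumed IdP
    target: Optional[str] = None           # target: locks the return URL
    acs_index: Optional[str] = None        # acsIndex: preferred ACS endpoint
    entity_id_param: Optional[str] = None  # entityIDParam: custom query name
    external_input: bool = True            # externalInput (default true)
    home_url: str = ASSUMED_HOME_URL


@dataclass
class ResolvedRequest:
    entity_id: Optional[str]
    target: str
    acs_index: Optional[str]
    authn_context: List[str] = field(default_factory=list)


def config_from_xml(fragment: str, home_url: str = ASSUMED_HOME_URL) -> InitiatorConfig:
    """Read the attributes documented above from a <SessionInitiator> element."""
    el = ET.fromstring(fragment)
    if el.get("type") != "ADFS":
        raise ValueError("not an ADFS SessionInitiator")
    return InitiatorConfig(
        entity_id=el.get("entityID"),
        target=el.get("target"),
        acs_index=el.get("acsIndex"),
        entity_id_param=el.get("entityIDParam"),
        external_input=el.get("externalInput", "true").lower() != "false",
        home_url=home_url,
    )


def _absolute_http_url(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def resolve(cfg: InitiatorConfig, query_string: str,
            protected_resource: Optional[str] = None) -> ResolvedRequest:
    """protected_resource is the URL that triggered automatic SSO, or None for
    a manual request to the initiator's Location carrying query parameters."""
    # externalInput="false" discards every externally supplied parameter.
    params: Dict[str, List[str]] = parse_qs(query_string) if cfg.external_input else {}

    def first(name: str) -> Optional[str]:
        values = params.get(name)
        return values[0] if values else None

    # entityID: an explicit query parameter wins; entityIDParam renames it,
    # otherwise both "entityID" and "providerId" are accepted. Fall back to the
    # configured entityID.
    names = [cfg.entity_id_param] if cfg.entity_id_param else ["entityID", "providerId"]
    entity_id = next((first(n) for n in names if first(n)), cfg.entity_id)

    # target: a configured target locks the return URL (treated as absolute
    # here). Automatic redirection otherwise returns to the protected resource;
    # a manual request uses its target parameter, falling back to homeURL.
    if cfg.target:
        target = cfg.target
    elif protected_resource:
        target = protected_resource
    else:
        requested = first("target")
        target = requested if requested and _absolute_http_url(requested) else cfg.home_url

    acs_index = first("acsIndex") or cfg.acs_index
    authn_context = (first("authnContextClassRef") or "").split()
    return ResolvedRequest(entity_id, target, acs_index, authn_context)
```

With SAMPLE_INITIATOR, a request to /ADFS?entityID=https://other.example.net is still sent to the configured ADFS IdP, because externalInput="false" makes the handler ignore the parameter; with the default externalInput="true" the same request would select the other IdP, which is the reason to lock entityID and target on initiators exposed to untrusted callers.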
