The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPSAML2SSOProfileConfig

Relying Party SAML 2 SSO Profile Configuration

This profile configuration enables and configures the SAML 2 SSO profile.

Basic Configuration

This profile is configured by adding the <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" /> element to a RelyingParty definition. This element supports the following basic attributes:

  • includeAttributeStatement - (optional) a boolean flag indicating whether to include an attribute statement in addition to the authentication statement, defaults to true
Example SAML2 SSO Profile Configuration

<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />

Example SAML2 SSO Profile Configuration Overriding some Defaults

<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                      signAssertions="always"
                      includeAttributeStatement="true"/>

Advanced Configuration

The SAML2 SSO profile configuration supports the following advanced configuration attributes:

  • outboundArtifactType - Default artifact type used when sending responses via artifact, defaults to 4
  • maximumSPSessionLifetime - the maximum amount of time, given as an XML duration, that the service provider should maintain a session for the user
  • assertionLifetime - The lifetime, given as an XML duration, for issued assertions, defaults to PT5M (5 minutes)
  • assertionProxyCount - A non-negative integer used to populate the Count attribute in the assertion's ProxyRestriction element, defaults to 0
  • includeConditionsNotBefore - (V2.4.0+) Include a NotBefore timestamp in the assertions' validity conditions, defaults to true
  • skipEndpointValidationWhenSigned - (V2.4.0+) allows the IdP to skip the requirement that the response endpoint be registered in the SP's metadata when the SAML request is signed by the SP, defaults to false
  • signResponses - see Configuring XML Signature and Encryption
  • signAssertions - see Configuring XML Signature and Encryption
  • signRequests - see Configuring XML Signature and Encryption
  • encryptAssertions - see Configuring XML Signature and Encryption
  • encryptNameIds - see Configuring XML Signature and Encryption

In addition, the SAML 2 SSO profile configuration element supports two child elements.

  • <Audience>, whose content is used to populate the <Audience> elements of the <AudienceRestriction> condition element. This element may appear any number of times, one for each audience.
  • <ProxyAudience>, whose content is used to populate the <Audience> elements of the <ProxyRestriction> condition element. This element may appear any number of times, one for each audience.
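The following is an added example, not taken from the original page or the Shibboleth project, showing how the advanced attributes and both child elements above fit together in a single profile configuration inside a RelyingParty override. The RelyingParty wrapper with its id, provider and defaultSigningCredentialRef values, the entity IDs and the PT8H session lifetime are assumed placeholders; the signing/encryption values "always" and "conditional" come from the signature and encryption configuration this page refers to.

```xml
<!-- Added example (not from the original page). The RelyingParty wrapper,
     its id/provider/credential values and all entity IDs are assumed
     placeholders; element names and prefixes follow the page's own usage. -->
<RelyingParty id="https://sp.example.org/shibboleth"
              provider="https://idp.example.org/idp/shibboleth"
              defaultSigningCredentialRef="IdPCredential">

    <ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                          signResponses="conditional"
                          signAssertions="always"
                          encryptAssertions="conditional"
                          includeAttributeStatement="true"
                          assertionLifetime="PT5M"
                          maximumSPSessionLifetime="PT8H"
                          includeConditionsNotBefore="true"
                          skipEndpointValidationWhenSigned="false"
                          assertionProxyCount="1">

        <!-- Each <Audience> child becomes one <Audience> element inside the
             assertion's <AudienceRestriction> condition. -->
        <Audience>https://sp.example.org/shibboleth</Audience>
        <Audience>https://sp-alias.example.org/shibboleth</Audience>

        <!-- assertionProxyCount="1" populates ProxyRestriction/@Count; each
             <ProxyAudience> child becomes one <Audience> inside that
             <ProxyRestriction> condition. -->
        <ProxyAudience>https://downstream.example.org/shibboleth</ProxyAudience>

    </ProfileConfiguration>

</RelyingParty>
```

The assertionLifetime, includeConditionsNotBefore and skipEndpointValidationWhenSigned values are the page's defaults, written out explicitly so that a reviewer can see at a glance that endpoint validation against SP metadata is still enforced for this relying party.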