Ceptor Docs

The plugin is loaded by adding its class to the list of authentication plugins:

<property name="server.authenticationplugins" value="...<existing providers>; dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin" description="The list of authentication plugins (classes) to load"/>

ADFSSamlSSOAuthPlugin Configuration of Identity Providers

The authentication plugin supports a number of configuration entries for each identity provider:




websso.identityProviders
Lists the identity providers available, separated by semicolon.

The following entries all start with websso.idp.<idp>., where <idp> is replaced with the name of the identity provider as configured in websso.identityProviders.


Lists one or more certificates that the SAML token issued by the identity provider can be signed with. Each entry must point to a file containing a certificate in either .cer or .p7b format. A token signed with a certificate not in this list (or not obtained from the federation metadata, see metadataurl below) is rejected.


If true, and the IdP sends a subject, the SAML subject will be used as the user ID by Ceptor.


If configured, and a SAML attribute is sent with this name, then the value of the attribute will be used as userid.


If not empty, the value of the corresponding SAML attribute will be used as user name.


If specified, any values defined for this attribute name will be added as user groups / roles in the Ceptor session for the authenticated user.


Only roles matching this pattern will be added as user groups. Use ? and * as wildcards, | to separate multiple alternatives, and a leading ^ to negate the whole match, e.g. "^Admin|*Administrator*" allows all groups except Admin and any group with Administrator as part of its name.


Pattern matching the attributes from the SAML ticket that will be stored in the session as state variables (same wildcard syntax as above). Attributes with multiple values will be concatenated and stored as a single value, separated by semicolons.


url
URL to ADFS, usually https://<hostname>/adfs/ls/. Allows the login application to redirect the user there and ask for a SAML token wrapped in WS-Federation/WS-Trust.

audience
Audience to place in the SAML response. If not specified, the url property is used by default.

expectedAudiencePattern
When verifying a SAML response from an identity provider, this is the pattern that the audience must match. Wildcards and | are supported to specify multiple valid entries. Keep this as specific as possible: the audience check is what stops a token issued for a different relying party from being accepted by this application.
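The three pattern-driven settings above (the role filter, the state-variable attribute selection and the audience check) all use the same ?/*/|/^ syntax. The block below is an added illustrative reimplementation of that syntax, not Ceptor's own code; the exact semantics (case-sensitive comparison, ^ negating the whole list of alternatives, an empty role pattern meaning no filtering, an empty audience pattern rejecting everything) are assumptions drawn from the documentation text, and the claim names and audiences are constructed sample data.

```python
"""Illustrative reimplementation (not Ceptor's own code) of the wildcard pattern
syntax used by the role, attribute and audience settings: '?' matches one
character, '*' any run of characters, '|' separates alternatives and a leading
'^' negates the whole match. Semantics are assumed from the documentation."""
import re
from typing import Dict, Iterable, List


def _glob_to_regex(glob: str):
    """Translate one '?'/'*' wildcard alternative into a regex. Every other
    character is escaped, so '.' or '[' in a group name or URL stays literal."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    """True if value matches pattern. Comparison is case-sensitive (assumption)."""
    negate = pattern.startswith("^")
    if negate:
        pattern = pattern[1:]
    alternatives = [alt for alt in pattern.split("|") if alt]
    # fullmatch anchors both ends: 'Admin' does not match 'Admins'
    hit = any(_glob_to_regex(alt).fullmatch(value) is not None for alt in alternatives)
    return not hit if negate else hit


def filter_groups(role_pattern: str, roles: Iterable[str]) -> List[str]:
    """Roles from the SAML role attribute that may become Ceptor groups.
    An empty pattern is taken to mean 'no filtering' (assumption)."""
    roles = list(roles)
    if not role_pattern:
        return roles
    return [r for r in roles if matches(role_pattern, r)]


def state_attributes(attr_pattern: str, attributes: Dict[str, List[str]]) -> Dict[str, str]:
    """Attributes whose name matches attr_pattern, multi-valued ones joined
    with ';' as the documentation describes for session state variables."""
    if not attr_pattern:
        return {}
    return {name: ";".join(values)
            for name, values in attributes.items() if matches(attr_pattern, name)}


def audience_ok(expected_audience_pattern: str, audiences: Iterable[str]) -> bool:
    """Audience restriction: at least one Audience in the response must match.
    An empty pattern rejects everything so a missing setting fails closed
    (assumption about safe behaviour, not documented Ceptor behaviour)."""
    if not expected_audience_pattern:
        return False
    return any(matches(expected_audience_pattern, a) for a in audiences)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real ADFS response.
    roles = ["Admin", "Users", "Enterprise Administrators", "Admins"]
    print(filter_groups("^Admin|*Administrator*", roles))
    claims = {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ["alice@example.org"],
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": ["Users", "Admins"],
        "email": ["alice@example.org"],
    }
    print(state_attributes("*/claims/role|email", claims))
    print(audience_ok("https://portal.example.org/*", ["https://portal.example.org/sso"]))
```

Note that the trailing slash in an audience pattern such as https://portal.example.org/* matters: without it, https://portal.example.org.attacker.example would also match.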


Display name for this Identity Provider – can be used by login application to let user select which identity provider to use, if that is required.


Identifier to specify on the redirect URL to the IdP. It identifies this particular application as the Relying Party and must match the relying party trust configured in ADFS.


Can be used by the login application to automatically select an identity provider to use based on the source IP address of the client.


List of files containing valid CA/SSL server certificates, if the default trusted cacerts list in the JRE is not enough.


Set to false to disable verification of the SSL server certificate. Leave this at true outside test environments: with verification disabled, anything able to intercept the connection to the IdP or to the metadataurl can serve its own federation metadata and signing certificates.


Set to false to disable hostname verification – if true, hostname must match the name in the certificate.

metadataurl
The URL to fetch federation metadata from. The list of accepted signing certificates is then retrieved from this URL.

encryptioncertificate
Specify a certificate to be used for encryption. If the metadata contains an encryption certificate, that certificate will be used.


Name of the keystore JCE provider, default is "BC".

keystore.type
Keystore type, default is "PKCS12".

keystore.file
Keystore filename. The keystore must contain both the private key to use when signing the SAML request, and the certificate to include in it.

keystore.password
Keystore password. Can optionally be encrypted.

keystore.privkeyalias
Alias name of the private key, or blank to use the first private key found in the keystore.

keystore.certalias
Alias name of the certificate, or blank to use the first available certificate found in the keystore.

sp_metadata_XML_Template for service provider metadata
samlrequest_XML_Template for SAML request
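The following is an added example of how the named entries above fit together for a single identity provider, written in the same <property .../> form the page uses for server.authenticationplugins. It is not taken from the Ceptor documentation: the identity provider name "adfs", all hostnames, paths and aliases are placeholders, and it assumes the keystore.* entries take the websso.idp.<idp>. prefix like the other per-provider settings. Entries whose property names are not given on this page (signing certificate files, display name, relying party identifier, SSL verification switches) are omitted rather than guessed.

```xml
<!-- Added configuration example, not from the Ceptor documentation. -->
<property name="server.authenticationplugins"
          value="...<existing providers>; dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin"
          description="The list of authentication plugins (classes) to load"/>

<!-- One identity provider, named "adfs"; more can be listed separated by ';' -->
<property name="websso.identityProviders" value="adfs"
          description="Identity providers available, separated by semicolon"/>

<!-- Where the login application redirects to obtain a SAML token -->
<property name="websso.idp.adfs.url" value="https://adfs.example.org/adfs/ls/"
          description="URL to ADFS"/>

<!-- Audience placed in the request; defaults to the url property if omitted -->
<property name="websso.idp.adfs.audience" value="https://portal.example.org/"
          description="Audience to place in SAML response"/>

<!-- Weak setting (accepts tokens issued for any relying party):
     <property name="websso.idp.adfs.expectedAudiencePattern" value="*" .../>
     Corrected: anchor the pattern to this application, trailing slash included -->
<property name="websso.idp.adfs.expectedAudiencePattern"
          value="https://portal.example.org/*|urn:example:portal"
          description="Pattern the audience of an incoming SAML response must match"/>

<!-- Signing certificates are taken from the federation metadata; the path is
     the standard ADFS metadata location, the hostname is a placeholder -->
<property name="websso.idp.adfs.metadataurl"
          value="https://adfs.example.org/FederationMetadata/2007-06/FederationMetadata.xml"
          description="URL to fetch federation metadata from"/>

<!-- Keystore holding this service provider's signing key and certificate
     (prefixing these with websso.idp.adfs. is an assumption) -->
<property name="websso.idp.adfs.keystore.type" value="PKCS12"
          description="Keystore type"/>
<property name="websso.idp.adfs.keystore.file" value="/etc/ceptor/sp-signing.p12"
          description="Keystore file with signing key and certificate"/>
<property name="websso.idp.adfs.keystore.password" value="<encrypted or plain password>"
          description="Keystore password, optionally encrypted"/>
<property name="websso.idp.adfs.keystore.privkeyalias" value="sp-signing"
          description="Alias of the private key, blank for the first one found"/>
<property name="websso.idp.adfs.keystore.certalias" value="sp-signing"
          description="Alias of the certificate, blank for the first one found"/>
```

When metadataurl is configured, the certificates the plugin trusts for token signatures come from that document, so the metadata connection must keep SSL server-certificate and hostname verification enabled; otherwise the audience pattern is the only check left between a forged token and a session.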