<property name="server.authenticationplugins" value="...<existing providers>; dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin" description="The list of authentication plugins (classes) to load"/>
ADFSSamlSSOAuthPlugin Configuration of Identity Providers
The authentication plugin supports the following configuration entries for each identity provider:
||Property||Description||
| ||Lists the identity providers available, separated by semicolons.|
| ||Lists one or more certificates that the SAML token issued by the identity provider can be signed with. The entry must point to files containing certificates in either .cer or .p7b format.|
| ||If true, and if a subject is sent by the IdP, the subject will be used as the user ID by Ceptor.|
| ||If configured, and a SAML attribute is sent with this name, the value of that attribute will be used as the user ID.|
| ||If not empty, the value of the corresponding SAML attribute will be used as the user name.|
| ||If specified, any values defined for this attribute name will be added as user groups / roles in the Ceptor session for the authenticated user.|
| ||Only roles matching this pattern will be added as user groups. Use ? and * as wildcards, | to separate multiple matches, and ^ to negate the match, e.g. “^Admin|*Administrator*” allows all groups except Admin and any group with Administrator as part of its name.|
| ||Pattern matching the attributes from the SAML ticket that will be stored in the session as state variables. Attributes with multiple values will be concatenated and stored as a single value separated by semicolons.|
| ||URL to ADFS, usually https://<hostname>/adfs/ls/. Allows the login application to redirect to it to request a SAML token wrapped in WS-Federation/WS-Trust.|
|audience||Audience to place in the SAML response. If not specified, the url property is used by default.|
|expectedAudiencePattern||When verifying a SAML response from an identity provider, this is the pattern that the audience must match. Wildcards and | are supported to specify multiple valid entries.|
| ||Display name for this identity provider. Can be used by the login application to let the user select which identity provider to use, if that is required.|
| ||Identifier to specify on the redirect URL to the IdP. Identifies this particular application as the Relying Party and must match the configuration in ADFS.|
| ||Can be used by the login application to automatically select an identity provider based on the source IP address of the client.|
| ||List of files containing valid CA/SSL server certificates, if the default trusted cacerts list in the JRE is not enough.|
| ||Set to false to disable verification of the SSL server certificate.|
| ||Set to false to disable hostname verification. If true, the hostname must match the name in the certificate.|
|metadataurl||The URL to fetch federation metadata from. The list of accepted server certificates is then retrieved from this URL.|
|encryptioncertificate||Specifies a certificate to be used for encryption. If the metadata contains an encryption certificate, that one will be used.|
| ||Name of the keystore JCE provider, default is “BC”.|
|keystore.type||Keystore type, default is “PKCS12”.|
|keystore.file||Keystore filename. The keystore must contain both the private key to use when signing the SAML token and the certificate to include in the token.|
|keystore.password||Keystore password. Can optionally be encrypted.|
|keystore.privkeyalias||Alias name of the private key, or blank to use the first private key found in the keystore.|
|keystore.certalias||Alias name of the certificate, or blank to use the first available certificate found in the keystore.|
|sp_metadata_XML_||Template for service provider metadata.|
|samlrequest_XML_||Template for SAML request.|
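The role pattern and expectedAudiencePattern entries above share one pattern syntax (? and * wildcards, | for alternatives, ^ for negation). The matcher below is an added example in Python, not code from the page or from Ceptor; it assumes, from the page's “^Admin|*Administrator*” example, that a leading ^ negates the whole alternation and that matching is case-sensitive, and the function names and sample data are constructed.

```python
import re


def _alt_to_regex(alt: str) -> re.Pattern:
    # Translate one alternative: '*' matches any run of characters,
    # '?' matches exactly one character, everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in alt)
    return re.compile("^" + body + "$")


def matches_pattern(pattern: str, value: str) -> bool:
    """Assumed Ceptor pattern semantics (inferred from the page's example):
    '|' separates alternatives, '*' and '?' are wildcards, and a leading '^'
    negates the whole alternation. Case-sensitive matching is an assumption."""
    negate = pattern.startswith("^")
    if negate:
        pattern = pattern[1:]
    alternatives = [a for a in pattern.split("|") if a]
    hit = any(rx.match(value) for rx in map(_alt_to_regex, alternatives))
    return not hit if negate else hit


def filter_groups(role_pattern: str, saml_groups: list) -> list:
    # Only groups accepted by the role pattern become Ceptor user groups / roles;
    # everything else asserted by the IdP is dropped from the session.
    return [g for g in saml_groups if matches_pattern(role_pattern, g)]


def audience_accepted(expected_audience_pattern: str, audience: str) -> bool:
    # expectedAudiencePattern check: a response whose Audience does not match
    # must be rejected even when its signature verifies.
    return matches_pattern(expected_audience_pattern, audience)


if __name__ == "__main__":
    # Constructed sample data, not taken from a real ADFS deployment.
    groups = ["Admin", "Users", "DomainAdministrators", "Finance"]
    print(filter_groups("^Admin|*Administrator*", groups))  # ['Users', 'Finance']
    expected = "https://app.example.com/*|urn:example:app"
    print(audience_accepted(expected, "https://app.example.com/login"))  # True
    print(audience_accepted(expected, "https://other.example.net/"))  # False
```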