Ceptor Docs


The plugin is enabled by appending its class name to the server.authenticationplugins property:

<property name="server.authenticationplugins" value="...<existing providers>; dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin" description="The list of authentication plugins (classes) to load"/>

ADFSSamlSSOAuthPlugin Configuration of Identity Providers

The authentication plugin supports a number of configuration entries for each identity provider:

Name

Value

websso.identityProviders

Lists the identity providers available, separated by semicolon.

The following entries all start with websso.idp.<idp>., where <idp> is replaced with the name of the identity provider as configured in websso.identityProviders.

signerCertificates

Lists one or more certificates that the SAML token issued by the identity provider can be signed with. The entry must point to files containing certificates in either .cer or .p7b format.

useSubjectAsUserid

If true, and if a subject is sent by the IDP, the subject will be used as the user ID by Ceptor.

useridAttributeName

If configured, and a SAML attribute is sent with this name, the value of that attribute will be used as the user ID.

usernameAttributeName

If not empty, the value of the corresponding SAML attribute will be used as user name.

roleAttributeName

If specified, any values defined for this attribute name will be added as user groups / roles in the Ceptor session for the authenticated user.

rolePattern

Only roles matching this pattern will be added as user groups. Use ? and * as wildcards, | to separate multiple matches, and ^ to negate the match; e.g. “^Admin|*Administrator*” allows all groups except Admin and any group with Administrator as part of its name.

attributesToStoreInSession

Pattern matching the attributes from the SAML ticket that will be stored in the session as state variables. Attributes with multiple values will be concatenated and stored as a single value, separated by semicolon.

url

URL to ADFS, usually https://<hostname>/adfs/ls/ – allows the login application to redirect to it and ask for a SAML token wrapped in WS-Federation/WS-Trust.

audience

Audience to place in the SAML response – if not specified, the url property is used by default.

expectedAudiencePattern

When verifying a SAML response from an identity provider, this is the pattern that the audience must match – wildcards and | are supported to specify multiple valid entries.

displayName

Display name for this identity provider – can be used by the login application to let the user select which identity provider to use, if that is required.

identifier

Identifier to specify on the redirect URL to the IDP – identifies this particular application as the Relying Party – must match the configuration in ADFS.

knownIPs

Can be used by the login application to automatically select an identity provider to use based on the source IP address of the client.

acceptedServerCertificates

List of files containing valid CA/SSL server certificates, if the default trusted cacerts list in the JRE is not enough.

verifyServerCert

Set to false to disable verification of the SSL server certificate.

verifySSLHostname

Set to false to disable hostname verification – if true, the hostname must match the name in the certificate.

metadataurl

The URL to fetch federation metadata from – the list of accepted server certificates is then retrieved from this URL.

encryptioncertificate

Specifies a certificate to be used for encryption – if the metadata contains an encryption certificate, it will be used.

keystore.provider

Name of the keystore JCE provider, default is “BC”.

keystore.type

Keystore type, default is “PKCS12”.

keystore.file

Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token.

keystore.password

Keystore password – can optionally be encrypted.

keystore.privkeyalias

Alias name of the private key, or blank to use the first private key found in the keystore.

keystore.certalias

Alias name of the certificate, or blank to use the first available certificate found in the keystore.

sp_metadata_XML

Template for service provider metadata.

samlrequest_XML

Template for the SAML request.
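To make the rolePattern and attributesToStoreInSession entries concrete, the following is an added example (not Ceptor's own code) that mirrors the described behaviour: the websso.idp.<idp>.* settings are represented as a plain dictionary with a constructed provider named "adfs", the pattern syntax is implemented as described (? and * wildcards, | separating alternatives, a leading ^ negating the whole match), and roles and session attributes are derived from a constructed set of SAML attributes. Case-sensitive matching and ^ applying to the whole alternative list are assumptions read from the example pattern on the page.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of the websso.idp.<idp>.* settings; "adfs" is a made-up
# provider name and "roles" a made-up SAML attribute name.
SAMPLE_CONFIG: Dict[str, str] = {
    "websso.identityProviders": "adfs",
    "websso.idp.adfs.roleAttributeName": "roles",
    "websso.idp.adfs.rolePattern": "^Admin|*Administrator*",
    "websso.idp.adfs.attributesToStoreInSession": "department|mail*",
}

# Constructed SAML attributes as they might arrive after token validation;
# each attribute carries a list of values.
SAMPLE_ATTRIBUTES: Dict[str, List[str]] = {
    "roles": ["Admin", "Developer", "SiteAdministrator", "Reader"],
    "department": ["R&D"],
    "mail": ["a@example.com", "b@example.com"],
    "upn": ["user@example.com"],
}


def _glob_to_regex(alternative: str) -> str:
    """Translate one alternative: '*' matches any run, '?' one character,
    everything else literally (no character classes, unlike fnmatch)."""
    parts = []
    for ch in alternative:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def pattern_matches(pattern: str, value: str) -> bool:
    """Assumed semantics: a leading '^' negates the result of the whole
    '|'-separated list, so '^Admin|*Administrator*' rejects Admin and
    anything containing Administrator, and accepts everything else."""
    negate = pattern.startswith("^")
    if negate:
        pattern = pattern[1:]
    alternatives = [alt for alt in pattern.split("|") if alt]
    hit = any(re.fullmatch(_glob_to_regex(alt), value) for alt in alternatives)
    return hit != negate


def select_roles(config: Dict[str, str], idp: str,
                 attributes: Dict[str, List[str]]) -> List[str]:
    """Roles to add to the session: values of roleAttributeName filtered
    by rolePattern (no pattern means every value is kept)."""
    prefix = f"websso.idp.{idp}."
    role_attr = config.get(prefix + "roleAttributeName", "")
    if not role_attr:
        return []
    pattern = config.get(prefix + "rolePattern", "")
    roles: Iterable[str] = attributes.get(role_attr, [])
    if not pattern:
        return list(roles)
    return [r for r in roles if pattern_matches(pattern, r)]


def session_state(config: Dict[str, str], idp: str,
                  attributes: Dict[str, List[str]]) -> Dict[str, str]:
    """State variables to store: attributes whose name matches
    attributesToStoreInSession, multi-valued ones joined with ';'."""
    prefix = f"websso.idp.{idp}."
    pattern = config.get(prefix + "attributesToStoreInSession", "")
    if not pattern:
        return {}
    return {name: ";".join(values)
            for name, values in attributes.items()
            if pattern_matches(pattern, name)}


if __name__ == "__main__":
    print(select_roles(SAMPLE_CONFIG, "adfs", SAMPLE_ATTRIBUTES))
    print(session_state(SAMPLE_CONFIG, "adfs", SAMPLE_ATTRIBUTES))
```

With the constructed input, the negated pattern keeps Developer and Reader while dropping Admin and SiteAdministrator, and only department and mail reach the session, the two mail values joined by a semicolon. Because the pattern is applied to every role name in the token, a permissive rolePattern (or none at all) means any group the identity provider asserts becomes a Ceptor group, so the pattern is the place to restrict which upstream groups are trusted.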
