...
Name | Value |
---|---|
websso.serviceProviders | Lists the service providers available, separated by semicolon. |
url | URL to ADFS, usually https://<hostname>/adfs/ls/ – this is the URL that the SAML token will be sent to. |
displayName | Display name for this Service Provider – can be used by the login application to let the user select which identity provider to use, if that is required. |
issuer | Name of the SAML Ticket Issuer – visible to the receiving application, default is Ceptor. |
rolePattern | Only groups/roles matching this pattern will be added into the SAML token – use ? and * as wildcards, \| to separate multiple matches, and ^ to negate the match, e.g. “^Admin\|*Administrator*” allows all groups except Admin and any group with the name Administrator as part of it. |
attributes | List of SAML attributes to add to the SAML ticket, as name=key pairs separated by semicolon. The key is taken from the session state variables, so anything you place in the session can then be included in the SAML ticket. This configuration parameter follows the same syntax as the dispatcher's “customHttpHeaders” configuration entry; see the reference entry for “customHttpHeaders” for details. Default is: |
keystore.provider | Name of the keystore JCE provider, default is “BC”. |
keystore.type | Keystore type, default is “PKCS12”. |
keystore.file | Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token. |
keystore.password | Keystore password – can optionally be encrypted. |
keystore.privkeyalias | Alias name of the private key, or blank to use the first private key found in the keystore. |
keystore.certalias | Alias name of the certificate, or blank to use the first available certificate found in the keystore. |
idp_metadata_XML_ | Template for the IDP federation metadata used to identify our capabilities for this service provider. |
saml.response.script | Script executed with the option to modify the SAML response before it is signed. |
You will need to specify a keystore containing a private key and public certificate to sign the SAML token with.
...
Name | Value |
---|---|
websso.identityProviders | Lists the identity providers available, separated by semicolon. |
signerCertificates | Lists one or more certificates that the SAML token issued by the identity provider can be signed with. The entry must point to files containing certificates in either .cer or .p7b format. |
useSubjectAsUserid | If true, and if a subject is sent by the IDP, the subject will be used as user ID by Ceptor. |
useridAttributeName | If configured, and a SAML attribute is sent with this name, then the value of the attribute will be used as user ID. |
usernameAttributeName | If not empty, the value of the corresponding SAML attribute will be used as user name. |
roleAttributeName | If specified, any values defined for this attribute name will be added as user groups / roles in the Ceptor session for the authenticated user. |
rolePattern | Only roles matching this pattern will be added as user groups – use ? and * as wildcards, \| to separate multiple matches, and ^ to negate the match, e.g. “^Admin\|*Administrator*” allows all groups except Admin and any group with the name Administrator as part of it. |
attributesToStoreInSession | Pattern matching the attributes from the SAML ticket that will be stored in the session as state variables. Attributes with multiple values will be concatenated and stored as a single value separated by semicolon. |
url | URL to ADFS, usually https://<hostname>/adfs/ls/ – allows the login application to redirect there to ask for a SAML token wrapped in WS-Federation/WS-Trust. |
expectedAudiencePattern | When verifying a SAML response from an identity provider, this is the pattern that the audience must match – wildcards and \| are supported to specify multiple valid entries. |
displayName | Display name for this Identity Provider – can be used by the login application to let the user select which identity provider to use, if that is required. |
identifier | Identifier to specify on the redirect URL to the IDP – identifies this particular application as the Relying Party – must match the configuration in ADFS. |
knownIPs | Can be used by the login application to automatically select an identity provider based on the source IP address of the client. |
acceptedServerCertificates | List of files containing valid CA/SSL server certificates, if the default trusted cacerts list in the JRE is not enough. |
verifyServerCert | Set to false to disable verification of the SSL server certificate. |
verifySSLHostname | Set to false to disable hostname verification – if true, the hostname must match the name in the certificate. |
metadataurl | The URL to fetch federation metadata from – the list of accepted server certificates is then retrieved from this URL. |
metadata_XML_ | Instead of loading the metadata online from the URL above, it can be specified here as a string. |
encryptioncertificate | Specify a certificate to be used for encryption – if the metadata contains an encryption certificate, it will be used. |
keystore.provider | Name of the keystore JCE provider, default is “BC”. |
keystore.type | Keystore type, default is “PKCS12”. |
keystore.file | Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token. |
keystore.password | Keystore password – can optionally be encrypted. |
keystore.privkeyalias | Alias name of the private key, or blank to use the first private key found in the keystore. |
keystore.certalias | Alias name of the certificate, or blank to use the first available certificate found in the keystore. |
sp_metadata_XML_ | Template for the service provider metadata, which can be retrieved online. |
samlrequest_XML_ | Template for the SAML request. |
...
Info |
---|
Note that with the Ceptor Gateway you do not need a separate login application: you can use the WebSSO Authentication plugin instead, which does the work that otherwise requires a separate login application with the dispatcher. |
SAML Response Scripts
To modify any aspect of a SAML response before it is signed, you can specify a SAML Response script (the saml.response.script entry in the service provider configuration above). It is executed immediately after the SAML response string has been generated, but before that string is signed.
The script can optionally return a modified string containing a customized SAML response, which is then signed and returned instead of the original.
When the script is called, it has these variables available:
- samlversion - 1 or 2, depending on which type of SAML response is being generated
- context - Script context, with additional attributes about the user context available - see below
- input - the SAML Response about to be created - can be modified and returned
The context looks like the following:
```java
public class ScriptContext {
    /** Session Controller */
    public PTSServer sessionController;
    /** Configuration for session controller and authentication plugins */
    public Properties configuration;
    /** Session we are generating SAML responses for */
    public User session;
    /** SAML request as string, or null if no request present */
    public String samlRequest;
    /** Parsed SAML Request, or null if not present */
    public ADFSSamlRequest parsedSaml;
    /** Service Provider entry */
    public ADFSSamlSSOAuthPlugin.ServiceProviderEntry sp;
}
```
The context.parsedSaml attribute above has these values available:
```java
public static class ADFSSamlRequest {
    public boolean saml2;
    public String issueInstant;
    public String requestID;
    // SAML 2
    public String issuer;
    public String destination;
}
```
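As an added illustration of what such a script can do (this is example code, not Ceptor's own, and the scripting language Ceptor uses for saml.response.script is not stated on this page, so it is written as a plain Java method): it takes the samlversion and input variables described above, adds one attribute read from the session to the first AttributeStatement, and returns the modified response for signing. The department value and the SAML2_NS constant are assumptions; how to read the value from context.session is not shown because the User API is not on this page.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
/** Added example, not Ceptor code: the work of a saml.response.script as a plain Java method. */
public class SamlResponseScriptExample {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // samlversion and input are the script variables listed above; department stands in for a
    // value the script has read from the session (the User API for that is not on this page).
    // The returned string is what Ceptor then signs.
    public static String modify(int samlversion, String input, String department) throws Exception {
        if (samlversion != 2) {
            return input; // this example only touches SAML 2.0 responses
        }
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(input)));
        // Refuse to continue if the audience/validity limits are missing: a script that runs
        // before signing must never be the place where the Conditions get lost.
        if (doc.getElementsByTagNameNS(SAML2_NS, "Conditions").getLength() == 0) {
            throw new IllegalStateException("response has no Conditions element");
        }
        NodeList statements = doc.getElementsByTagNameNS(SAML2_NS, "AttributeStatement");
        if (statements.getLength() == 0) {
            throw new IllegalStateException("response has no AttributeStatement");
        }
        // Add <saml:Attribute Name="department"> to the first AttributeStatement; since the
        // script runs before signing, the added attribute is covered by the signature.
        Element attr = doc.createElementNS(SAML2_NS, "saml:Attribute");
        attr.setAttribute("Name", "department");
        Element value = doc.createElementNS(SAML2_NS, "saml:AttributeValue");
        value.setTextContent(department);
        attr.appendChild(value);
        statements.item(0).appendChild(attr);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
}
```

The script itself would end by returning modify(samlversion, input, department) so that the modified string, rather than input, is what gets signed.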