Here, you can see how to configure Ceptor to interact with Microsoft Active Directory Federation Services (ADFS) or other WebSSO capable products, supporting Identity Federation using either WS-Federation or SAML protocols.
Warning: This method of defining SAML Identity Providers and Service Providers is deprecated (although still supported and functional). Instead, refer to Federation - SAML / WebSSO for an easier method.
Using Ceptor as an Identity Provider
...
Name | Value |
---|---|
websso.serviceProviders | Lists the available service providers, separated by semicolon. |
url | URL to ADFS, usually https://<hostname>/adfs/ls/ – this is the URL that the SAML token will be sent to, and the URL that will be present as recipient within the SAML ticket |
returnurl | Override the url if you need to send the SAML response to a different URL than the recipient URL within the SAML response (defaults to url). |
displayName | Display name for this Service Provider – can be used by the login application to let the user select which identity provider to use, if that is required. |
issuer | Name of SAML Ticket Issuer – visible to the receiving application, default is Ceptor |
rolePattern | Only groups/roles matching this pattern are added to the SAML token. Use ? and * as wildcards, a vertical bar to separate multiple alternatives, and a leading ^ to negate the match, e.g. “^Admin|*Administrator*” allows all groups except Admin and any group with Administrator as part of its name. |
attributes | List of SAML attributes to add to the SAML ticket, given as name=key pairs separated by semicolon. Each key is looked up in the session state variables, so anything you place in the session can be included in the SAML ticket. This parameter follows the same syntax as the dispatcher's “customHttpHeaders” configuration entry; see the reference entry on “customHttpHeaders” for details. Default is: |
keystore.provider | Name of keystore JCE provider, default is “BC” |
keystore.type | Keystore type, default is “PKCS12” |
keystore.file | Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token. |
keystore.password | Keystore password – can optionally be encrypted. |
keystore.privkeyalias | Alias name of the private key, or blank to use the first private key found in the keystore. |
keystore.certalias | Alias name of the certificate, or blank to use the first available certificate found in the keystore. |
idp_metadata_XML_ | Template for IDP federation metadata used to identify our capabilities for this service provider. |
saml.response.script | Script that is executed before the SAML response is signed and may modify the response. |
...
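The rolePattern and attributes entries above decide which group memberships and which session values end up inside a signed SAML assertion, so it is worth being precise about how they behave. The following is an added, self-contained illustration written for this page (it is not Ceptor's own code and does not reproduce its implementation): it applies a rolePattern with the semantics described in the table (? and * as wildcards, vertical bar as separator, leading ^ negating the whole match) to a constructed list of groups, and resolves an attributes string against a constructed session state. Two details are assumptions not stated on the page: matching is case-sensitive, and an attribute whose key is absent from the session is simply omitted.

```python
import re
from typing import Dict, List, Tuple

# Illustrative reimplementation of the rolePattern / attributes semantics
# described on this page. Not Ceptor code; written as a worked example.


def parse_role_pattern(pattern: str) -> Tuple[bool, List[str]]:
    """Split a rolePattern into (negated, [alternative, ...]).

    A leading ^ negates the result of the whole alternation (assumed from the
    page's "^Admin|*Administrator*" example, which excludes both cases).
    """
    negated = pattern.startswith("^")
    body = pattern[1:] if negated else pattern
    alternatives = [alt for alt in body.split("|") if alt]
    return negated, alternatives


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate ? (one char) and * (any run) into an anchored regex.

    Every other character is escaped so a group name containing regex
    metacharacters (dots, parentheses) is still matched literally.
    """
    out = ""
    for ch in glob:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


def role_allowed(role: str, pattern: str) -> bool:
    """True if the role would be included in the SAML token (case-sensitive, assumed)."""
    negated, alternatives = parse_role_pattern(pattern)
    matched = any(glob_to_regex(alt).match(role) for alt in alternatives)
    return not matched if negated else matched


def filter_roles(roles: List[str], pattern: str) -> List[str]:
    """Apply the rolePattern to a list of session roles, keeping order."""
    return [r for r in roles if role_allowed(r, pattern)]


def parse_attributes(config: str) -> Dict[str, str]:
    """'name=key;name2=key2' -> {name: key}; blank entries are ignored."""
    result: Dict[str, str] = {}
    for pair in config.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, key = pair.partition("=")
        if not sep or not name.strip() or not key.strip():
            raise ValueError(f"malformed attribute entry: {pair!r}")
        result[name.strip()] = key.strip()
    return result


def build_saml_attributes(config: str, session_state: Dict[str, str]) -> Dict[str, str]:
    """Resolve configured keys against session state.

    Keys missing from the session are skipped (assumption: the page does not
    say whether Ceptor emits an empty attribute instead).
    """
    return {
        name: session_state[key]
        for name, key in parse_attributes(config).items()
        if key in session_state
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    session_roles = ["Admin", "Users", "DomainAdministrators", "Administrator", "Admins"]
    print(filter_roles(session_roles, "^Admin|*Administrator*"))  # ['Users', 'Admins']

    session = {"userEmail": "alice@example.test", "department": "IT"}
    print(build_saml_attributes("email=userEmail;dept=department;phone=phoneNumber", session))
```

The negated example from the table is the one to check against your own expectations: an exact-match alternative such as Admin does not exclude a group called Admins, while *Administrator* excludes anything containing that substring. If your directory uses near-duplicate group names, write the pattern against the full names rather than relying on a prefix, and review the resulting role list in a test SAML response before enabling the service provider.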