Here, you can see how to configure Ceptor to interact with Microsoft Active Directory Federation Services (ADFS) or other WebSSO-capable products, supporting Identity Federation using either the WS-Federation or the SAML protocol.

Warning

This method of defining SAML Identity Providers and Service Providers is deprecated (although still supported and functional) - instead, refer to Federation - SAML / WebSSO for an easier method.


Using Ceptor as an Identity Provider

...

Name / Value

websso.serviceProviders

Lists the service providers available, separated by semicolon.

The following all start with websso.sp.<sp>, where <sp> is replaced with the name of the service provider, as configured in websso.serviceProviders.

url

URL to ADFS, usually https://<hostname>/adfs/ls/ – this is the URL that the SAML token will be sent to, and the URL that will be present as recipient within the SAML ticket

returnurl

Overrides the URL if you need to send the SAML response to a different URL than the recipient URL within the SAML response (defaults to url).

displayName

Display name for this Service Provider – can be used by login application to let user select which identity provider to use, if that is required.

issuer

Name of SAML Ticket Issuer – visible to the receiving application, default is Ceptor

rolePattern

Only groups/roles matching this pattern will be added into the SAML token – use ? and * as wildcards, | to separate multiple matches, and ^ to negate the match, e.g. “^Admin|*Administrator*” allows all groups except Admin and any group with the name Administrator as part of it.

attributes

List of SAML attributes to add to the SAML ticket.

List of name=key pairs separated by semicolon.

The key will be taken from the session state variables, so you can place anything in the session that can then be included in the SAML ticket.

This configuration parameter follows the same syntax as the configuration entry “customHttpHeaders” for the dispatcher, and you can use

Please see the entry in the reference about “customHttpHeaders” for details.

Default is:
upn=userid;name=username;role=groups;email=email1

keystore.provider

Name of keystore JCE provider, default is “BC”

keystore.type

Keystore type, default is “PKCS12”

keystore.file

Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token.

keystore.password

Keystore password – can be optionally encrypted.

keystore.privkeyalias

Alias name of the private key, or blank to use the first private key found in the keystore.

keystore.certalias

Alias name of the certificate, or blank to use the first available certificate found in the keystore.

idp_metadata_XML_

Template for IDP federation metadata used to identify our capabilities for this service provider.

saml.response.script

Script executed that has the option to modify the SAML response before it is signed.
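As an added example (not Ceptor's own code), the following Python shows the group filtering and the session-to-attribute mapping that the rolePattern and attributes entries above describe, using the documented default attributes list and the rolePattern example. The matching semantics (a single leading ^ negating the whole pattern, | separating alternatives) are an assumption drawn from the entry's own example, and the session values are constructed.

```python
import re
from typing import Dict, List

def _alternative_matches(alt: str, group: str) -> bool:
    # Translate the doc's wildcards ('?' = one char, '*' = any run) to a regex;
    # every other character is matched literally.
    regex = re.escape(alt).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, group) is not None

def role_matches(pattern: str, group: str) -> bool:
    """Match one group against a rolePattern value (assumed semantics, read
    from the doc's description and example: '|' separates alternatives and a
    single leading '^' negates the whole match, so "^Admin|*Administrator*"
    admits every group except "Admin" and any group containing "Administrator").
    """
    negate = pattern.startswith("^")
    body = pattern[1:] if negate else pattern
    hit = any(_alternative_matches(a, group) for a in body.split("|") if a)
    return not hit if negate else hit

def filter_roles(pattern: str, groups: List[str]) -> List[str]:
    """Return the groups that rolePattern lets into the SAML token."""
    return [g for g in groups if role_matches(pattern, g)]

def build_saml_attributes(attributes: str, session: Dict[str, object],
                          role_pattern: str = "*") -> Dict[str, object]:
    """Resolve a 'name=key;name=key' attributes entry against session state:
    each SAML attribute name receives the session value stored under key, a
    list value (the groups) is filtered through role_pattern first, and keys
    absent from the session are skipped instead of being emitted empty."""
    result: Dict[str, object] = {}
    for pair in attributes.split(";"):
        if "=" not in pair:
            continue
        name, key = (s.strip() for s in pair.split("=", 1))
        if name and key in session:
            value = session[key]
            result[name] = (filter_roles(role_pattern, value)
                            if isinstance(value, list) else value)
    return result

# Constructed sample session state (not taken from the page).
SAMPLE_SESSION = {
    "userid": "jdoe@example.com",
    "username": "Jane Doe",
    "email1": "jane.doe@example.com",
    "groups": ["Admin", "DomainAdministrators", "Users", "Administrator"],
}
```

Run build_saml_attributes with the default attributes string and the "^Admin|*Administrator*" pattern against SAMPLE_SESSION to see which groups survive into the role attribute.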

...