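<!-- Service providers (SAML relying parties) this installation issues tokens to.
     The value "adfs2" is the key under which the websso.sp.adfs2.* properties below are looked up.
     (description corrected: this list holds service providers, not identity providers) -->
<property name="websso.serviceProviders" value="adfs2" description="Semicolon separated list of service providers"/>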
<!-- Attribute release to the "adfs2" service provider.
     The value appears to be a ";"-separated list of <claim URI>=<local attribute name> pairs,
     e.g. the upn claim is filled from the local "userid" attribute. -->
<property name="websso.sp.adfs2.attributes"
          description="Specify which attributes to add to the SAML token"
          value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username;http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"/>
<!-- Human-readable label only; not used in the SAML exchange as far as this file shows. -->
<property name="websso.sp.adfs2.displayName"
          description="Display name of Service Provider"
          value="AssecoCeptor Test ADFS2"/>
<!-- Entity identifiers under which the service provider may present itself; the second one is a plain http URI,
     which is fine for an identifier but should not be mistaken for an endpoint. -->
<property name="websso.sp.adfs2.identifiers"
          description="Semicolon separated list of identifiers"
          value="https://www.pptest.dk:4443/adfs;http://adfs2.itptest.dk/adfs/services/trust"/>
<!-- Issuer placed in tokens sent to this SP; the same value is used as entityID in the
     websso.sp.adfs2.idp_metadata_XML_ template, and the two must stay in sync. -->
<property name="websso.sp.adfs2.issuer"
          description="Issuer name to tell service provider"
          value="https://www.pptest.dk:4443/adfs"/>
<!-- Keystore holding the private key and certificate used to sign SAML tokens for this SP.
     Both alias properties are empty; presumably the first/only entry is then used (verify against the runtime). -->
<property name="websso.sp.adfs2.keystore.certalias"
          description="Alias of certificate within keystore"
          value=""/>
<property name="websso.sp.adfs2.keystore.file"
          description="Name of keystore containing private key and certificate to use when signing SAML"
          value="${portalprotect.home}/config/x509/issuer/certissuer.pfx"/>
<!-- NOTE(review): the keystore password is stored in clear text in this file, and the same keystore
     file and password are repeated under websso.idp.local.*. The file already uses ${portalprotect.home}
     substitution; if the runtime supports other placeholders, externalise this value and restrict read
     access to this configuration file. -->
<property name="websso.sp.adfs2.keystore.password"
          description="Password for keystore"
          value="password"/>
<property name="websso.sp.adfs2.keystore.privkeyalias"
          description="Alias of private key within keystore"
          value=""/>
<!-- "BC" = Bouncy Castle JCE provider; "PKCS12" matches the .pfx file above. -->
<property name="websso.sp.adfs2.keystore.provider"
          description="Name of JCE provider"
          value="BC"/>
<property name="websso.sp.adfs2.keystore.type"
          description="Keystore type"
          value="PKCS12"/>
<!-- "*" releases every role of the user to this SP; narrow the pattern if the SP should only
     see a subset of the roles. -->
<property name="websso.sp.adfs2.rolePattern"
          description="Only roles matching this pattern will be sent to the service provider"
          value="*"/>
<!-- Endpoint the SAML response is posted to. -->
<property name="websso.sp.adfs2.url"
          description="URL of ADFS service provider"
          value="https://adfs2.itptest.dk/adfs/ls/"/>
<!-- IdP metadata template handed to the service provider. The %{...} tokens (validuntil, signcert,
     encryptcert) are presumably substituted when the metadata is generated; the CDATA content is
     emitted as-is otherwise, so keep it byte-exact.
     Points to check before use:
     * The SingleSignOnService / SingleLogoutService Locations ("https://login.my.server", ".../logoff")
       look like placeholders and must be the real externally reachable endpoints of this IdP.
     * entityID equals websso.sp.adfs2.issuer above; change both together.
     * WantAuthnRequestsSigned="false" tells the SP that unsigned AuthnRequests are accepted; whether the
       runtime actually verifies request signatures is not visible here. -->
<property name="websso.sp.adfs2.idp_metadata_XML_" description="Metadata template for identity provider metadata">
<![CDATA[<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="%{validuntil}" cacheDuration="PT1440M" entityID="https://www.pptest.dk:4443/adfs">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%{signcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server/logoff"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">orgname</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">orgdispname</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">http://my.org</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>techname</md:GivenName>
    <md:EmailAddress>tech@mail.dk</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>support name</md:GivenName>
    <md:EmailAddress>support@mail.dk</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
]]></property>

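<group name="websso" description="SAML Web SSO - e.g. with Microsoft ADFS">
  <!-- Identity providers this installation can authenticate against. The value "local" is the key
       under which the websso.idp.local.* properties in this group are looked up. -->
  <property name="websso.identityProviders" value="local" description="Semicolon separated list of identity providers"/>
  <!-- "*" copies every attribute from the SAML assertion into the session. -->
  <property name="websso.idp.local.attributesToStoreInSession" value="*" description="Any SAML attributes matching this pattern will be added to the session"/>
  <property name="websso.idp.local.displayName" value="Local AssecoCeptor Test" description="Display name of Identity Provider"/>
  <!-- Our SP entity identifier; the same value is used as <Issuer> in the samlrequest_XML_ template below. -->
  <property name="websso.idp.local.identifier" value="https://www.portalprotect.dk/adfs" description="Identifier which identifies us to the Identity Provider"/>
  <!-- Keystore used to sign requests and decrypt assertions. Alias properties are empty; presumably
       the first/only entry is then used (verify against the runtime). -->
  <property name="websso.idp.local.keystore.certalias" value="" description="Alias of certificate within keystore"/>
  <property name="websso.idp.local.keystore.file" value="${portalprotect.home}/config/x509/issuer/certissuer.pfx" description="Name of keystore containing private key and certificate to use when signing or decrypting SAML"/>
  <!-- NOTE(review): keystore password in clear text; the same keystore file and password also appear under
       websso.sp.adfs2.*. Externalise it if the runtime supports placeholders beyond ${portalprotect.home},
       and restrict read access to this configuration file. -->
  <property name="websso.idp.local.keystore.password" value="password" description="Password for keystore"/>
  <property name="websso.idp.local.keystore.privkeyalias" value="" description="Alias of private key within keystore"/>
  <!-- "BC" = Bouncy Castle JCE provider; "PKCS12" matches the .pfx file above. -->
  <property name="websso.idp.local.keystore.provider" value="BC" description="Name of JCE provider"/>
  <property name="websso.idp.local.keystore.type" value="PKCS12" description="Keystore type"/>
  <!-- "|"-separated wildcard patterns; how a match influences provider selection is not visible here. -->
  <property name="websso.idp.local.knownIPs" value="192.168.200.*|127.0.0.1" description="Expression matching known IPs for this provider"/>
  <!-- NOTE(review): the "XXXX" suffix looks like a rename used to switch the metadata URL off, and the
       description is empty. Remove the entry or restore the real property name so intent is clear. -->
  <property name="websso.idp.local.metadataurlXXXX" value="https://192.168.1.142/FederationMetadata/2007-06/FederationMetadata.xml" description=""/>
  <!-- Two candidate attribute names (short name and ADFS claim URI); presumably tried in order. -->
  <property name="websso.idp.local.roleAttributeName" value="role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role" description="SAML attribute to use for user groups/roles"/>
  <property name="websso.idp.local.rolePattern" value="*" description="Only roles matching this pattern will be added to the session"/>
  <!-- AuthnRequest template. %{uuid} and %{issueinstant} are presumably filled in per request; the CDATA
       content is otherwise emitted verbatim, so keep it byte-exact.
       NOTE(review): Destination is hard-coded to https://www.pptest.dk:4443/adfs while the request is sent to
       websso.idp.local.url (https://192.168.1.142/adfs/ls). SAML 2.0 requires the receiver to check that
       Destination matches the endpoint at which the message arrived, so confirm these agree for the real IdP. -->
  <property name="websso.idp.local.samlrequest_XML_" description="SAML2 request template - used when generating SAML request to send to identity provider">
<![CDATA[<samlp:AuthnRequest ID="%{uuid}"
	Version="2.0" IssueInstant="%{issueinstant}" Destination="https://www.pptest.dk:4443/adfs"
	Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.portalprotect.dk/adfs</Issuer>
	<samlp:NameIDPolicy
		Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
		AllowCreate="true" />
</samlp:AuthnRequest>]]></property>
  <!-- Trust anchor for assertion signatures: only tokens signed by a certificate in this file should be
       accepted. Keep it pinned to the IdP's current token-signing certificate(s). -->
  <property name="websso.idp.local.signerCertificates" value="${portalprotect.home}/config/saml/local.cer" description="List of trusted tokensigning certificates for this provider"/>
  <!-- SP metadata template exported to the IdP. Points to check before use:
       * entityID is the literal "317190f9-efec-4307-beb9-7f8380a8ae16", but websso.idp.local.identifier and
         the <Issuer> of the request template use https://www.portalprotect.dk/adfs; an IdP that registers the
         SP from this metadata is likely to reject requests whose Issuer does not match. Confirm which is intended.
       * The "my.server.name" Locations look like placeholders and must be the real SP endpoints.
       * AuthnRequestsSigned="true" and WantAssertionsSigned="true" are the desired settings; keep them. -->
  <property name="websso.idp.local.sp_metadata_XML_" description="SAML ServiceProvider Metadata - can be generated and imported at the identity provider">
<![CDATA[<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
					 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     validUntil="%{validuntil}"
                     cacheDuration="PT1440M"
                     entityID="317190f9-efec-4307-beb9-7f8380a8ae16">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>%{signcert}</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://my.server.name/logout" />
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://my.server.name/logout" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://my.server.name/adfs"
                                     index="1" />
		<md:AttributeConsumingService index="0" isDefault="true">
		  <md:ServiceName xml:lang="da">SP</md:ServiceName>
		  <md:RequestedAttribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
		  <md:RequestedAttribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
		</md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:Organization>
       <md:OrganizationName xml:lang="en-US">My organisation</md:OrganizationName>
       <md:OrganizationDisplayName xml:lang="en-US">My org</md:OrganizationDisplayName>
       <md:OrganizationURL xml:lang="en-US">https://my.server.name</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:GivenName>Techcontact</md:GivenName>
        <md:EmailAddress>tech@mail.dk</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
        <md:GivenName>support</md:GivenName>
        <md:EmailAddress>support@mail.dk</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>
]]></property>
  <!-- IdP SSO endpoint, addressed by IP rather than hostname; this is presumably why hostname
       verification is switched off below. -->
  <property name="websso.idp.local.url" value="https://192.168.1.142/adfs/ls" description="URL of ADFS ws-federation token issuer"/>
  <!-- When the assertion carries a Subject it becomes the userid; otherwise useridAttributeName is consulted
       (fallback order inferred from the descriptions; confirm against the runtime). -->
  <property name="websso.idp.local.useSubjectAsUserid" value="true" description="If true, and if subject is present in SAML; it is used as userid"/>
  <property name="websso.idp.local.useridAttributeName" value="upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" description="SAML attribute to use for userid"/>
  <!-- description corrected: this property selects the username attribute, not the userid. -->
  <property name="websso.idp.local.usernameAttributeName" value="name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" description="SAML attribute to use for username"/>
  <!-- NOTE(review): with both flags false the HTTPS connection to websso.idp.local.url (and to the metadata
       URL, if re-enabled) is not authenticated: any server certificate is accepted. Set both to true once the
       IdP presents a certificate that is trusted and valid for the hostname used in the URL. -->
  <property name="websso.idp.local.verifySSLHostname" value="false" description="Set to false to skip SSL server hostname validation"/>
  <property name="websso.idp.local.verifyServerCert" value="false" description="Set to false to skip SSL server certificate validation"/>
</group>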
