...
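<!-- Service-provider side of the WebSSO configuration: this instance issues SAML tokens to the
     ADFS service provider registered under the key "adfs2". Every websso.sp.adfs2.* property
     below belongs to that one provider. -->
<property name="websso.serviceProviders" value="adfs2" description="Semicolon separated list of service providers"/>
<!-- Claim-to-attribute mapping, one "claimURI=localAttribute" pair per semicolon-separated entry. -->
<property name="websso.sp.adfs2.attributes"
          value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username;http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"
          description="Specify which attributes to add to the SAML token"/>
<property name="websso.sp.adfs2.displayName" value="AssecoCeptor Test ADFS2" description="Display name of Service Provider"/>
<!-- Identifiers the SP may present; the issuer value must also appear as entityID in the metadata template below. -->
<property name="websso.sp.adfs2.identifiers" value="https://www.pptest.dk:4443/adfs;http://adfs2.itptest.dk/adfs/services/trust" description="Semicolon separated list of identifiers"/>
<property name="websso.sp.adfs2.issuer" value="https://www.pptest.dk:4443/adfs" description="Issuer name to tell service provider"/>
<!-- Key material used to sign the SAML tokens sent to this SP. NOTE(review): what an empty alias selects
     (first entry? only entry?) is not visible here; confirm against the keystore loader. -->
<property name="websso.sp.adfs2.keystore.certalias" value="" description="Alias of certificate within keystore"/>
<property name="websso.sp.adfs2.keystore.file" value="${portalprotect.home}/config/x509/issuer/certissuer.pfx" description="Name of keystore containing private key and certificate to use when signing SAML"/>
<!-- Sample value. The keystore password is stored in clear text in this file, so the file needs the
     same access restrictions as the keystore it unlocks. -->
<property name="websso.sp.adfs2.keystore.password" value="password" description="Password for keystore"/>
<property name="websso.sp.adfs2.keystore.privkeyalias" value="" description="Alias of private key within keystore"/>
<property name="websso.sp.adfs2.keystore.provider" value="BC" description="Name of JCE provider"/>
<property name="websso.sp.adfs2.keystore.type" value="PKCS12" description="Keystore type"/>
<!-- "*" releases every role of the user to this service provider; narrow the pattern to the roles the SP consumes. -->
<property name="websso.sp.adfs2.rolePattern" value="*" description="Only roles matching this pattern will be sent to the service provider"/>
<property name="websso.sp.adfs2.url" value="https://adfs2.itptest.dk/adfs/ls/" description="URL of ADFS service provider"/>
<!-- Identity-provider metadata template published to the SP. The %{validuntil}, %{signcert} and
     %{encryptcert} placeholders are presumably filled in when the metadata is generated.
     WantAuthnRequestsSigned="false" tells the SP that unsigned authentication requests are accepted;
     NOTE(review): switch it to "true" once the SP signs its requests, confirm against the SP setup.
     The SingleLogoutService/SingleSignOnService locations are sample endpoints to be replaced with
     this server's real URLs. The xmldsig namespace is declared once on the root element. -->
<property name="websso.sp.adfs2.idp_metadata_XML_" description="Metadata template for identity provider metadata"> <![CDATA[<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     validUntil="%{validuntil}"
                     cacheDuration="PT1440M"
                     entityID="https://www.pptest.dk:4443/adfs">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>%{signcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://login.my.server/logoff"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://login.my.server"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">orgname</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">orgdispname</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">http://my.org</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>techname</md:GivenName>
    <md:EmailAddress>tech@mail.dk</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>support name</md:GivenName>
    <md:EmailAddress>support@mail.dk</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
]]></property>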
...
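<!-- Identity-provider side of the WebSSO configuration: this instance acts as SAML service provider
     towards the identity provider registered under the key "local". Every websso.idp.local.* property
     below belongs to that one provider. -->
<group name="websso" description="SAML Web SSO - e.g. with Microsoft ADFS">
  <property name="websso.identityProviders" value="local" description="Semicolon separated list of identity providers"/>
  <!-- "*" copies every attribute of the received assertion into the session; narrow it to the attributes the application reads. -->
  <property name="websso.idp.local.attributesToStoreInSession" value="*" description="Any SAML attributes matching this pattern will be added to the session"/>
  <property name="websso.idp.local.displayName" value="Local AssecoCeptor Test" description="Display name of Identity Provider"/>
  <!-- Our entity identifier; it is also the Issuer in the AuthnRequest template below. -->
  <property name="websso.idp.local.identifier" value="https://www.portalprotect.dk/adfs" description="Identifier which identifies us to the Identity Provider"/>
  <!-- Key material used to sign our requests and decrypt assertions. NOTE(review): what an empty alias
       selects is not visible here; confirm against the keystore loader. -->
  <property name="websso.idp.local.keystore.certalias" value="" description="Alias of certificate within keystore"/>
  <property name="websso.idp.local.keystore.file" value="${portalprotect.home}/config/x509/issuer/certissuer.pfx" description="Name of keystore containing private key and certificate to use when signing or decrypting SAML"/>
  <!-- Sample value. The keystore password is stored in clear text in this file, so the file needs the
       same access restrictions as the keystore it unlocks. -->
  <property name="websso.idp.local.keystore.password" value="password" description="Password for keystore"/>
  <property name="websso.idp.local.keystore.privkeyalias" value="" description="Alias of private key within keystore"/>
  <property name="websso.idp.local.keystore.provider" value="BC" description="Name of JCE provider"/>
  <property name="websso.idp.local.keystore.type" value="PKCS12" description="Keystore type"/>
  <!-- Pipe-separated IP patterns; how a match is used (provider selection? access restriction?) is not
       shown here, so treat this as a hint only until confirmed. -->
  <property name="websso.idp.local.knownIPs" value="192.168.200.*|127.0.0.1" description="Expression matching known IPs for this provider"/>
  <!-- NOTE(review): the XXXX suffix looks like a way of disabling the metadata URL without deleting it;
       the trusted signer certificates are taken from websso.idp.local.signerCertificates instead. Confirm. -->
  <property name="websso.idp.local.metadataurlXXXX" value="https://192.168.1.142/FederationMetadata/2007-06/FederationMetadata.xml" description=""/>
  <!-- Attribute names are given as "shortName;claimURI". -->
  <property name="websso.idp.local.roleAttributeName" value="role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role" description="SAML attribute to use for user groups/roles"/>
  <property name="websso.idp.local.rolePattern" value="*" description="Only roles matching this pattern will be added to the session"/>
  <!-- AuthnRequest template; %{uuid} and %{issueinstant} are presumably filled in per request.
       NOTE(review): Destination names www.pptest.dk:4443 while websso.idp.local.url points at
       192.168.1.142, and NameIDPolicy asks for the "unspecified" format while the SP metadata below
       declares "persistent"; confirm both pairs are meant to differ. -->
  <property name="websso.idp.local.samlrequest_XML_" description="SAML2 request template - used when generating SAML request to send to identity provider"> <![CDATA[<samlp:AuthnRequest ID="%{uuid}"
                    Version="2.0"
                    IssueInstant="%{issueinstant}"
                    Destination="https://www.pptest.dk:4443/adfs"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.portalprotect.dk/adfs</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</samlp:AuthnRequest>]]></property>
  <!-- Trust anchor for incoming assertions: only tokens signed by a certificate listed here are accepted. -->
  <property name="websso.idp.local.signerCertificates" value="${portalprotect.home}/config/saml/local.cer" description="List of trusted tokensigning certificates for this provider"/>
  <!-- Service-provider metadata template handed to the IdP. %{validuntil}, %{signcert} and %{encryptcert}
       are presumably filled in when the metadata is generated; the https://my.server.name endpoints are
       sample values. NOTE(review): entityID here is a UUID while websso.idp.local.identifier and the
       AuthnRequest Issuer use https://www.portalprotect.dk/adfs; an IdP normally matches these, confirm.
       The CDATA must start directly with the XML declaration, so no whitespace is inserted before it. -->
  <property name="websso.idp.local.sp_metadata_XML_" description="SAML ServiceProvider Metadata - can be generated and imported at the identity provider"> <![CDATA[<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     validUntil="%{validuntil}"
                     cacheDuration="PT1440M"
                     entityID="317190f9-efec-4307-beb9-7f8380a8ae16">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
                      WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>%{signcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://my.server.name/logout" />
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://my.server.name/logout" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://my.server.name/adfs"
                                 index="1" />
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="da">SP</md:ServiceName>
      <md:RequestedAttribute Name="dk:gov:saml:attribute:SpecVer"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             isRequired="true" />
      <md:RequestedAttribute Name="dk:gov:saml:attribute:AssuranceLevel"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             isRequired="true" />
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">My organisation</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">My org</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">https://my.server.name</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Techcontact</md:GivenName>
    <md:EmailAddress>tech@mail.dk</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>support</md:GivenName>
    <md:EmailAddress>support@mail.dk</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
]]></property>
  <property name="websso.idp.local.url" value="https://192.168.1.142/adfs/ls" description="URL of ADFS ws-federation token issuer"/>
  <!-- Subject of the assertion wins over the userid attribute when both are present. -->
  <property name="websso.idp.local.useSubjectAsUserid" value="true" description="If true, and if subject is present in SAML; it is used as userid"/>
  <property name="websso.idp.local.useridAttributeName" value="upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" description="SAML attribute to use for userid"/>
  <!-- Description corrected: this property maps the username, not the userid. -->
  <property name="websso.idp.local.usernameAttributeName" value="name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" description="SAML attribute to use for username"/>
  <!-- Both TLS checks are switched off, so the HTTPS connection to websso.idp.local.url is not
       authenticated at all (any certificate, any hostname is accepted). Test-lab values only; set both to
       true wherever the IdP has a trusted certificate. -->
  <property name="websso.idp.local.verifySSLHostname" value="false" description="Set to false to skip SSL server hostname validation"/>
  <property name="websso.idp.local.verifyServerCert" value="false" description="Set to false to skip SSL server certificate validation"/>
</group>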
...