Here, you can specify general settings for SAML federations.
This is kept in the root of the federations JSON object.
Maximum acceptable time difference in minutes - allows for clock skew between issuer and service provider.
Default: 2
JSON key is websso.samlsigning.maxtimedifference.minutes
Semicolon-separated list of names to use for authentication methods in the SAML document - e.g. 6=LDAP;42=NemID;43=SMS OTP
- If a plugin ID is not mapped to another name, the value of the authmethod attribute/claim is the plugin ID of the authentication method used to authenticate the user.
Default: None
JSON key is websso.samlsigning.maxtimedifference.minutes
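As an added example (not part of the original page or of Ceptor itself), the two settings above as a practitioner would check them: the `id=name;id=name` list is parsed with the documented fall-back to the plugin ID, and assertion times are accepted only within the configured skew (default 2 minutes) on each side of the NotBefore/NotOnOrAfter window. The timestamps are constructed sample values.

```python
from datetime import datetime, timedelta


def parse_authmethod_names(mapping):
    """Parse 'id=name;id=name', e.g. '6=LDAP;42=NemID;43=SMS OTP', into {'6': 'LDAP', ...}."""
    names = {}
    for entry in mapping.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty or trailing entry
        plugin_id, _, name = entry.partition("=")
        names[plugin_id.strip()] = name.strip()
    return names


def authmethod_claim(mapping, plugin_id):
    """Value of the authmethod claim: the mapped name, or the plugin ID itself when unmapped."""
    return parse_authmethod_names(mapping).get(str(plugin_id), str(plugin_id))


def _parse(ts):
    # SAML IssueInstant/NotBefore/NotOnOrAfter are UTC timestamps with a trailing 'Z'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def within_time_window(not_before, not_on_or_after, now, max_diff_minutes=2):
    """Accept the assertion window widened on both sides by the configured clock skew."""
    skew = timedelta(minutes=max_diff_minutes)
    t = _parse(now)
    return _parse(not_before) - skew <= t < _parse(not_on_or_after) + skew
```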
This is kept in a JSON object called proxy. Note that this configuration is shared with the OpenID Connect / JWT Federation configuration.
Check to enable HTTP proxy.
Default: false
JSON key is enabled
Hostname of the proxy server.
Default: 2
JSON key is host
TCP Port number of proxy server
Default: 8080
JSON key is port
Userid to authenticate to proxy server.
Default: None
JSON key is user
Password needed to authenticate to proxy server - can be encrypted, see Encrypting or Obfuscating Passwords
Default: None
JSON key is password
Hostnames matching this pattern will not be proxied.
Default: None
JSON key is noproxyfor
This is kept in the federation root as a JSON array called saml.serviceproviders.
SAML / WebSSO Service Providers - any service provider you wish to issue SAML tickets to should be configured here.
Default: None
JSON key is saml.serviceproviders - each service provider is a separate JSON object within this array.
Each SAML Service provider is a separate JSON object within the JSON Array saml.serviceproviders
Unique name of SAML Service Provider - this is the name that this provider is known under as referenced from Ceptor Gateway in the SAML/ADFS/WebSSO Authentication section - see the property "Service Provider Name"
Default: None
JSON key is name
Display name - this name can be used in presentation to users if they need to choose between providers.
Default: None
JSON key is display.name
Here, you can enter a description of the service provider - the description itself is not actively used anywhere, so it is just for informational purposes.
Default: None
JSON key is description
Service Provider URL - this is the URL that the login response ticket is sent to.
Default: None
JSON key is url
Issuer name - this name is seen by the Service Provider as the issuer of the SAML ticket.
Default: Ceptor
JSON key is issuer
Audience - if not set, defaults to URL. This will be added as audience in the SAML Response ticket.
Default: URL
JSON key is audience
List of valid identifiers for this service provider.
When a SAML Request is received, it contains an issuer - this issuer is matched against the defined identifiers, and the first configured service provider that matches, if any, is picked. Note that multiple identifiers can be configured.
Default: None
JSON key is identifiers (containing a JSON Array of strings)
When adding the role/groups attribute to a SAML ticket, only groups matching this pattern will be included.
Refer to the description of wildcard/regex patterns here: Locations - Conditions
Default: *
JSON key is role.pattern
Attributes to send as claims to Service Provider.
See SAML / JWT Attributes / Claims for information of content.
Default: None
JSON key is attributes - must be a JSON Array of Strings, each in format name=value
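As an added example (not part of the original page or of Ceptor's own code), the service-provider lookup described above run over a constructed saml.serviceproviders array: the AuthnRequest issuer is matched against each provider's identifiers, the audience falls back to the url when unset, and groups are filtered by role.pattern. The names and URLs are made up, and shell-style wildcards (fnmatch) are assumed as an approximation of the patterns documented under Locations - Conditions.

```python
import fnmatch
import json

# Constructed sample of the federation root; a real deployment has its own names and URLs.
FEDERATION_JSON = """
{
  "saml.serviceproviders": [
    {
      "name": "crm",
      "display.name": "CRM portal",
      "url": "https://crm.example.test/saml/acs",
      "issuer": "Ceptor",
      "identifiers": ["https://crm.example.test/sp", "urn:example:crm"],
      "role.pattern": "crm-*"
    },
    {
      "name": "wiki",
      "url": "https://wiki.example.test/acs",
      "audience": "urn:example:wiki",
      "identifiers": ["urn:example:wiki"]
    }
  ]
}
"""


def load_service_providers(config_text):
    """Read the saml.serviceproviders array from the federation JSON."""
    return json.loads(config_text)["saml.serviceproviders"]


def select_service_provider(providers, request_issuer):
    """First configured SP whose identifiers contain the AuthnRequest issuer, else None."""
    for sp in providers:
        if request_issuer in sp.get("identifiers", []):
            return sp
    return None


def effective_audience(sp):
    """Audience placed in the response: the configured value, or the SP URL when unset."""
    return sp.get("audience") or sp["url"]


def filter_roles(sp, groups):
    """Keep only groups matching role.pattern (default '*'); fnmatch wildcards are an assumption."""
    pattern = sp.get("role.pattern", "*")
    return [g for g in groups if fnmatch.fnmatchcase(g, pattern)]
```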
This contains the template for federation metadata.
In this template, you can define the SAML 2.0 Identity Provider Metadata Template - see Ceptor Gateway - Authentication - SAML/ADFS/WebSSO for how to retrieve this metadata at runtime. Using this template makes it possible to provide a URL from which the service provider can periodically retrieve the SAML Identity Provider Federation metadata.
This metadata contains information about the certificates needed to verify the signature; the macros %{signcert} and %{encryptcert} are replaced with the actual certificates loaded from the keystores.
Do not forget to adjust the information within to match your scenario.
You can find all the details you never wanted to know about federation metadata here: https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf or a simplified overview here: https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf For most integrations, the example will be enough for the Service Provider to retrieve the fields it needs, mainly the certificates.
Default: None
JSON key is identityprovider.metadata
In order to be able to modify all aspects of a SAML response before it is signed, it is possible to specify a SAML Response script that is executed immediately after generating the SAML response string, but before it is signed.
It can optionally return a modified string containing a customized SAML response, which will then be signed and returned.
The documentation in Ceptor Console when editing the script contains an example script written in Groovy that adds an additional Attribute to the SAML response before it is signed.
When the script is called, it has these variables available:
The context looks like the following:
```java
public class ScriptContext {
    /** Session Controller */
    public PTSServer sessionController;
    /** Configuration for session controller and authentication plugins */
    public Properties configuration;
    /** Session we are generating SAML responses for */
    public User session;
    /** SAML request as string, or null if no request present */
    public String samlRequest;
    /** Parsed SAML Request, or null if not present */
    public ADFSSamlRequest parsedSaml;
    /** Service Provider entry */
    public ADFSSamlSSOAuthPlugin.ServiceProviderEntry sp;
}
```
The context.parsedSaml attribute above has these values available:
```java
public static class ADFSSamlRequest {
    public boolean saml2;
    public String issueInstant;
    public String requestID;
    // SAML 2
    public String issuer;
    public String destination;
}
```
Default: None
JSON key is saml.response.script
The keystore is configured in a JSON object called keystore within the service provider's JSON object.
Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.
Default: None
JSON key is provider
Keystore type, usually PKCS12 or JKS
Default: PKCS12
JSON key is type
Name of file to load the keystore from - note that some keystores, e.g. Luna, do not have a file
Default: None
JSON key is file
Password for the keystore - can be encrypted, see Encrypting or Obfuscating Passwords
Default: None
JSON key is password
This is only needed if you have specific aliases in your keystore which have passwords that differ from the main keystore password - it allows you to specify a password for each alias specifically.
Default: None
JSON key is password.per.alias - this is a JSON Array with the format alias=password
If provided, only the private key with the specified alias will be loaded.
Default: None
JSON key is alias.privkey
If provided, only the certificate with the specified alias will be loaded
Default: None
JSON key is alias.cert
Allows you to provide the private key as an RSA key in PKCS#8 format by pasting it directly.
Default: None
JSON key is privatekey
Allows you to provide the certificate as Base64 encoded DER by pasting it directly instead of loading it from a keystore.
Default: None
JSON key is certificate
See also Keystore configuration for additional details of configuring keystores when using federation.
This is kept in the federation root as a JSON array called saml.identityproviders.
SAML / WebSSO Identity Providers - any identity provider you wish to be able to receive SAML Responses from must be configured here.
Default: None
JSON key is saml.identityproviders - each identity provider is a separate JSON object within this array.
Unique name of SAML Identity Provider.
This is the name that this provider is known under as referenced from Ceptor Gateway in the SAML/ADFS/WebSSO Authentication section - see the property "Identity Provider Name"
Default: None
JSON key is name
Display name - this name can be used in presentation to users if they need to choose between providers.
Default: None
JSON key is display.name
Here, you can enter a description of the identity provider - the description itself is not actively used anywhere, so it is just for informational purposes.
Default: None
JSON key is description
Enter SAML Identifier - defaults to Identity Provider Name if not entered.
This identifier is used in the wtrealm= parameter when redirecting to the identity provider to sign in.
Default: Identity Provider Name
JSON key is identifier
If specified, the audience in the received SAML response must match this pattern - wildcards can be used, and if not set, audience validation is not done.
Default: None
JSON key is expected.audience.pattern
If true, the subject from the SAML response, if present, is used as userid.
Default: None
JSON key is subject.as.userid
Semicolon separated list of attribute names - the first match will be used as userid if such an attribute is provided in the SAML response.
Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn;upn
JSON key is userid.attribute.name
Semicolon separated list of attribute names - the first match will be used as username if such an attribute is provided in the SAML response.
Default: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name;name
JSON key is username.attribute.name
Semicolon separated list of attribute names - the first match will be used as user groups if such an attribute is provided in the SAML response.
Default: http://schemas.microsoft.com/ws/2008/06/identity/claims/role;role
JSON key is role.attribute.name
Provided user groups must match this pattern, or they are ignored.
Default: None
JSON key is role.pattern
Pattern for deciding which attributes to copy from the SAML response into the session.
Default: *
JSON key is attributes.to.store.in.session
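As an added example (not part of the original page or of Ceptor's own code), the mapping rules above applied to a constructed, already-parsed SAML response: expected.audience.pattern is checked first (skipped when unset, as documented), userid comes from the subject or from the first matching name in userid.attribute.name, and roles and session attributes are filtered by their patterns. The attribute-name lists are the documented defaults; the other values are made up, and shell-style wildcards (fnmatch) are assumed for the patterns.

```python
import fnmatch

# Constructed identity-provider entry; the attribute-name lists are the documented defaults.
IDP = {
    "expected.audience.pattern": "https://gw.example.test/*",
    "subject.as.userid": False,
    "userid.attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn;upn",
    "username.attribute.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name;name",
    "role.attribute.name": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role;role",
    "role.pattern": "GW-*",
    "attributes.to.store.in.session": "http://schemas.*",
}
# Constructed, already-parsed SAML response: audience, subject and attribute statement.
RESPONSE = {
    "audience": "https://gw.example.test/saml",
    "subject": "jdoe",
    "attributes": {
        "upn": ["jdoe@example.test"],
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["Jane Doe"],
        "role": ["GW-Admins", "Domain Users"],
    },
}

def first_match(names, attributes):
    # Walk the semicolon-separated list; values of the first attribute present, else None.
    for name in names.split(";"):
        if name.strip() in attributes:
            return attributes[name.strip()]
    return None

def audience_ok(idp, audience):
    # No expected.audience.pattern means audience validation is skipped (as documented).
    pattern = idp.get("expected.audience.pattern")
    return True if not pattern else fnmatch.fnmatchcase(audience, pattern)

def map_response(idp, response):
    # Derive userid, username, filtered roles and session attributes from the response.
    if not audience_ok(idp, response["audience"]):
        raise ValueError("audience does not match expected.audience.pattern")
    attrs = response["attributes"]
    if idp.get("subject.as.userid") and response.get("subject"):
        userid = response["subject"]
    else:
        vals = first_match(idp["userid.attribute.name"], attrs)
        userid = vals[0] if vals else None
    names = first_match(idp["username.attribute.name"], attrs)
    # Assumption: a missing role.pattern or session pattern means keep everything ('*').
    roles = [r for r in (first_match(idp["role.attribute.name"], attrs) or [])
             if fnmatch.fnmatchcase(r, idp.get("role.pattern", "*"))]
    keep = idp.get("attributes.to.store.in.session", "*")
    session = {k: v for k, v in attrs.items() if fnmatch.fnmatchcase(k, keep)}
    return {"userid": userid, "username": names[0] if names else None, "roles": roles, "session": session}
```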
URL to identity provider.
If Ceptor Gateway redirects the user to the identity provider to ask for signin, it will use this URL, but add these query parameters to it: ?wa=wsignin1.0&id=passive&wtrealm=<SAML identifier>&wreply=<Return URL>&wct=<Timestamp>
Default: None
JSON key is url
List of known IP addresses (separated with semicolons). This list can be used by applications or the gateway to automatically redirect to specific Identity Providers if the client uses a matching IP address.
Default: None
JSON key is known.ip.list
SAML2 Identity Provider Federation Metadata - if specified, it is retrieved online from the Identity Provider - the keys/certificates present in the metadata will be used for validating the SAML response instead of having to configure certificates manually.
Default: None
JSON key is metadata.url
Number of minutes between refreshes of the metadata from the metadata URL, if specified.
Default: 120
JSON key is metadata.update.interval.minutes
If metadata cannot be retrieved from online, it can instead be pasted here.
Default: None
JSON key is metadata
Template for providing Service Provider Metadata to Identity Provider.
%{signcert} will be replaced with the signing certificate, and %{encryptcert} will be replaced with the encryption certificate.
The encryption certificate is optionally loaded from the Keystore configuration.
Default: None
JSON key is serviceprovider.metadata
This is a template for how the generated SAML Request should look - remember to modify URLs to match your scenario.
Default: None
JSON key is samlrequest
The keystore is configured in a JSON object called keystore within the identity provider's JSON object.
Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.
Default: None
JSON key is provider
Keystore type, usually PKCS12 or JKS
Default: PKCS12
JSON key is type
Name of file to load the keystore from - note that some keystores, e.g. Luna, do not have a file
Default: None
JSON key is file
Password for the keystore - can be encrypted, see Encrypting or Obfuscating Passwords
Default: None
JSON key is password
This is only needed if you have specific aliases in your keystore which have passwords that differ from the main keystore password - it allows you to specify a password for each alias specifically.
Default: None
JSON key is password.per.alias - this is a JSON Array with the format alias=password
If provided, only the private key with the specified alias will be loaded.
Default: None
JSON key is alias.privkey
If provided, only the certificate with the specified alias will be loaded
Default: None
JSON key is alias.cert
Allows you to provide the private key as an RSA key in PKCS#8 format by pasting it directly.
Default: None
JSON key is privatekey
Allows you to provide the certificate as Base64 encoded DER by pasting it directly instead of loading it from a keystore.
Default: None
JSON key is certificate
See also Keystore configuration for additional details of configuring keystores when using federation.
This configuration is stored in the JSON Object signer.certificates inside the identity provider JSON.
Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.
Default: None
JSON key is provider
Provide a list of filenames or certificates directly within the configuration.
This allows you to specify additional trusted signer certificates for use when validating signed SAML Responses - note that if you are already loading federation metadata from online, or have it pasted, the certificates configured here are in addition to the ones from the metadata.
Default: None
JSON key is certificates - which is a JSON Array of strings, each containing a filename of a certificate in .cer (binary or base64 encoded), .der or .p7b format or the certificate itself, if starting with -----BEGIN CERTIFICATE-----
See also Keystore configuration for additional details of configuring keystores when using federation.
This configuration is stored in the JSON Object encryption.certificates inside the identity provider JSON.
Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.
Default: None
JSON key is provider
If you wish to specify an encryption certificate for use when encrypting a SAML request, you can do so here - normally you would use federation metadata for this, but it can be specified manually.
Default: None
JSON key is certificate
This configuration is stored in the JSON Object ssl inside the identity provider JSON.
Uncheck to disable SSL server certificate validation - if checked, SSL server certificates must either match installed root certificates in the JVM, or one of the additionally specified certificates.
Default: true
JSON key is verify.server.cert
Uncheck to disable SSL hostname verification - if checked, the SSL hostname is matched up against the SSL server certificate.
Default: true
JSON key is verify.hostname
Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.
Default: None
JSON key is provider - inside accepted.certificates JSON object within the ssl object.
Provide a list of filenames or certificates directly within the configuration.
This allows you to specify additional SSL server issuer trust certificates for use when validating the signed SSL server certificate when retrieving metadata from a remote site.
Default: None
JSON key is certificates - inside accepted.certificates JSON object within the ssl object.