Here, you can specify general settings for SAML federations

Federations

SAML Configuration

This is kept in the root of the federations JSON object.

Max Time Difference

Maximum acceptable time difference in minutes - allows for clock skew between issuer and service provider.

Default: 2
JSON key is websso.samlsigning.maxtimedifference.minutes

Authentication Methods

List separated by semicolon - list of names to use for authention methods in SAML document - e.g. 6=LDAP;42=NemID;43=SMS OTP - If not mapped to another name, the value for authmethod attribute/claim is the plugin ID of the authentication method used to authenticate the user.

Default: None
JSON key is websso.samlsigning.maxtimedifference.minutes

HTTP Proxy configuration

This is kept in a JSON object called proxy. Note that this configuration is shared with the OpenID Connect / JWT Federation configuration.

Enabled

Check to enable HTTP proxy.

Default: false
JSON key is enabled

Hostname

Maximum acceptable time difference in minutes - allows for clock skew between issuer and service provider.

Default: 2
JSON key is host

Port

TCP Port number of proxy server

Default: 8080
JSON key is port

Userid

Userid to authenticate to proxy server.

Default: None
JSON key is user

Password

Password needed to authenticate to proxy server - can be encrypted, see Encrypting or Obfuscating Passwords

Default: None
JSON key is password

No Proxy For

Hostname matching this pattern will not be proxied

Default: None
JSON key is noproxyfor

SAML Service Providers

SAML / WebSSO Service Provider configuration

This is kept in the federation root as a JSON array called saml.serviceproviders.

Service Providers

SAML / WebSSO Service Providers - any service provider you wish to issue SAML tickets to should be configured here.

Default: None
JSON key is saml.serviceproviders - each service provider is a separate JSON object within this array.

SAML / WebSSO Service Provider

Each SAML Service provider is a separate JSON object within the JSON Array saml.serviceproviders

SAML / WebSSO Service Provider

Name

Unique name of SAML Service Provider - this is the name that this provider is known under as referenced from Ceptor Gateway in the SAML/ADFS/WebSSO Authentication section -see the property "Service Provider Name"

Default: None
JSON key is name

Display Name

Display name - this name can be used in presentation to users if they need to choose between providers.

Default: None
JSON key is display.name

Description

Here, you can enter a description of the service provider - the description itself is not actively used anywhere, so it is just for informational purposes.

Default: None
JSON key is description

URL

Service Provider URL - this is the URL that the login response ticket is sent to.

Default: None
JSON key is url

Issuer

Issuer name - this name is seen by the Service Provider as the issuer of the SAML ticket.

Default: Ceptor
JSON key is issuer

Audience

Audience - if not set, defaults to URL. This will be added as audience in the SAML Response ticket.

Default: URL
JSON key is audience

Identifiers

List of valid identifiers for this service provider.

When a SAML Request is received, it contains an issuer - this issuer is matched up against the defined identifiers, and the first configured service provider that matches, if any is picked. Note that multiple identifiers can be configured.

Default: None
JSON key is identifiers (containing a JSON Array of strings)

Role Pattern

When adding the role/groups attribute to a SAML ticket, only groups matching this pattern will be included.

Refer to description of wildcards/regex patterns here: Locations - Conditions

Default: *
JSON key is role.pattern

Attributes

Attributes to send as claims to Service Provider.

See SAML / JWT Attributes / Claims for information of content.

Default: None
JSON key is attributes - must be a JSON Array of Strings, each in format name=value

IDP Metadata Template

This contains the template for federation metadata.

In this template, you can define the SAML 2.0 Identity Provider Metadata Template - see here: Ceptor Gateway - Authentication - SAML/ADFS/WebSSO how to retrieve this metadata at runtime - using this template make it possible to provide an URL where the service provider can periodically retrieve the SAML Identity Provider Federation metadata from.

This metadata contains information about certificates needed to verify the signature, the macros %{signcert} and %{encryptcert} are replaced with the actual certificates loaded from the keystores.

Do not forget to adjust the information within to match your scenario.

You can find all the details you never wanted to know about federation metadata here: https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf or a simplified overview here: https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

For most integrations, the example will be enough for the Service Provider to retrieve fields he needs, mainly the certificates.

Default: None
JSON key is identityprovider.metadata

SAML Response Script

In order to be able to modify all aspects of a SAML response before it is signed, it is possible to specify a SAML Response script that is executed immediately after generating the SAML response string, but before it is signed.

It can optionally return a modified string containing a customized SAML response, which will then be signed and returned.

The documentation in Ceptor Console when editing the script contains an example script written in Groovy that adds an additional Attribute to the SAML response before it is signed.

When the script is called, it has these variables available:

samlversion - 1 or 2 depending on which SAML type response is being generated
context - Script context, with additional attributes about the user context available - see below
input - SAML Response about to be created - can be modified and returned.

The context looks like the following:

Context

public class ScriptContext {
	/** Session Controller */
	public PTSServer sessionController;

	/** Configuration for session controller and authentication plugins */
	public Properties configuration;

	/** Session we are generating SAML responses for */
	public User session;

	/** SAML request as string, or null if no request present */
	public String samlRequest;

	/** Parsed SAML Request, or null if not present */
	public ADFSSamlRequest parsedSaml;

	/** Service Provider entry */
	public ADFSSamlSSOAuthPlugin.ServiceProviderEntry sp;
}

The context.parsedSaml attribute above has these values available:

public static class ADFSSamlRequest {
	public boolean saml2;
	public String issueInstant;
	public String requestID;
		
	// SAML 2
	public String issuer;
	public String destination;
}

Default: None
JSON key is saml.response.script

Keystore

The keystore is configured in a JSON object called keystore within the service provider's JSON object.

Key or certificate configuration

JCE Provider

Name of JCE provider - if left blank, platform default is used. Can be set to e.g. Luna to support hardware crypto providers assuming Luna JCE provider is installed.

Default: None
JSON key is provider

Keystore type

Keystore type, usually PKCS12 or JKS

Default: PKCS12
JSON key is type

Filename

Name of file to load keystore from - note that some keystores, e.g. Luna does not have a file

Default: None
JSON key is file