Objective

This handler handles the SAML request at the IDP and the SAML response at the SP.

Fully Qualified Name

org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler

Configuration

The handler should be configured in WEB-INF/picketlink-handlers.xml.

Example:
WEB-INF/picketlink-handlers.xml

Configuration Parameters

| # | Name | Type | Objective | SP/IDP | Since Version |
|---|------|------|-----------|--------|---------------|
| 1 | CLOCK_SKEW_MILIS | string | A long value in milliseconds to add a clock skew to assertion expiration validation at the Service Provider. | SP | 2.0 |
| 2 | DISABLE_AUTHN_STATEMENT | boolean | Setting a value will disable the generation of an AuthnStatement. | IDP | 2.0 |
| 3 | DISABLE_SENDING_ROLES | boolean | Setting any value will disable the generation and return of roles to the SP. | IDP | 2.0 |
| 4 | DISABLE_ROLE_PICKING | boolean | Setting to true will disable picking IDP attribute statements. | SP | 2.0 |
| 5 | ROLE_KEY | String | A csv list of strings that represent the roles coming from the IDP. | SP | 2.0 |
| 6 | ASSERTION_CONSUMER_URL | String | The URL to be used for assertionConsumerURL. | SP | 2.0 |
| 7 | NAMEID_FORMAT | String | Setting to a value will provide the nameid format to be sent to the IDP. | SP | 2.0 |
| 8 | ASSERTION_SESSION_ATTRIBUTE_NAME | String | Specifies the name of the session attribute where the assertion will be stored. The assertion is stored as a DOM Document. This option is useful when you need to obtain the user's assertion to propagate or validate it against the STS. | SP | 2.1.7 |
| 9 | SINGLE_ATTRIBUTE_STATEMENT | boolean | Specifies that a single attribute statement must be used when creating the assertion. By default, the IdP creates two statements: one with roles and another with user-defined attributes. If this option is set to true, the IdP will merge all attributes in a single statement. | IDP | 2.7.0.CR1 |
Example:
WEB-INF/picketlink-handlers.xml
NAMEID_FORMAT:

The transient and persistent nameid-formats are used to obfuscate the actual identity in order to make linking activities extremely difficult between different SPs being served by the same IDP. A transient policy only lasts for the duration of the login session, where a persistent policy will reuse the obfuscated identity across multiple login sessions.

The value can either be one of the following "official" values or a vendor-specific value supported by the IDP. Any string value is passed through as-is to the Format attribute of the NameIDPolicy in the AuthnRequest.

urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
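The following is an added illustration, not this page's own example file, of an SP-side WEB-INF/picketlink-handlers.xml that wires up the handler with several of the parameters listed above and the persistent NAMEID_FORMAT discussed in this section. The Handlers/Handler/Option element names and the namespace are assumed from PicketLink's handler configuration schema and are not stated on this page; the option values are constructed samples.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (SP side). Element names and the namespace below are assumed
     from PicketLink's handler configuration schema; only the Option keys and the
     handler class name come from this page. Other handlers in the chain are omitted. -->
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">

    <!-- Tolerate up to 2 seconds of clock drift when validating assertion expiry.
         Keep this value small: every millisecond added here extends the window in
         which an expired assertion is still accepted by the SP. -->
    <Option Key="CLOCK_SKEW_MILIS" Value="2000"/>

    <!-- Ask the IDP for a persistent pseudonymous identifier instead of the raw
         account name, so the identity cannot easily be correlated across SPs.
         The string is passed as-is into the AuthnRequest's NameIDPolicy Format. -->
    <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>

    <!-- Constructed csv list of strings representing the roles coming from the IDP. -->
    <Option Key="ROLE_KEY" Value="Role,memberOf"/>

    <!-- URL the IDP is asked to send the response to (assertionConsumerURL);
         use the SP's HTTPS endpoint. Constructed hostname. -->
    <Option Key="ASSERTION_CONSUMER_URL" Value="https://sp.example.com/app/"/>

    <!-- Keep the assertion (as a DOM Document) under this session attribute so the
         application can propagate it to, or validate it against, the STS (since 2.1.7). -->
    <Option Key="ASSERTION_SESSION_ATTRIBUTE_NAME" Value="org.picketlink.sp.assertion"/>

  </Handler>
</Handlers>
```

On the IDP side the same Handler element would instead carry IDP-scoped options such as SINGLE_ATTRIBUTE_STATEMENT; SP-only options are ignored there.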
