JBoss Community Archive (Read Only)

PicketLink

SAML2AuthenticationHandler

Objective

This handler processes the SAML request at the IDP and the SAML response at the SP.

Fully Qualified Name

org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler

Configuration

The handler is configured in WEB-INF/picketlink-handlers.xml.

Example:

WEB-INF/picketlink-handlers.xml
<Handlers xmlns="urn:picketlink:identity-federation:handler:config:1.0">
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler"/>
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler"/>
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler"/>
  <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
</Handlers>

Configuration Parameters

1. CLOCK_SKEW_MILIS
   Type: String
   Objective: a long value in milliseconds that adds a clock skew to assertion expiration validation at the Service Provider
   SP/IDP: SP
   Since Version: 2.0

2. DISABLE_AUTHN_STATEMENT
   Type: boolean
   Objective: Setting a value disables the generation of an AuthnStatement
   SP/IDP: IDP
   Since Version: 2.0

3. DISABLE_SENDING_ROLES
   Type: boolean
   Objective: Setting any value disables the generation and return of roles to the SP
   SP/IDP: IDP
   Since Version: 2.0

4. DISABLE_ROLE_PICKING
   Type: boolean
   Objective: Setting to true disables picking IDP attribute statements
   SP/IDP: SP
   Since Version: 2.0

5. ROLE_KEY
   Type: String
   Objective: a comma-separated list of strings that represent the roles coming from the IDP
   SP/IDP: SP
   Since Version: 2.0

6. ASSERTION_CONSUMER_URL
   Type: String
   Objective: the URL to be used as the assertionConsumerURL
   SP/IDP: SP
   Since Version: 2.0

7. NAMEID_FORMAT
   Type: String
   Objective: Setting a value provides the NameID format to be sent to the IDP (see the NAMEID_FORMAT section below)
   SP/IDP: SP
   Since Version: 2.0

8. ASSERTION_SESSION_ATTRIBUTE_NAME
   Type: String
   Objective: Specifies the name of the session attribute where the assertion is stored. The assertion is stored as a DOM Document. This option is useful when you need to obtain the user's assertion to propagate it or validate it against the STS.
   SP/IDP: SP
   Since Version: 2.1.7

9. SINGLE_ATTRIBUTE_STATEMENT
   Type: boolean
   Objective: Specifies that a single attribute statement must be used when creating the assertion. By default, the IDP creates two statements: one with roles and another with user-defined attributes. If this option is set to true, the IDP merges all attributes into a single statement.
   SP/IDP: IDP
   Since Version: 2.7.0.CR1

Example:

WEB-INF/picketlink-handlers.xml
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
  <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
</Handler>
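To make the CLOCK_SKEW_MILIS option concrete, the following is a stand-alone model of the expiration check an SP performs on an assertion's Conditions element and of how a skew in milliseconds widens the accepted window. It is an added example, not PicketLink's own code; the assertion, issuer and audience values are constructed.

```python
"""Stand-alone model of the SP-side expiration check that CLOCK_SKEW_MILIS widens.
Added example, not PicketLink code; the assertion below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion with a five-minute validity window;
# issuer and audience are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_instant(value):
    """Parse an xsd:dateTime in UTC ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def conditions_valid(assertion_xml, now, clock_skew_millis=0):
    """Check <Conditions> NotBefore/NotOnOrAfter against 'now', returning (ok, reason).
    The skew widens the window on both sides, so an assertion that expired less
    than clock_skew_millis ago is still accepted."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        return False, "missing Conditions"
    skew = timedelta(milliseconds=clock_skew_millis)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False, "not yet valid"
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False, "expired"
    return True, "valid"

def check_at(now_iso, clock_skew_millis=0):
    """Evaluate the sample assertion as seen by an SP whose clock reads now_iso."""
    return conditions_valid(SAMPLE_ASSERTION, parse_saml_instant(now_iso), clock_skew_millis)

if __name__ == "__main__":
    # 30 s past expiry: rejected with no skew, accepted with a 60 s (60000 ms) skew.
    print(check_at("2024-01-01T12:05:30Z"))
    print(check_at("2024-01-01T12:05:30Z", clock_skew_millis=60000))
```

Because the skew widens the acceptance window in both directions, size it to the drift actually observed between the IDP and SP clocks rather than to a generous safety margin.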

NAMEID_FORMAT:

The transient and persistent NameID formats obfuscate the actual identity so that linking a user's activities across different SPs served by the same IDP is extremely difficult. A transient policy only lasts for the duration of the login session, whereas a persistent policy reuses the obfuscated identity across multiple login sessions.

The value can be either one of the following standard values or a vendor-specific value supported by the IDP. Any string value is passed through as-is to the Format attribute of the NameIDPolicy element in the AuthnRequest.

urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:17:59 UTC, last content change 2014-10-07 12:47:24 UTC.