SecurityToken Service Configuration (PicketLinkSTS Element)
To issue/renew/cancel/validate SAML tokens, the IDP relies on the PicketLink STS API and configuration. This configurations define how the tokens should be used by the IDP.
This PicketLinkSTS element defines the basic configuration for the Security Token Service. The table bellow provides more information about the attributes supported by this element:
|
Name |
Description |
Value |
|
STSName |
Name for this STS configuration. |
Name for this Security Token Service. |
|
TokenTimeout |
Defines the token timeout in miliseconds. |
Defaults to 3600 miliseconds. |
|
ClockSkew |
Defines the clock skew, or timing skew, for the token timeout. |
Defaults to 2000 miliseconds. |
|
SignToken |
Indicates if the tokens should be signed. |
Values: true|false. Defaults to false. |
|
EncryptToken |
Indicates if the tokens should be encrypted. |
Values: true|false. Defaults to false. |
|
CanonicalizationMethod |
Sets the canonicalization method. |
Defaults to http://www.w3.org/2001/10/xml-exc-c14n#WithComments |
Security Token Providers (TokenProviders/TokenProvider elements)
The PicketLink STS defines the concept of Security Token Providers. This tokens providers are implementations of the interface org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider.
The purpose of providers is to plug any implementation for a specific token type. PicketLink provides default implementations for the following token type:
-
SAML v2.0: org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider
-
WS-Trust : org.picketlink.identity.federation.core.wstrust.plugins.saml.SAML20TokenProvider
Each provider is linked to a specific TokenType and TokenElementNS, both attributes of the TokenProvider element.
You can always provide your own implementation for a specific TokenType or customize the behaviour for one of the built-in providers.