14.5.7.7.4. Configuration Parameters

| # | Name | Type | Objective | SP/IDP | Since Version |
|---|---|---|---|---|---|
| 1 | CLOCK_SKEW_MILIS | String | A long value in milliseconds to add a clock skew to assertion expiration validation at the service provider. | SP | 2.0 |
| 2 | DISABLE_AUTHN_STATEMENT | boolean | Setting a value will disable the generation of an AuthnStatement. | IDP | 2.0 |
| 3 | DISABLE_SENDING_ROLES | boolean | Setting any value will disable the generation and return of roles to the SP. | IDP | 2.0 |
| 4 | DISABLE_ROLE_PICKING | boolean | Setting to true will disable picking IDP attribute statements. | SP | 2.0 |
| 5 | ROLE_KEY | String | A CSV list of strings that represent the roles coming from the IDP. | SP | 2.0 |
| 6 | ASSERTION_CONSUMER_URL | String | The URL to be used for assertionConsumerURL. | SP | 2.0 |
| 7 | NAMEID_FORMAT | String | Setting to a value will provide the NameID format to be sent to the IDP. | SP | 2.0 |
| 8 | ASSERTION_SESSION_ATTRIBUTE_NAME | String | Specifies the name of the session attribute where the assertion will be stored. The assertion is stored as a DOM Document. This option is useful when you need to obtain the user's assertion to propagate or validate it against the STS. | SP | 2.1.7 |
| 9 | AUTHN_CONTEXT_CLASSES | String | Specifies a single or a comma separated list of SAML Authentication Classes to be used when creating an AuthnRequest. The value can be a fully qualified name (FQN) or an alias. For each standard class name there is an alias, as defined by org.picketlink.common.constants.SAMLAuthenticationContextClass. | SP | 2.5.0 |
| 9 | REQUESTED_AUTHN_CONTEXT_COMPARISON | String | Specifies the Comparison attribute of the RequestedAuthnContext. This option should be used in conjunction with the AUTHN_CONTEXT_CLASSES option. Only the values defined by the specification are supported. | SP | 2.5.0 |
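The two SP-side checks that CLOCK_SKEW_MILIS and ROLE_KEY configure, written out as an added Python illustration (this is not PicketLink's own code). The assertion is a constructed sample, and it is assumed that the skew widens the Conditions window at both ends.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a 5-minute validity window and two attributes,
# only one of which ("Role") carries roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>admin</saml:AttributeValue>
      <saml:AttributeValue>user</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _parse_instant(value):
    # SAML timestamps are xsd:dateTime in UTC with a "Z" suffix
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_valid(assertion_xml, now_utc, clock_skew_millis="0"):
    """Check the Conditions window at `now_utc` (xsd:dateTime string).
    CLOCK_SKEW_MILIS arrives as a string; assumption: it widens the window
    at both ends, so it tolerates an SP clock that is fast or slow."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False  # no Conditions: reject rather than treat as open-ended
    now = _parse_instant(now_utc)
    skew = timedelta(milliseconds=int(clock_skew_millis))
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and now < _parse_instant(nb) - skew:
        return False
    if noa is not None and now >= _parse_instant(noa) + skew:  # NotOnOrAfter is exclusive
        return False
    return True

def pick_roles(assertion_xml, role_key):
    """Collect AttributeValues of attributes named in the ROLE_KEY csv list,
    which is what DISABLE_ROLE_PICKING="true" would switch off."""
    wanted = {k.strip() for k in role_key.split(",") if k.strip()}
    roles = []
    for attr in ET.fromstring(assertion_xml).findall(".//saml:Attribute", NS):
        if attr.get("Name") in wanted:
            roles.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return roles
```

A skew large enough to cover real clock drift is all that is needed; every extra second widens the window in which a replayed assertion is still accepted.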
14.5.7.7.4.1. Example:
Example 14.11. WEB-INF/picketlink-handlers.xml

```xml
<Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
  <Option Key="DISABLE_ROLE_PICKING" Value="true"/>
</Handler>
```
14.5.7.7.4.2. NAMEID_FORMAT:
The transient and persistent NameID formats are used to obfuscate the actual identity in order to make linking activities between different SPs served by the same IDP extremely difficult. A transient policy only lasts for the duration of the login session, whereas a persistent policy reuses the obfuscated identity across multiple login sessions.
The value can either be one of the following "official" values or a vendor-specific value supported by the IDP. Any string value is passed through as-is to the Format attribute of the NameIDPolicy in the AuthnRequest.

- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
- urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
- urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
- urn:oasis:names:tc:SAML:2.0:nameid-format:entity