Excluding elements from a WS-FED Request Security Token Response
The default configuration of a Verify Identity Access WS-Federation federation specifies a list of elements to exclude from the WS-Federation request security token response (RSTR). This default configuration enables WS-Federation single sign-on to work in the majority of scenarios, such as single sign-on to a Verify Identity Access appliance, and single sign-on to a Microsoft SharePoint deployment.
The custom property wsfed.idp.rstr.excluded.elements is used to exclude a
comma-separated list of elements. The elements that are excluded by default are "Forwardable",
"Delegatable", "Status", and "Renewing". The LMI displays the default custom property
wsfed.idp.rstr.excluded.elements with the following value:
default=Forwardable,Delegatable,Status,Renewing
Certain applications require a different set of excluded elements. For these cases, you can use the Verify Identity Access Advanced Configuration feature to set a custom property that specifies the set of elements. You must specify the federation realm to which your set applies. Optionally, you can also set elements on a per-partner basis for the federation.
You can use the following syntax to specify the elements that are needed:
default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:
<federation_realm>%<partner_realm>=<comma_separated_list_of_elements>
For example, if a federation requires that the only excluded elements are
Forwardable and Delegatable, you can modify the custom property.
For this example, to modify the custom property for a federation fed1 with a realm
fed1-REALM, set the custom property as follows:
default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable
You can also modify the custom property to allow for requirements specific to a federation partner.
For example, if federation fed1 from the example above has a partner
partner1 with a realm of partner1-REALM, and this partner allows
only the Status element to be excluded, you can set the custom property
wsfed.idp.rstr.excluded.elements as follows:
default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:
fed1-REALM%partner1-REALM=Status
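The following added example (not IBM code) parses a wsfed.idp.rstr.excluded.elements value in the syntax above and resolves which elements are excluded for a given federation realm and partner. It assumes the most specific entry wins (partner entry, then federation realm entry, then default) and that a value with no default entry falls back to the four documented defaults; both are assumptions, not documented behaviour.

```python
# Added example, not part of the product documentation or IBM code.
# Assumptions: precedence is partner entry > realm entry > default entry,
# and a value without a "default=" entry falls back to the built-in list.

# Built-in default exclusions named in the documentation.
DEFAULT_EXCLUDED = ("Forwardable", "Delegatable", "Status", "Renewing")

# Constructed sample value, taken from the per-partner example above.
SAMPLE_VALUE = (
    "default=Forwardable,Delegatable,Status,Renewing:"
    "fed1-REALM=Forwardable,Delegatable:"
    "fed1-REALM%partner1-REALM=Status"
)


def parse_excluded_elements(value):
    """Parse the property value into {scope_key: (element, ...)}.

    Scope keys are "default", "<federation_realm>" or
    "<federation_realm>%<partner_realm>", exactly as written in the value.
    Entries are separated by ":" and element names by ",".
    """
    scopes = {}
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"entry has no '=': {entry!r}")
        key, _, elements = entry.partition("=")
        key = key.strip()
        if not key:
            raise ValueError(f"entry has an empty scope key: {entry!r}")
        # An empty element list is valid and means "exclude nothing".
        scopes[key] = tuple(e.strip() for e in elements.split(",") if e.strip())
    # Assumption: missing "default=" falls back to the documented defaults.
    scopes.setdefault("default", DEFAULT_EXCLUDED)
    return scopes


def excluded_for(scopes, federation_realm, partner_realm=None):
    """Return the excluded elements for a realm (and optional partner realm)."""
    if partner_realm is not None:
        partner_key = f"{federation_realm}%{partner_realm}"
        if partner_key in scopes:
            return scopes[partner_key]
    if federation_realm in scopes:
        return scopes[federation_realm]
    return scopes["default"]
```
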
For information on how to use the LMI Advanced Configuration menu to set custom properties, see Managing advanced configuration.