SAML 1.1 module properties

Edit online

You can define SAML 1.1 token module self or partner properties.

Table 1. SAML 1.1 module properties
Appliance property Self or Partner Mode Description

com.tivoli.am.fim.sts.saml.1.1.
assertion.replay.validation

 SELF Validate Specifies whether to enable one-time assertion use enforcement.

Set to true to enable one-time use enforcement.

Set to false if you do not want to enforce one-time assertion use.

com.tivoli.am.fim.sts.saml.1.1.
assertion.verify.signatures

 PARTNER Validate Specifies whether to enable signature validation.

Set to true to enable validation.

Set to false if you do not want validation enabled.

com.tivoli.am.fim.sts.saml.1.1.
assertion.signature.use.keyinfo

 PARTNER Validate Specifies whether to use the KeyInfo of the XML signature to find the X.509 certificate for signature validation.

Set to true to use this method. Then, define the com.tivoli.am.fim.sts.saml.1.1. ValidateKeyIdentifier.keyinfo property.

Set to false, otherwise.

com.tivoli.am.fim.sts.saml.1.1.
ValidateKeyIdentifier.keyinfo

 PARTNER Validate Specifies a regular expression to validate the subject distinguished name returned in the KeyInfo, if com.tivoli.am.fim.sts.saml.1.1. assertion.signature.use.keyinfois set to true.

You can either specify this property or specify both of the following properties:

  • com.tivoli.am.fim.sts.saml.1.1. ValidateKeyIdentifier.db
  • com.tivoli.am.fim.sts.saml.1.1. ValidateKeyIdentifier.cert
If you specify all of these properties, the keystore alias format overwrites the com.tivoli.am.fim.sts.saml.1.1. ValidateKeyIdentifier.keyinfo property.

com.tivoli.am.fim.sts.saml.1.1.
ValidateKeyIdentifier.db

 PARTNER Validate Specifies the name of the certificate database to use for validation, if com.tivoli.am.fim.sts.saml.1.1. assertion.keystore.alias is set to true.

com.tivoli.am.fim.sts.saml.1.1.
ValidateKeyIdentifier.cert

 PARTNER Validate Specifies the name of the certificate label for validation, if com.tivoli.am.fim.sts.saml.1.1. assertion.keystore.alias is set to true.

com.tivoli.am.fim.sts.saml.1.1.
WantMultipleAttributeStatements

 PARTNER Validate Specifies whether to create multiple attribute statements in the Universal User.

If you specify false, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUserdocument. This setting is appropriate for most configurations.

com.tivoli.am.fim.sts.saml.1.1.
assertion.issuer

 SELF Issue, Exchange Specifies the name of the organization that issues assertions. This is required.

com.tivoli.am.fim.sts.saml.1.1.
assertion.pretime.valid

 SELF Issue, Exchange Specifies the number of seconds that assertions are valid before its issue date. There is no minimum or maximum value enforced, but a value is required.

Default: 60

com.tivoli.am.fim.sts.saml.1.1.

assertion.posttime.valid

 SELF Issue, Exchange Specifies the number of seconds that assertions are valid after its issue date. There is no minimum or maximum value enforced, but a value is required.

Default: 60
com.tivoli.am.fim.sts.saml.1.1. assertion.signature.use. inclusive.namespaces PARTNER Issue, Exchange Specifies whether to use the InclusiveNamespaces construct. This means using exclusive XML canonicalization for greater standardization. You must set this parameter without a prefix.

Set to true or false.

If unset, the system behaves as if it was set to true.

com.tivoli.am.fim.sts.saml.1.1.

assertion.attribute.types

 PARTNER Issue, Exchange Specifies the types of attributes to include in the assertion.

The default, an asterisk (*), includes all the attribute types that are specified in the identity mapping file.

To specify one or more attribute types individually, enter each attribute type.

Separate multiple type values using &&.

com.tivoli.am.fim.sts.saml.1.1.
assertion.sign

 PARTNER Issue, Exchange Specifies whether SAML assertions must be signed.

Set to true to sign assertions.

Set to false if signing is not required.

com.tivoli.am.fim.sts.saml.1.1.
SigningKeyIdentifier.db

 PARTNER Issue, Exchange Specifies the name of the keystore where the signing key is stored. For example, use DefaultKeyStore.

com.tivoli.am.fim.sts.saml.1.1.
signingKeyIdentifier.cert

 PARTNER Issue, Exchange Specifies the name of the signing key identifier. For example, use testkey.

com.tivoli.am.fim.sts.saml.1.1.
assertion.signature.include.
subject.keyid

 PARTNER Issue, Exchange Specifies whether to include the subject key identifier with your signature.

Set to true to include the subject key identifier.

Set to false to exclude the subject key identifier.

com.tivoli.am.fim.sts.saml.1.1.
assertion.signature.include.
public.key

 PARTNER Issue, Exchange Specifies whether to include the public key with your signature.

Set to Yes to include the public key.

Set to No to exclude the public key.

com.tivoli.am.fim.sts.saml.1.1.
assertion.signature.include.
issuer.details

 PARTNER Issue, Exchange Specifies whether to include the issuer details with your signature.

Set to Yes to include the issuer details.

Set to No to exclude the issuer details.

com.tivoli.am.fim.sts.saml.1.1.
assertion.signature.include.
subject.name

 PARTNER Issue, Exchange Specifies whether to include the subject name with your signature.

Set to Yes to include the subject name.

Set to No to exclude the subject name.

com.tivoli.am.fim.sts.saml.1.1.
assertion.signature.include.
cert.data

 PARTNER Issue, Exchange Specifies whether to include the certificate data with your signature.

Set to Yes to include the certificate data.

Set to No to exclude the certificate data.

If none of the assertion.signature.include.* properties are set, the system behaves as if com.tivoli.am.fim.sts.saml.1.1. assertion.signature.include.cert.data is set to true.

com.tivoli.am.fim.sts.saml.1.1.
SignatureAlgorithm

 PARTNER Issue, Exchange Specifies the signature algorithm to use for signing assertions. Valid values:
  • RSA-SHA1, set to http://w ww.w3.org/2000/09/xmldsig#rsa-sha1
  • RSA-SHA256, set to http:// www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • RSA-SHA512, set to http:// www.w3.org/2001/04/xmldsig-more#rsa-sha512

com.tivoli.am.fim.sts.saml.1.1.
assertion.SubjectConfirmationMethod

 PARTNER Issue, Exchange Specifies the subject confirmation method. Valid values:
  • No Subject Confirmation Method
  • urn:oasis:names:tc:SAML:1.1:cm:bearer
  • urn:oasis:names:tc:SAML:1.1:cm:holder-of-key
  • urn:oasis:names:tc:SAML:1.1:cm:sender-vouches