SAML Web Inbound TAI Custom Properties

The SAML Web Inbound Trust Association Interceptor (TAI) custom properties are used to determine the behavior of the Web inbound TAI, and to process the SAML token that is received in the inbound web request.

The following tables list the custom properties for the SAML Web inbound TAI. You can define these properties in the Custom Properties panel for the SAML Web inbound TAI using the administrative console.

The SAML Web inbound TAI supports multiple providers. To configure more than one provider, prefix each custom property with provider_<id>, for example provider_1.headerName. When multiple providers are configured, custom properties that have no prefix are ignored.

The properties are grouped into two categories:

  • Required Properties: Without these properties defined, the SAML Web inbound TAI does not initialize.
  • Optional Properties: These properties default to the value as documented. They are used to fine-tune the behavior of SAML Web inbound TAI.

Required Properties

Table 1. SAML Web Inbound TAI Required Properties

Property Name: headerName
Values: You can specify any string value. This property does not have a default value. Either headerName or parameterName must be specified.
Description: This property specifies a list of header names in the inbound request that the TAI looks for to extract the SAML token. You can specify a single header name or multiple header names that are separated by a comma or vertical bar character.

Example:

  headerName=saml_token
  headerName=header one, header two
  headerName=saml1 token|saml2 token|saml3_token

If both headerName and parameterName are specified, all applicable headers are checked for a SAML token before the parameters.

Property Name: parameterName
Values: You can specify any string value. This property does not have a default value. Either parameterName or headerName must be specified.
Description: This property specifies a list of parameter names in the inbound request that the TAI looks for to extract the SAML token. You can specify a single parameter name or multiple parameter names that are separated by a comma or vertical bar character.

Example:

  parameterName=saml_token
  parameterName=param one, param two
  parameterName=saml1 token|saml2 token|saml3_token

If both headerName and parameterName are specified, all applicable headers are checked for a SAML token before the parameters.
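The following Python model, added here as an illustration and not part of the product or of IBM's implementation, shows how the property rules described above combine: provider_<id>. prefixes are grouped per provider and unprefixed properties are dropped once any prefix exists, list values are split on commas or vertical bars, a provider with neither headerName nor parameterName cannot initialize, and headers are checked in configured order before any parameter. The Request class, SAMPLE_PROPS and the token strings are constructed for the example and are not a servlet API or real tokens.

```python
import re
from dataclasses import dataclass, field

# Matches provider-prefixed property keys such as "provider_1.headerName".
PREFIX_RE = re.compile(r"^provider_([^.]+)\.(.+)$")


def resolve_providers(props):
    """Group TAI custom properties by provider id.

    As documented, once any property carries a provider_<id>. prefix the
    unprefixed properties are ignored; with no prefixed properties at all the
    unprefixed ones form a single implicit provider keyed "default".
    """
    providers = {}
    for key, value in props.items():
        m = PREFIX_RE.match(key)
        if m:
            providers.setdefault(m.group(1), {})[m.group(2)] = value
    return providers if providers else {"default": dict(props)}


def split_names(value):
    """Split a property value on commas or vertical bars, trimming whitespace."""
    if not value:
        return []
    return [n.strip() for n in re.split(r"[,|]", value) if n.strip()]


def can_initialize(provider):
    """A provider needs at least one header name or one parameter name."""
    return bool(split_names(provider.get("headerName"))
                or split_names(provider.get("parameterName")))


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request (not a servlet API)."""
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def extract_token(provider, req):
    """Return (location, token) or None if no configured header/parameter is present.

    Headers are checked in their configured order before any parameter, which
    is the precedence the documentation describes when both properties are set.
    Header names are matched case-insensitively, as HTTP header names are;
    parameter names are matched exactly.
    """
    if not can_initialize(provider):
        raise ValueError("headerName or parameterName must be specified")
    lowered = {k.lower(): v for k, v in req.headers.items()}
    for name in split_names(provider.get("headerName")):
        if name.lower() in lowered:
            return ("header:" + name, lowered[name.lower()])
    for name in split_names(provider.get("parameterName")):
        if name in req.params:
            return ("parameter:" + name, req.params[name])
    return None


# Constructed sample configuration with two providers; the unprefixed
# headerName is deliberately present to show that it is ignored.
SAMPLE_PROPS = {
    "provider_1.headerName": "saml1 token|saml2 token|saml3_token",
    "provider_1.parameterName": "saml_token",
    "provider_2.parameterName": "param one, param two",
    "headerName": "unprefixed_and_ignored",
}

if __name__ == "__main__":
    providers = resolve_providers(SAMPLE_PROPS)
    req = Request(headers={"SAML2 Token": "<hdr-token>"},
                  params={"saml_token": "<param-token>"})
    for pid, cfg in sorted(providers.items()):
        print(pid, extract_token(cfg, req))
```

Running the block prints provider 1 picking the token from the "saml2 token" header even though a matching parameter is also present, and provider 2 finding nothing because neither of its parameter names is in the request.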

Optional Properties

Table 2. SAML Web Inbound TAI Optional Properties

Property Name: setLtpaCookie
Values: You can specify one of the following values:
  • true
  • false (Default)
Description: This property specifies whether the SAML Web inbound TAI must set the LTPA token in the response. By default, the TAI does not set the LTPA cookie in the response.

Property Name: signatureAlgorithm
Values: You can specify one of the following values:
  • SHA128 (Default)
  • SHA256
Description: This property specifies the algorithm that is used to sign the SAML token. If this property is set to SHA256, the SAML token in the request must be signed with the SHA256 signature algorithm, or the request is rejected.

Property Name: clockSkew
Values: You can specify any positive number. The default is 3 minutes (180000 milliseconds).
Description: This property specifies the allowed clock skew, in milliseconds, that is applied when the SAML token is validated.

Property Name: userIdentifier
Values: By default, this property is set to the value of the NameID attribute of the SAML Subject.
Description: This property specifies the name of the SAML attribute whose value is used as the user ID.

Example:

  userIdentifier=RunAsUser

Property Name: mapIdentityToRegistryUser
Values: You can specify one of the following values:
  • true
  • false (Default)
Description: When this property is set to false, the WebSphere® subject is populated with the user and groups that are specified in the SAML assertion. When the property is set to true, the SAML Web inbound TAI maps the user from the SAML token to the same user in the WebSphere user registry. This requires that all users be maintained in the WebSphere user registry.

Property Name: groupIdentifier
Values: You can specify any string value. This property does not have a default value.
Description: This property specifies the name of the SAML attribute whose values are included as group members in the subject.

Property Name: realmIdentifier
Values: By default, this property is set to the SAML Issuer name.
Description: This property specifies the name of the SAML attribute whose value is used as the subject realm. If this property is not specified, the SAML issuer name is used as the realm name.

Property Name: realmName
Values: You can specify any string value. This property does not have a default value.
Description: This property specifies the realm name to be used for the SAML assertion. If both the realmIdentifier and realmName properties are specified, the realmName property overrides the value of realmIdentifier.

Property Name: filter
Values: For information about defining this property, see SAML TAI filter property. Table 4 details the filter property operators.
Description: This property is used to specify a condition that is checked against the web request to determine whether the request is selected to be processed by the SAML web inbound TAI.

Example:

  filter="request-url%=helloworld"

Property Name: audiences
Values: You can specify a comma-separated list of URI values. This property does not have a default value.
Description: This property specifies a list of allowed audience URIs that is compared against the list of audience URIs specified by the <AudienceRestriction> element in the SAML assertion. The SAML token validation fails if none of the URIs from this list exists in the SAML assertion.

Property Name: trustStore
Values: This property does not have a default value.
Description: This property specifies the truststore that is used to validate the SAML signature. It specifies the name of a managed keystore.

Property Name: keyStore
Values: This property does not have a default value.
Description: This property specifies the name of the managed keystore that contains the private key for decrypting an encrypted SAML assertion.