SAML Web Inbound TAI Custom Properties
The SAML Web Inbound Trust Association Interceptor (TAI) custom properties are used to determine the behavior of the Web inbound TAI, and to process the SAML token that is received in the inbound web request.
The following tables list the custom properties for the SAML Web inbound TAI. You can define these properties in the Custom Properties panel for the SAML Web inbound TAI using the administrative console.
The SAML Web inbound TAI supports multiple providers. To configure more than one provider, prefix each custom property with provider_<id>, for example provider_1.headerName. When multiple providers are configured, custom properties that have no prefix are ignored.
The properties are grouped into two categories:
- Required Properties: Without these properties defined, the SAML Web inbound TAI does not initialize.
- Optional Properties: These properties default to the value as documented. They are used to fine-tune the behavior of SAML Web inbound TAI.
Required Properties
Property Name | Values | Description |
---|---|---|
headerName | Any string value. This property has no default value. Either headerName or parameterName must be specified. | Specifies a list of header names in the inbound request that the TAI inspects to extract the SAML token. You can specify a single header name, or several header names separated by a comma or a vertical bar character. Example: If both |
parameterName | Any string value. This property has no default value. Either parameterName or headerName must be specified. | Specifies a list of request parameter names in the inbound request that the TAI inspects to extract the SAML token. You can specify a single parameter name, or several parameter names separated by a comma or a vertical bar character. Example: If both |
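The provider-prefix rule and the headerName / parameterName lookup described above, as an added Python example (this is not the TAI's own code). It assumes that the request is represented as two plain dicts (headers and parameters), that headers are searched before parameters (the page does not state the order), and that the caller names the provider whose properties apply; the configuration and request below are constructed sample data.

```python
"""Locate the SAML token in an inbound request following the rules the
custom properties describe. Added example, not the TAI's code."""
import re

# headerName / parameterName values are separated by a comma or a vertical bar.
NAME_SEPARATOR = re.compile(r"[,|]")


def provider_properties(props, provider=None):
    """Return the custom properties that apply to one provider.

    Keys such as "provider_1.headerName" belong to provider "provider_1".
    When any prefixed property exists, unprefixed properties are ignored
    (as the page states); otherwise the unprefixed properties are returned.
    """
    configured = {k.split(".", 1)[0] for k in props
                  if k.startswith("provider_") and "." in k}
    if not configured:
        return dict(props)
    if provider is None:
        if len(configured) != 1:
            raise ValueError("several providers are configured; name one")
        provider = next(iter(configured))
    if provider not in configured:
        raise KeyError(provider)
    prefix = provider + "."
    return {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}


def split_names(value):
    """Split a headerName or parameterName value into individual names."""
    return [n.strip() for n in NAME_SEPARATOR.split(value or "") if n.strip()]


def find_saml_token(props, headers, params):
    """Return ("header" or "parameter", matched name, token), or None.

    Raises ValueError when neither headerName nor parameterName is set,
    which is the condition under which the TAI does not initialize.
    Assumption: headers are searched before parameters.
    """
    header_names = split_names(props.get("headerName"))
    param_names = split_names(props.get("parameterName"))
    if not header_names and not param_names:
        raise ValueError("headerName or parameterName must be specified")
    # HTTP header names are case-insensitive; parameter names are not.
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in header_names:
        if name.lower() in lowered:
            return ("header", name, lowered[name.lower()])
    for name in param_names:
        if name in params:
            return ("parameter", name, params[name])
    return None


# Constructed sample configuration: two providers plus an unprefixed
# property, which is ignored because prefixed properties exist.
SAMPLE_PROPS = {
    "headerName": "Ignored-Header",
    "provider_1.headerName": "SAMLToken|X-SAML-Assertion",
    "provider_1.parameterName": "SAMLResponse, saml_token",
    "provider_2.parameterName": "SAMLResponse",
}
# Constructed sample request; the token values are placeholders, not real assertions.
SAMPLE_HEADERS = {"Host": "app.example.com",
                  "x-saml-assertion": "PHNhbWw6QXNzZXJ0aW9uLz4="}
SAMPLE_PARAMS = {"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLz4="}

if __name__ == "__main__":
    for provider in ("provider_1", "provider_2"):
        cfg = provider_properties(SAMPLE_PROPS, provider)
        print(provider, find_saml_token(cfg, SAMPLE_HEADERS, SAMPLE_PARAMS))
```

With provider_1 the token is found in the X-SAML-Assertion header even though the header arrives in lower case; with provider_2, which defines no headerName, it is taken from the SAMLResponse parameter. Any value returned this way is still an untrusted byte string until the assertion's signature, time window and audience have been validated.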
Optional Properties
Property Name | Values | Description |
---|---|---|
setLtpaCookie | true or false. The default is false. | Specifies whether the SAML Web inbound TAI sets the LTPA token cookie in the response. By default, the TAI does not set the LTPA cookie in the response. |
signatureAlgorithm | One of the supported signature algorithm names, for example SHA256. | Specifies the signature algorithm with which the SAML token must be signed. If this property is set to SHA256, a SAML token in the request that is not signed with the SHA256 signature algorithm is rejected. Setting it prevents an assertion signed with a weaker algorithm than the one the identity provider actually uses from being accepted. |
clockSkew | Any positive number, in milliseconds. The default is 3 minutes (180000 milliseconds). | Specifies the allowed clock skew, in milliseconds, when the time conditions (NotBefore and NotOnOrAfter) of the SAML token are validated. Keep it as small as the clocks of the identity provider and WebSphere allow; a large skew extends the lifetime of a captured assertion. |
userIdentifier | Any SAML attribute name. By default, the value of the NameID element of the SAML Subject is used. | Specifies the name of the SAML attribute whose value is used as the user ID. Example: |
mapIdentityToRegistryUser | true or false. | When this property is set to false, the WebSphere® subject is populated with the user and groups carried in the SAML assertion, so the group claims made by the identity provider are trusted as they are. When it is set to true, the SAML Web inbound TAI maps the user from the SAML token to the same user in the WebSphere user registry, which requires that all users be maintained in the WebSphere user registry. |
groupIdentifier | Any string value. This property has no default value. | Specifies the name of the SAML attribute whose values are added as group memberships to the subject. |
realmIdentifier | Any SAML attribute name. By default, the SAML Issuer name is used. | Specifies the name of the SAML attribute whose value is used as the realm of the subject. If this property is not specified, the SAML Issuer name is used as the realm name. |
realmName | Any string value. This property has no default value. | Specifies a fixed realm name to use for the SAML assertion. If both realmIdentifier and realmName are specified, realmName overrides the value taken from realmIdentifier. |
filter | For information about defining this property, see SAML TAI filter property. Table 4 details the filter property operators. | Specifies a condition that is checked against the web request to determine whether the request is selected for processing by the SAML Web inbound TAI. |
audiences | A comma-separated list of URI values. This property has no default value. | Specifies the list of allowed audience URIs, which is compared against the audience URIs in the <AudienceRestriction> element of the SAML assertion. SAML token validation fails if none of the configured URIs is present in the assertion. Example: |
trustStore | The name of a managed keystore. This property has no default value. | Specifies the truststore used to validate the SAML signature. It should contain only the signing certificates of the identity providers that are trusted to issue assertions to this TAI. |
keyStore | The name of a managed keystore. This property has no default value. | Specifies the managed keystore that contains the private key for decrypting an encrypted SAML assertion. |
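The checks that the optional properties describe (signatureAlgorithm, clockSkew, audiences, and the userIdentifier / groupIdentifier / realmIdentifier / realmName / mapIdentityToRegistryUser mapping), as an added Python example that is not part of this page or of the TAI. Its assumptions: the signatureAlgorithm value is compared with the corresponding XML-DSig SignatureMethod URI; clockSkew is in milliseconds, with the 3-minute default written as 180000; mapIdentityToRegistryUser defaults to false and, when true, the subject's groups are taken from the registry; the cryptographic verification of the signature against the trustStore is not performed here (it needs XML-DSig canonicalization and the certificate lookup), only the declared algorithm is checked. The assertion, properties and registry are constructed sample data.

```python
"""Checks that the optional properties describe, applied to a SAML 2.0
assertion. Added example, not the TAI's code; the signature is not
cryptographically verified here, only its declared algorithm is checked."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: a signatureAlgorithm value maps to this XML-DSig SignatureMethod URI.
SIGNATURE_URIS = {
    "SHA256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "SHA1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}


def _ts(value):  # SAML xs:dateTime such as 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, props, now, registry=None):
    """Validate the assertion against the properties; return the subject identity.

    Raises ValueError on any failed check. `now` is a datetime or an ISO string;
    `registry` (dict user -> groups) stands in for the WebSphere user registry.
    """
    if isinstance(now, str):
        now = _ts(now)
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")

    # signatureAlgorithm: reject an assertion that declares any other algorithm.
    want = props.get("signatureAlgorithm")
    if want:
        method = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None or method.get("Algorithm") != SIGNATURE_URIS[want]:
            raise ValueError("assertion is not signed with %s" % want)

    # clockSkew in milliseconds (assumption: the 3-minute default is 180000)
    # widens the NotBefore / NotOnOrAfter window in both directions.
    skew = timedelta(milliseconds=int(props.get("clockSkew", 180000)))
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            raise ValueError("assertion is not yet valid")
        if na and now - skew >= _ts(na):
            raise ValueError("assertion has expired")

    # audiences: at least one configured URI must appear in AudienceRestriction.
    allowed = {u.strip() for u in props.get("audiences", "").split(",") if u.strip()}
    if allowed:
        present = {e.text.strip() for e in a.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text}
        if not allowed & present:
            raise ValueError("none of the configured audiences is in the assertion")

    # userIdentifier / groupIdentifier / realmIdentifier / realmName mapping.
    attrs = {}
    for att in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[att.get("Name")] = [v.text for v in att.findall("saml:AttributeValue", NS)]
    uid_attr = props.get("userIdentifier")
    user = attrs[uid_attr][0] if uid_attr else a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = list(attrs.get(props.get("groupIdentifier"), []))
    realm_attr = props.get("realmIdentifier")
    realm = props.get("realmName") or (
        attrs[realm_attr][0] if realm_attr else a.findtext("saml:Issuer", namespaces=NS))

    # mapIdentityToRegistryUser (assumed default false): when true the registry
    # is authoritative, so an unknown user is rejected and groups come from it.
    if props.get("mapIdentityToRegistryUser", "false").lower() == "true":
        if registry is None or user not in registry:
            raise ValueError("user %r is not in the user registry" % user)
        groups = list(registry[user])
    return {"user": user, "groups": groups, "realm": realm}


# Constructed sample assertion; the signature value is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
  <ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://app.example.com/sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue>
   <saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed sample properties, using the page's property names.
SAMPLE_PROPS = {"signatureAlgorithm": "SHA256", "clockSkew": "180000",
                "audiences": "https://app.example.com/sp,https://legacy.example.com/sp",
                "userIdentifier": "uid", "groupIdentifier": "groups"}

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, SAMPLE_PROPS, "2024-05-01T12:02:00Z"))
```

At 12:02 the sample assertion passes and yields user alice with the groups asserted by the identity provider; at 12:07 it still passes because the 3-minute skew covers the NotOnOrAfter of 12:05, while at 12:08:30 it is rejected. Switching mapIdentityToRegistryUser to true makes the registry, not the assertion, the source of the groups, and a user absent from the registry is rejected.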