The SAML 1.1 module validates and issues SAML 1.1 tokens.
The SAML 1.1 module is called Saml11STSTokenModule.
Security Assertion Markup Language 1.1 (SAML 1.1) is a version of the SAML standard for
exchanging authentication and authorization data between security domains. SAML 1.1 enables
web-based authentication and authorization scenarios including cross-domain single sign-on (SSO),
which helps reduce the administrative overhead of distributing multiple authentication tokens to the
user.
- Scenarios
  - Single sign-on federations
  - Custom trust chains
- Supported modes
  - Validate
  - Issue
  - Exchange
- Configuration properties
- Validate mode
- Enable one-time assertion use enforcement
- Specifies whether to use the assertion or token only once.
- Enable signature validation
- Enables or disables validation of signatures in the token module.
- Select a validation key
- Specifies the validation key that the partner must use.
- Use the KeyInfo of the XML signature to find the X509 certificate for signature validation
- Determines the appropriate certificate for signature validation. When you select this option,
you must provide the subject distinguished name that matches the certificate.
- RegExp
- Specifies a regular expression to validate the subject distinguished name returned in the KeyInfo.
- Use the keystore alias to find the public key for signature validation
- Specifies a public key for signature validation, which is the default. Select the certificate
database and label.
- Certificate Database
- Select the certificate database to use for validation.
- Certificate Label
- Select the certificate label for validation.
- Create multiple attribute statements in the Universal User
- Specifies whether to keep multiple attribute statements in the groups in which they were received. This option might be necessary if your custom identity mapping rules are written to operate on one or more specific groups of attribute statements.
  If you do not select this check box, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document. The default setting of the check box is not selected. This setting is appropriate for most configurations.
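The validate-mode options above (one-time assertion use, the validity window the issuer put in Conditions, and grouped versus merged attribute statements) can be illustrated with a small stand-alone checker. The following Python is an added example, not code from the token module or from IBM: the function and class names, the `[NotBefore, NotOnOrAfter)` handling, and the sample assertion are constructed for this illustration. Signature validation is deliberately left out; it belongs to the XML signature layer, not to these checks.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample assertion (not from the page): two AttributeStatements and a
# one-minute window. The Subject elements are omitted to keep the sample short.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    AssertionID="_constructed-assertion-0001" Issuer="example-issuer"
    IssueInstant="2024-01-01T12:00:00Z" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:01:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="email" AttributeNamespace="urn:example">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:example">
      <saml:AttributeValue>auditor</saml:AttributeValue>
      <saml:AttributeValue>viewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(text):
    """SAML 1.1 timestamps are UTC xsd:dateTime values ending in 'Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_validity_window(assertion, now):
    """Reject an assertion presented outside [NotBefore, NotOnOrAfter); returns NotOnOrAfter."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a Conditions window")
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if now < not_before:
        raise ValueError("assertion is not yet valid")
    if now >= not_on_or_after:  # NotOnOrAfter is exclusive
        raise ValueError("assertion has expired")
    return not_on_or_after


class OneTimeUseCache:
    """Remembers each AssertionID until its NotOnOrAfter passes, so a second
    presentation inside the validity window is rejected as a replay."""

    def __init__(self):
        self._seen = {}

    def register(self, assertion_id, not_on_or_after, now):
        # Entries past their NotOnOrAfter could not pass the window check anyway.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if not assertion_id:
            raise ValueError("assertion has no AssertionID")
        if assertion_id in self._seen:
            raise ValueError(f"assertion {assertion_id} has already been used")
        self._seen[assertion_id] = not_on_or_after


def collect_attributes(assertion, keep_groups):
    """keep_groups=True: one dict per AttributeStatement (the 'create multiple attribute
    statements' option); False: everything merged into a single AttributeList."""
    groups = []
    for stmt in assertion.findall("saml:AttributeStatement", NS):
        group = {}
        for attr in stmt.findall("saml:Attribute", NS):
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            group.setdefault(attr.get("AttributeName"), []).extend(values)
        groups.append(group)
    if keep_groups:
        return groups
    merged = {}
    for group in groups:
        for name, values in group.items():
            merged.setdefault(name, []).extend(values)
    return merged


def validate(xml_text, now, cache, keep_groups=False, one_time_use=True):
    """Validate-mode entry point: {'ok': True, 'attributes': ...} or {'ok': False, 'reason': ...}."""
    try:
        assertion = ET.fromstring(xml_text)
        not_on_or_after = check_validity_window(assertion, now)
        if one_time_use:
            cache.register(assertion.get("AssertionID"), not_on_or_after, now)
        return {"ok": True, "attributes": collect_attributes(assertion, keep_groups)}
    except (ValueError, ET.ParseError) as exc:
        return {"ok": False, "reason": str(exc)}
```

The replay cache only needs to hold an AssertionID for as long as the assertion's own window is open, which is why the purge is keyed on NotOnOrAfter; an entry held longer buys nothing, because the window check already rejects the assertion.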
- Issue and Exchange mode
- Name of the organization issuing the assertions
- Shows a string that specifies the name of the organization (for example, a company) that issues
the SAML assertions.
- Amount of time before the issue date that an assertion is considered valid (seconds)
- Default: 60 seconds. There is no minimum or maximum value enforced. This field must contain a value.
- Amount of time that the assertion is valid after being issued (seconds)
- Default: 60 seconds. There is no minimum or maximum value enforced. This field must contain a value.
- List the attribute types to include
- Specifies the types of attributes to be inserted during token creation. The attributes consist of information about the identity (user). Use && to separate attribute types. By default, all types are supported, as indicated by the asterisk (*) wildcard character. For example, to add user-defined attribute types type1 and type2, enter:
  type1&&type2
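How the two validity offsets and the `&&`-separated attribute type list shape an issued assertion can be shown in a few lines. The Python below is an added example and not the module's own code: the function names, the sample universal-user attributes and the choice to carry the STSUU attribute type as the SAML 1.1 AttributeNamespace are assumptions made for the illustration; the assertion it builds is unsigned and omits the Subject.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"


def saml(name):
    return f"{{{SAML1_NS}}}{name}"


def instant(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_issue_instant():
    """Constructed IssueInstant used by the sample below."""
    return datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def conditions_window(issue_instant, seconds_before=60, seconds_after=60):
    """NotBefore = IssueInstant - seconds_before, NotOnOrAfter = IssueInstant + seconds_after.
    Both fields must contain a value; no minimum or maximum is enforced."""
    if seconds_before is None or seconds_after is None:
        raise ValueError("both validity offsets must be set")
    return (issue_instant - timedelta(seconds=seconds_before),
            issue_instant + timedelta(seconds=seconds_after))


def parse_attribute_types(spec):
    """'*' (the default) allows every type; otherwise '&&' separates the allowed types.
    Returns None for the wildcard or a set of type strings."""
    spec = spec.strip()
    if spec == "*":
        return None
    types = {t.strip() for t in spec.split("&&") if t.strip()}
    if not types:
        raise ValueError("attribute type list is empty")
    return types


def select_attributes(attributes, allowed_types):
    """attributes: list of (name, type, values) triples taken from the universal user."""
    if allowed_types is None:
        return list(attributes)
    return [a for a in attributes if a[1] in allowed_types]


def build_assertion(issuer, issue_instant, attributes, attribute_types="*",
                    seconds_before=60, seconds_after=60,
                    assertion_id="_constructed-assertion-0002"):
    """Assemble a minimal SAML 1.1 assertion with a Conditions window and one
    AttributeStatement holding the attributes that pass the type filter."""
    not_before, not_on_or_after = conditions_window(issue_instant, seconds_before, seconds_after)
    ET.register_namespace("saml", SAML1_NS)
    assertion = ET.Element(saml("Assertion"), {
        "AssertionID": assertion_id, "Issuer": issuer,
        "IssueInstant": instant(issue_instant), "MajorVersion": "1", "MinorVersion": "1"})
    ET.SubElement(assertion, saml("Conditions"),
                  {"NotBefore": instant(not_before), "NotOnOrAfter": instant(not_on_or_after)})
    statement = ET.SubElement(assertion, saml("AttributeStatement"))
    for name, atype, values in select_attributes(attributes, parse_attribute_types(attribute_types)):
        # Assumption: the STSUU attribute type becomes the AttributeNamespace.
        attr = ET.SubElement(statement, saml("Attribute"),
                             {"AttributeName": name, "AttributeNamespace": atype})
        for value in values:
            ET.SubElement(attr, saml("AttributeValue")).text = value
    return assertion


def attribute_names(assertion):
    return [a.get("AttributeName") for a in assertion.iter(saml("Attribute"))]


def conditions_of(assertion):
    cond = assertion.find(saml("Conditions"))
    return cond.get("NotBefore"), cond.get("NotOnOrAfter")


# Constructed universal-user attributes (not from the page).
SAMPLE_ATTRIBUTES = [
    ("email", "type1", ["alice@example.test"]),
    ("role", "type2", ["auditor"]),
    ("department", "urn:example:other", ["security"]),
]

if __name__ == "__main__":
    a = build_assertion("Example Corp", sample_issue_instant(), SAMPLE_ATTRIBUTES, "type1&&type2")
    print(ET.tostring(a, encoding="unicode"))
```

With the defaults the window is two minutes wide around IssueInstant; widening either offset lengthens the time a captured assertion stays acceptable to a validator, so the offsets should be no larger than the clock skew between partners requires.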
- Sign SAML assertions
- Select if SAML assertions must be signed.
- Select the key for signing assertions
- Specifies the key to use when signing SAML assertions.
- Certificate Database
- Select the certificate database to use for validation.
- Certificate Label
- Select the certificate label for validation.
- Select the KeyInfo elements to include
- Determines which KeyInfo elements to include in the digital signature when signing a SAML message or assertion. Select one or more of the following elements.
- X509 Subject Key Identifier
- Select to include the X.509 subject key identifier with your signature. If not selected, the
subject key identifier is excluded. To change the default for this element, change it in the custom
properties.
- Public Key
- Select to include the public key with your signature. If not selected, the public key is
excluded. To change the default for this element, change it in the custom properties.
- X509 Subject Issuer Details
- Select to include the issuer name and the certificate serial number with your signature. If not
selected, the subject issuer details are excluded. To change the default for this element, change it
in the custom properties.
- X509 Subject Name
- Select to include the X.509 subject name with your signature. If not selected, the X.509 data is
excluded. To change the default for this element, change it in the custom properties.
- X509 Certificate Data
- Select to include the BASE64 encoded certificate data with your signature. If not selected, the
X.509 data is excluded. To change the default for this element, change it in the custom properties.
- Use Inclusive Namespaces
- Specifies whether to use the InclusiveNamespaces construct, which means employing exclusive XML canonicalization for greater standardization. The default is cleared.
  Note: If you do not select any of the KeyInfo elements, X.509 certificate data is still included in the signature by default.
- Signature algorithm for signing SAML assertions
- Specifies the signature algorithm to use to sign the SAML assertion.
  - RSA-SHA1: http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - DSA-SHA1: http://www.w3.org/2000/09/xmldsig#dsa-sha1
  - RSA-SHA256: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  Note: The chosen signature algorithm must match the signing key type that was set at the federation level to prevent a signature failure. For example, select DSA-SHA1 for DSA keys.
- Subject confirmation method
- Specifies the subject confirmation method for the assertion. You can select one confirmation method, or choose No Subject Confirmation Method. If you select the holder-of-key type, the default includes the X.509 Certificate Data in the KeyInfo for the SubjectConfirmationMethod. STSUniversalUser can provide the data for the subject confirmation method KeyInfo. The data can also be extracted from the signed request data.
  Valid values can be:
  - No Subject Confirmation Method
  - urn:oasis:names:tc:SAML:1.0:bearer
  - urn:oasis:names:tc:SAML:1.0:holder-of-key
  - urn:oasis:names:tc:SAML:1.0:sender-vouches
  You can use the identity mapping rules to add subject confirmation information to the STSUniversalUser:
  <stsuuser:Attribute name="SamlSubjectConfirmationMethod" type="urn:oasis:names:tc:SAML:1.0:assertion">
    <stsuuser:Value>urn:oasis:names:tc:SAML:1.0:cm:bearer</stsuuser:Value>
    <stsuuser:Value>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</stsuuser:Value>
  </stsuuser:Attribute>
  Another way to add subject confirmation information is by using configuration properties. See the topic on SAML 1.1 module properties.
  Note: The values set in the identity mapping rule take precedence over the settings in the configuration.
  For the SubjectConfirmationMethod to be issued correctly, the client must sign the RequestSecurityToken request and include a KeyInfo used for the subject confirmation method (SCM) when sending the RequestSecurityToken. To use the holder-of-key capability, the JavaScript mapping rules must be updated to insert the attribute into the STSUU. For example:
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="SamlSubjectConfirmationMethod" type="urn:oasis:names:tc:SAML:1.0:assertion">
      <stsuuser:Value>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:AttributeList>
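The two pieces of issue-mode behaviour described above, the KeyInfo element selection (with certificate data included when nothing is selected) and the subject confirmation method taken from the STSUU attribute ahead of the configured value, with a KeyInfo attached for holder-of-key, can be put together in one stand-alone example. The Python below is added here and is not the module's or IBM's code: the STSUU namespace URI, the certificate fields (Base64 placeholders), the RSA KeyValue layout and all function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
STSUU_NS = "urn:ibm:names:ITFIM:1.0:stsuuser"  # assumed STSUU namespace URI
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
NO_METHOD = "No Subject Confirmation Method"


def q(ns, name):
    return f"{{{ns}}}{name}"


# The page's holder-of-key mapping-rule fragment, with the assumed namespace declared.
STSUU_FRAGMENT = f"""<stsuuser:AttributeList xmlns:stsuuser="{STSUU_NS}">
  <stsuuser:Attribute name="SamlSubjectConfirmationMethod" type="{SAML1_NS}">
    <stsuuser:Value>{HOLDER_OF_KEY}</stsuuser:Value>
  </stsuuser:Attribute>
</stsuuser:AttributeList>"""
EMPTY_STSUU = f'<stsuuser:AttributeList xmlns:stsuuser="{STSUU_NS}"/>'

# Constructed certificate fields standing in for what the keystore label resolves to.
CERT = {
    "subject_name": "CN=sts.example.test,O=Example",
    "issuer_name": "CN=Example CA,O=Example",
    "serial_number": "123456",
    "ski_b64": "c2tpLXBsYWNlaG9sZGVy",
    "certificate_b64": "Y2VydC1wbGFjZWhvbGRlcg==",
    "modulus_b64": "bW9kdWx1cy1wbGFjZWhvbGRlcg==",
    "exponent_b64": "AQAB",
}


def confirmation_methods(stsuu_xml, configured_method):
    """Values set by the mapping rule take precedence; otherwise use the configured method."""
    root = ET.fromstring(stsuu_xml)
    for attr in root.iter(q(STSUU_NS, "Attribute")):
        if attr.get("name") == "SamlSubjectConfirmationMethod":
            values = [v.text.strip() for v in attr.findall(q(STSUU_NS, "Value")) if v.text]
            if values:
                return values
    return [] if configured_method == NO_METHOD else [configured_method]


def build_key_info(selected, cert):
    """selected: subset of {'ski', 'public_key', 'issuer_serial', 'subject_name', 'certificate'}.
    With nothing selected the certificate data is still included, as the module does by default."""
    selected = set(selected) or {"certificate"}
    key_info = ET.Element(q(DS_NS, "KeyInfo"))
    if "public_key" in selected:
        rsa = ET.SubElement(ET.SubElement(key_info, q(DS_NS, "KeyValue")), q(DS_NS, "RSAKeyValue"))
        ET.SubElement(rsa, q(DS_NS, "Modulus")).text = cert["modulus_b64"]
        ET.SubElement(rsa, q(DS_NS, "Exponent")).text = cert["exponent_b64"]
    x509 = ET.SubElement(key_info, q(DS_NS, "X509Data"))
    if "issuer_serial" in selected:
        iss = ET.SubElement(x509, q(DS_NS, "X509IssuerSerial"))
        ET.SubElement(iss, q(DS_NS, "X509IssuerName")).text = cert["issuer_name"]
        ET.SubElement(iss, q(DS_NS, "X509SerialNumber")).text = cert["serial_number"]
    if "ski" in selected:
        ET.SubElement(x509, q(DS_NS, "X509SKI")).text = cert["ski_b64"]
    if "subject_name" in selected:
        ET.SubElement(x509, q(DS_NS, "X509SubjectName")).text = cert["subject_name"]
    if "certificate" in selected:
        ET.SubElement(x509, q(DS_NS, "X509Certificate")).text = cert["certificate_b64"]
    if len(x509) == 0:  # only a public key was requested
        key_info.remove(x509)
    return key_info


def build_subject_confirmation(methods, cert, key_info_selection=("certificate",)):
    """saml:SubjectConfirmation with one ConfirmationMethod per value; holder-of-key
    additionally carries a KeyInfo identifying the key the subject must prove possession of."""
    sc = ET.Element(q(SAML1_NS, "SubjectConfirmation"))
    for method in methods:
        ET.SubElement(sc, q(SAML1_NS, "ConfirmationMethod")).text = method
    if HOLDER_OF_KEY in methods:
        sc.append(build_key_info(key_info_selection, cert))
    return sc


def local_names(element):
    """Local names of all descendants, handy for inspecting what was emitted."""
    return [child.tag.split("}")[1] for child in element.iter() if child is not element]
```

Because the mapping rule wins over the configured method, a rule that inserts holder-of-key turns a federation configured for bearer into one issuing holder-of-key assertions; reviewing mapping rules is therefore part of reviewing the subject confirmation policy.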