SAML 2.0 module properties
You can define SAML 2.0 token module self or partner properties.
| Appliance property | Self or Partner | Mode | Description |
|---|---|---|---|
| com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation | SELF | Validate | Specifies whether to enable one-time assertion use enforcement. Set to Set to Note: If the assertion to be validated has `<saml:OneTimeUse></saml:OneTimeUse>` in the assertion conditions, then one-time assertion use is enforced even though the property is disabled. |
| com.tivoli.am.fim.sts.saml.2.0.assertion.verify.signatures | PARTNER | Validate | Specifies whether to enable signature validation. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.keyinfo | PARTNER | Validate | Specifies whether to use the KeyInfo of the XML signature to find the X509 certificate for signature validation. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias | PARTNER | Validate | Specifies whether to use the keystore alias to find the public key for signature validation. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier | PARTNER | Validate | Specifies a regular expression to validate the subject distinguished name returned in the KeyInfo, if com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.keyinfo is set to true. You can either specify this property or specify both of the following properties: |
| com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db | PARTNER | Validate | Specifies the name of the certificate database to use for validation, if com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias is set to true. |
| com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.cert | PARTNER | Validate | Specifies the name of the certificate label for validation, if com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias is set to true. |
| com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.db | PARTNER | Validate | Specifies the name of the keystore for the decryption key. For example, use DefaultKeyStore. |
| com.tivoli.am.fim.sts.saml.2.0.DecryptionKeyIdentifier.cert | PARTNER | Validate | Specifies the name of the decryption key. For example, use testkey. |
| com.tivoli.am.fim.sts.saml.2.0.WantMultipleAttributeStatements | PARTNER | Validate | Specifies whether to create multiple attribute statements in the Universal User. If you specify false, multiple attribute statements are arranged into a single group (AttributeList) in the STSUniversalUser document. This setting is appropriate for most configurations. |
| com.tivoli.am.fim.sts.saml.2.0.map.unknown.alias | PARTNER | Validate | Specifies whether to map unknown name identifiers to the anonymous username. |
| com.tivoli.am.fim.sts.saml.2.0.assertion.default.nameidformat | PARTNER | Validate | Specifies the default NameID format for assertion validation. Specify a parameter for use during validation of a SAML assertion. The parameter determines the processing rules for the NameID element when one of the following conditions exists: |
| com.tivoli.am.fim.sts.saml.2.0.assertion.issuer | SELF | Issue, Exchange | Specifies the name of the organization that issues assertions. This is required. |
| com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid | SELF | Issue, Exchange | Specifies the number of seconds that assertions are valid before their issue date. There is no minimum or maximum value enforced, but a value is required. Default: |
| com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid | SELF | Issue, Exchange | Specifies the number of seconds that assertions are valid after their issue date. There is no minimum or maximum value enforced, but a value is required. Default: |
| SAML2.IncludeInclusiveNamespaces | PARTNER | Issue, Exchange | Specifies whether to use the InclusiveNamespaces construct, that is, exclusive XML canonicalization for greater standardization. You must set this parameter without a prefix. Set to true or false. If unset, the system behaves as if it was set to true. |
| com.tivoli.am.fim.sts.saml.2.0.assertion.attribute.types | PARTNER | Issue, Exchange | Specifies the types of attributes to include in the assertion. The default, an asterisk ( To specify one or more attribute types individually, enter each attribute type. Separate multiple type values using |
| com.tivoli.am.fim.sts.saml.2.0.assertion.sign | PARTNER | Issue, Exchange | Specifies whether SAML assertions must be signed. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.SigningKeyIdentifier.db | PARTNER | Issue, Exchange | Specifies the name of the keystore where the signing key is stored. For example, use DefaultKeyStore. |
| com.tivoli.am.fim.sts.saml.2.0.signingKeyIdentifier.cert | PARTNER | Issue, Exchange | Specifies the name of the signing key identifier. For example, use testkey. |
| com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.keyid | PARTNER | Issue, Exchange | Specifies whether to include the subject key identifier with your signature. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.public.key | PARTNER | Issue, Exchange | Specifies whether to include the public key with your signature. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.issuer.details | PARTNER | Issue, Exchange | Specifies whether to include the issuer details with your signature. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.subject.name | PARTNER | Issue, Exchange | Specifies whether to include the subject name with your signature. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data | PARTNER | Issue, Exchange | Specifies whether to include the certificate data with your signature. Set to Set to If none of the assertion.signature.include.* properties are set, the system behaves as if com.tivoli.am.fim.sts.saml.2.0.assertion.signature.include.cert.data is set to true. |
| com.tivoli.am.fim.sts.saml.2.0.SignatureAlgorithm | PARTNER | Issue, Exchange | Specifies the signature algorithm to use for signing assertions. Valid values: |
| com.tivoli.am.fim.sts.saml.2.0.DigestAlgorithm | PARTNER | Issue, Exchange | Specifies the digest algorithm used to sign SAML messages. Valid values: |
| com.tivoli.am.fim.sts.saml.2.0.EncryptAssertions | PARTNER | Issue, Exchange | Specifies whether assertions are to be encrypted. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.db | PARTNER | Issue, Exchange | Specifies the name of the keystore where the encryption key is stored. For example, use DefaultKeyStore. |
| com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyIdentifier.cert | PARTNER | Issue, Exchange | Specifies the name of the encryption key. For example, use testkey. |
| com.tivoli.am.fim.sts.saml.2.0.EncryptAllAttributes | PARTNER | Issue, Exchange | Specifies whether all Attribute elements within the assertions are to be encrypted. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.EncryptNameIdentifiers | PARTNER | Issue, Exchange | Specifies whether NameID elements in the assertions are to be encrypted. Set to Set to |
| com.tivoli.am.fim.sts.saml.2.0.BlockEncryptionAlgorithm | PARTNER | Issue, Exchange | Specifies the block encryption algorithm. |
| com.tivoli.am.fim.sts.saml.2.0.EncryptionKeyTransportAlgorithm | PARTNER | Issue, Exchange | Specifies the key transport algorithm used to encrypt SAML messages. Valid values are: |
| com.tivoli.am.fim.sts.saml.2.0.assertion.SubjectConfirmationMethod | PARTNER | Issue, Exchange | Specifies the subject confirmation method. Valid values: |
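The table states several dependencies between properties that are easy to get wrong in a hand-edited property set: the ValidateKeyIdentifier regular expression applies when KeyInfo lookup is enabled, both ValidateKeyIdentifier.db and ValidateKeyIdentifier.cert are needed when keystore-alias lookup is enabled, the issuer and the two validity windows are required, and SAML2.IncludeInclusiveNamespaces and the signature.include.* group have "if unset" defaults. The following Python checker is an added example, not IBM's code, that lints a property set against those rules. It assumes the properties are available as key=value text (the sample below is constructed), that the boolean properties take the literal values true and false, and that an anchored ValidateKeyIdentifier pattern is preferable; the page does not state how the appliance matches that pattern, so the anchoring check is an assumption rather than a documented rule.

```python
"""Lint a SAML 2.0 token module property set against the rules in the table.

Added example, not IBM code. Assumptions not stated on the page: properties
arrive as key=value lines, boolean properties use the literal strings
true/false, and the ValidateKeyIdentifier pattern should be anchored.
"""
import re

PREFIX = "com.tivoli.am.fim.sts.saml.2.0."
INCLUDE_SUFFIXES = ("subject.keyid", "public.key", "issuer.details", "subject.name", "cert.data")

# Constructed sample configuration (not from the page): a partner that
# validates signatures but has several gaps the lint should catch.
SAMPLE_PROPERTIES = """\
com.tivoli.am.fim.sts.saml.2.0.assertion.verify.signatures=true
com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation=false
com.tivoli.am.fim.sts.saml.2.0.assertion.signature.use.keyinfo=true
com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier=CN=partner-idp
com.tivoli.am.fim.sts.saml.2.0.assertion.keystore.alias=true
com.tivoli.am.fim.sts.saml.2.0.ValidateKeyIdentifier.db=DefaultKeyStore
com.tivoli.am.fim.sts.saml.2.0.assertion.issuer=https://sts.example.test
com.tivoli.am.fim.sts.saml.2.0.assertion.pretime.valid=60
com.tivoli.am.fim.sts.saml.2.0.assertion.posttime.valid=abc
"""


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_true(props, short_name):
    """Boolean property test; short_name is the part after the common prefix."""
    return props.get(PREFIX + short_name, "").lower() == "true"


def effective_defaults(props):
    """Resolve the two 'if unset' rules the table states."""
    # IncludeInclusiveNamespaces is set without the prefix and defaults to true.
    inclusive = props.get("SAML2.IncludeInclusiveNamespaces", "true").lower() == "true"
    any_include = any(PREFIX + "assertion.signature.include." + s in props for s in INCLUDE_SUFFIXES)
    # With no include.* property set, the module behaves as if cert.data were true.
    cert_data = is_true(props, "assertion.signature.include.cert.data") if any_include else True
    return {"inclusive_namespaces": inclusive, "include_cert_data": cert_data}


def lint(props):
    """Return (short property name, message) pairs for each weak or incomplete setting."""
    findings = []
    if not is_true(props, "assertion.verify.signatures"):
        findings.append(("assertion.verify.signatures",
                         "not true: partner assertion signatures are not validated"))
    if not is_true(props, "assertion.replay.validation"):
        findings.append(("assertion.replay.validation",
                         "not true: one-time use is enforced only for assertions that carry saml:OneTimeUse"))

    if is_true(props, "assertion.signature.use.keyinfo"):
        pattern = props.get(PREFIX + "ValidateKeyIdentifier")
        if not pattern:
            findings.append(("ValidateKeyIdentifier",
                             "missing while use.keyinfo is true: the subject DN taken from KeyInfo is not constrained"))
        else:
            try:
                re.compile(pattern)
            except re.error as exc:
                findings.append(("ValidateKeyIdentifier", f"invalid regex: {exc}"))
            else:
                # Assumption: anchor the pattern so only the intended DN matches.
                if not (pattern.startswith("^") and pattern.endswith("$")):
                    findings.append(("ValidateKeyIdentifier",
                                     "pattern is unanchored; use ^...$ so only the intended subject DN matches"))
    if is_true(props, "assertion.keystore.alias"):
        for suffix in ("db", "cert"):
            if not props.get(f"{PREFIX}ValidateKeyIdentifier.{suffix}"):
                findings.append((f"ValidateKeyIdentifier.{suffix}",
                                 "missing while keystore.alias is true; both .db and .cert are required"))

    if not props.get(PREFIX + "assertion.issuer"):
        findings.append(("assertion.issuer", "required for Issue/Exchange mode"))
    for window in ("assertion.pretime.valid", "assertion.posttime.valid"):
        value = props.get(PREFIX + window)
        if value is None:
            findings.append((window, "a value is required"))
        else:
            try:
                int(value)
            except ValueError:
                findings.append((window, f"must be a number of seconds, got {value!r}"))
    return findings
```

Run `lint(parse_properties(SAMPLE_PROPERTIES))` to get the list of findings; on the constructed sample it reports the disabled replay check, the unanchored subject DN pattern, the missing ValidateKeyIdentifier.cert, and the non-numeric posttime window.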