SAML 2.0 Properties

This section contains an alphabetized reference of the SAML 2.0 metadata properties supported in the Perl Policy Management API.
The properties apply to one or more of the following SAML 2.0 objects:
  • SAML 2.0 affiliation.
    A SAML 2.0 affiliation is a set of entities that share a single federated namespace of unique Name IDs for principals.
  • SAML 2.0 authentication scheme and its associated Identity Provider definition.
    The Identity Provider creates SAML assertions for the Service Provider that configured the Identity Provider and its associated SAML 2.0 authentication scheme.
  • Service Provider.
    A Service Provider provides services (such as access to applications and other resources) to principals within a federation.
    A Service Provider uses a SAML 2.0 authentication scheme to transparently validate a principal based on the information in a SAML assertion. The assertion is supplied by the Identity Provider associated with the authentication scheme.
Reference Notes
  • All property values are provided as strings.
  • Unless otherwise specified, properties have the following maximum lengths:
    • URIs and URLs must be less than 1,024 characters
    • All other strings must not exceed 255 characters
SAML_AFFILIATION
  • Required
    No
  • Default
    None
  • Description
    The SAML 2.0 affiliation to associate with this object.
    Service Providers share the Name ID properties across the affiliation. Identity Providers share the user disambiguation properties across the affiliation.
    A Service Provider or Identity Provider can belong to only one SAML 2.0 affiliation.
    If a SAML affiliation is specified, the NAMEID properties (for example, SAML_SP_NAMEID_FORMAT) are not used. CA Single Sign-On uses the NAMEID information in the specified affiliation.
    An Identity Provider is assigned to an affiliation through its associated SAML 2.0 authentication scheme.
    For more information about SAML 2.0 affiliations, see the description of the CreateSAMLAffiliation method.
SAML_AUDIENCE
  • Required
    Yes
  • Default
    None
  • Description
    The URI of the expected audience for a Service Provider. The audience expected by the Service Provider must match the audience specified in the assertion.
    The audience might also be sent in an authentication request.
SAML_DESCRIPTION
  • Required
    No
  • Default
    None
  • Description
    A brief description of the affiliation, authentication scheme, or Service Provider object.
SAML_DISABLE_SIGNATURE_PROCESSING
  • Required
    No
  • Default
    0
  • Description
    Specifies whether to disable all signature processing, both signing and signature validation.
    It may be useful to disable signature validation during the initial setup of a provider and during debugging. During normal runtime, this property should be set to 0 (signature processing enabled).
    Valid values: 0 (false) and 1 (true).
SAML_DSIG_ALGO
  • Required
    No
  • Default
    1
  • Description
    Specifies the XML Federation Signature algorithm with one of the following values:
    1 = RSAwithSHA1
    2 = RSAwithSHA256
SAML_DSIG_VERINFO_ISSUER_DN
  • Required
    With SAML 2.0 Authentication Schemes:
    Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
    • SAML_SLO_REDIRECT_BINDING
    • SAML_ENABLE_SSO_POST_BINDING
    With Service Providers:
    Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
    • SAML_SLO_REDIRECT_BINDING
    • SAML_SP_REQUIRE_SIGNED_AUTHNREQUESTS
  • Default
    None
  • Description
    If the certificate of the Service Provider is not provided inline, this value is used along with SAML_DSIG_VERINFO_SERIAL_NUMBER to locate the certificate in the key store.
SAML_DSIG_VERINFO_SERIAL_NUMBER
  • Required
    With SAML 2.0 Authentication Schemes:
    Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
    • SAML_SLO_REDIRECT_BINDING
    • SAML_ENABLE_SSO_POST_BINDING
    With Service Providers:
    Required only if SAML_DISABLE_SIGNATURE_PROCESSING is 0 and one or both of the following are 1:
    • SAML_SLO_REDIRECT_BINDING
    • SAML_SP_REQUIRE_SIGNED_AUTHNREQUESTS
  • Default
    None
  • Description
    If the certificate of the Service Provider is not provided inline, this value is used along with SAML_DSIG_VERINFO_ISSUER_DN to locate the certificate in the key store.
SAML_ENABLE_SSO_ARTIFACT_BINDING
  • Required
    No
  • Default
    0
  • Description
    Specifies whether artifact binding is supported by the Service Provider and enabled by the Identity Provider.
    Valid values: 0 (false) and 1 (true).
SAML_ENABLE_SSO_POST_BINDING
  • Required
    No
  • Default
    0
  • Description
    Specifies whether HTTP POST binding is supported by the Service Provider and enabled by the Identity Provider.
    Valid values: 0 (false) and 1 (true).
    See also SAML_DSIG_VERINFO_ISSUER_DN and SAML_DSIG_VERINFO_SERIAL_NUMBER.
SAML_ENABLED
  • Required
    No
  • Default
    1
  • Description
    Specifies whether the Service Provider is activated.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_AD_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for AD directories.
    If user disambiguation is being performed on a user in an AD directory, but no AD search specification has been provided for this property, the default search specification defined on the CA Single Sign-On User Directory Properties dialog is used.
    Assigning a search specification to this property is recommended for the following reasons:
    • When using the default search specification, the Policy Server might duplicate login ID prefixes and suffixes that are already present in the ID extracted from the assertion.
    • If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
    When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
SAML_IDP_ARTIFACT_RESOLUTION_DEFAULT_SERVICE
  • Required
    Yes, if SAML_ENABLE_SSO_ARTIFACT_BINDING is 1
  • Default
    None
  • Description
    A URL specifying the default artifact resolution service for the Identity Provider.
SAML_IDP_BACKCHANNEL_AUTH_TYPE
  • Required
    No
  • Default
    0
  • Description
    Specifies the type of authentication to use on the back channel. Valid values:
    • 0. Basic - Uses the specified Service Provider Name and password for authentication.
    • 1. Client Cert - Uses the specified Service Provider ID and password to look up the certificate in the keystore.
    • 2. No Auth - No authentication is required.
SAML_IDP_CUSTOM_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for custom user directories. If user disambiguation is being performed on a user in a custom directory, but no search specification is provided, the default search specification defined on the User Directory Properties dialog is used.
    When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
    If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
SAML_IDP_LDAP_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for LDAP directories.
    If user disambiguation is being performed on a user in an LDAP directory, but no search specification has been provided for this property, the default search specification defined on the User Directory Properties dialog is used.
    Assigning a search specification to this property is recommended for the following reasons:
    • When using the default search specification, the Policy Server might duplicate login ID prefixes and suffixes that are already present in the ID extracted from the assertion.
    • If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
    When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
SAML_IDP_ODBC_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for ODBC directories.
    If user disambiguation is being performed on a user in an ODBC directory, but no ODBC search specification has been provided for this property, the default search specification defined on the User Directory Properties dialog is used.
    Assigning a search specification to this property is recommended for the following reasons:
    • When using the default search specification, the Policy Server might duplicate login ID prefixes and suffixes that are already present in the ID extracted from the assertion.
    • If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the CA Single Sign-On User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
    When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
SAML_IDP_PASSWORD
  • Required
    Yes, if SAML_IDP_BACKCHANNEL_AUTH_TYPE is set to 0 or 1
  • Default
    None
  • Description
    The password to use for the back-channel authentication. The password is only used with the back-channel authentication types Basic and Client Cert.
SAML_IDP_PLUGIN_CLASS
  • Required
    No
  • Default
    None
  • Description
    The fully qualified name of a Java class that extends the functionality of this SAML 2.0 authentication scheme. The custom functionality is provided by an implementation of the interface MessageConsumerPlugin.java.
    Authentication has two phases: user disambiguation and user authentication (validation of the disambiguated user's credentials).
    If a plugin is configured for the authentication scheme, it is called as follows:
    • During user disambiguation, if the authentication scheme cannot disambiguate the user.
    Note: The plugin is not called in this phase if a search specification is not provided for the user directory where disambiguation is to occur (for example, SAML_IDP_LDAP_SEARCH_SPEC for an LDAP directory). In this case, the Policy Server performs the disambiguation, not the authentication scheme.
    • At the end of the default authentication phase, even if the user is validated successfully.
    A SAML 2.0 authentication scheme can be extended by only one message consumer plugin.
SAML_IDP_PLUGIN_PARAMS
  • Required
    No
  • Default
    None
  • Description
    Parameters to pass into the custom authentication scheme extension specified in SAML_IDP_PLUGIN_CLASS.
    The syntax of the parameter string is determined by the custom object.
SAML_IDP_REDIRECT_MODE_FAILURE
  • Required
    No
  • Default
    0
  • Description
    The redirection mode for SAML_IDP_REDIRECT_URL_FAILURE. Valid values:
    • 0. 302 No Data - HTTP 302 redirection. The URL for the target resource and the reason for the authentication failure are appended to the redirection URL. The SAML 2.0 Response message passed to the authentication scheme is not included.
    • 1. Http Post - HTTP POST redirection. The SAML 2.0 Response message passed to the authentication scheme and the Identity Provider's ID are generated by an HTTP form.
SAML_IDP_REDIRECT_MODE_INVALID
  • Required
    No
  • Default
    0
  • Description
    The redirection mode for SAML_IDP_REDIRECT_URL_INVALID. Valid values:
    • 0. 302 No Data - HTTP 302 redirection. The URL for the target resource and the reason for the authentication failure are appended to the redirection URL. The SAML 2.0 Response message passed to the authentication scheme is not included.
    • 1. Http Post - HTTP POST redirection. The SAML 2.0 Response message passed to the authentication scheme and the Identity Provider's ID are generated by an HTTP form.
SAML_IDP_REDIRECT_MODE_USER_NOT_FOUND
  • Required
    No
  • Default
    0
  • Description
    The redirection mode for SAML_IDP_REDIRECT_URL_USER_NOT_FOUND. Valid values:
    • 0. 302 No Data - HTTP 302 redirection. The URL for the target resource and the reason for the authentication failure are appended to the redirection URL. The SAML 2.0 Response message passed to the authentication scheme is not included.
    • 1. Http Post - HTTP POST redirection. The SAML 2.0 Response message passed to the authentication scheme and the Identity Provider's ID are generated by an HTTP form.
SAML_IDP_REDIRECT_URL_FAILURE
  • Required
    No
  • Default
    None
  • Description
    The redirection URL to use when the authentication information passed to the authentication scheme is not accepted to authenticate the user.
SAML_IDP_REDIRECT_URL_INVALID
  • Required
    No
  • Default
    None
  • Description
    The redirection URL to use when the authentication information passed to the authentication scheme is not formatted according to the SAML 2.0 standard.
SAML_IDP_REDIRECT_URL_USER_NOT_FOUND
  • Required
    No
  • Default
    None
  • Description
    The redirection URL to use in either of these circumstances:
    • The authentication scheme cannot obtain a login ID from the SAML 2.0 Response message passed to it.
    • The authentication scheme cannot find the user in the user directory.
    If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
SAML_IDP_REQUIRE_ENCRYPTED_ASSERTION
  • Required
    No
  • Default
    0
  • Description
    Specifies whether the assertion selected for authentication must be encrypted. If this property is 1 and the authentication scheme is passed an unencrypted assertion, the assertion cannot be authenticated.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_REQUIRE_ENCRYPTED_NAMEID
  • Required
    No
  • Default
    0
  • Description
    Specifies whether the Name ID of the principal contained in the assertion must be encrypted. If this property is 1 and the Name ID is not encrypted, the assertion cannot be authenticated.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_ATTRIBUTE_SERVICE
  • Required
    No
  • Default
    None
  • Description
    The URL of the Attribute Service on the Attribute Authority.
SAML_IDP_SAMLREQ_ENABLE
  • Required
    Yes
  • Default
    0
  • Description
    Indicates whether the SAML Requester is enabled.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_GET_ALL_ATTRIBUTES
  • Required
    No
  • Default
    0
  • Description
    Indicates whether the query sent to the Attribute Authority should contain no attributes. An empty attribute list is shorthand that asks the Attribute Authority to return all defined attributes.
SAML_IDP_SAMLREQ_NAMEID_ALLOW_NESTED
  • Required
    No
  • Default
    0
  • Description
    Indicates whether nested groups are allowed when selecting a DN attribute for the name identifier.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_NAMEID_ATTR_NAME
  • Required
    Yes, when NameIdType (SAML_IDP_SAMLREQ_NAMEID_TYPE) is set to 1 or 2.
  • Default
    None
  • Description
    The attribute name (user or DN) that holds the identifier name when NameIdType (SAML_IDP_SAMLREQ_NAMEID_TYPE) is set to 1 or 2.
SAML_IDP_SAMLREQ_NAMEID_DN_SPEC
  • Required
    Yes, when NameIdType (SAML_IDP_SAMLREQ_NAMEID_TYPE) is set to 2.
  • Default
    None
  • Description
    The DN specification used when NameIdType (SAML_IDP_SAMLREQ_NAMEID_TYPE) is set to 2.
SAML_IDP_SAMLREQ_NAMEID_FORMAT
  • Required
    No
  • Default
    None
  • Description
    The URI for a SAML 2.0 name identifier.
SAML_IDP_SAMLREQ_NAMEID_STATIC
  • Required
    Yes, when NameIdType (SAML_IDP_SAMLREQ_NAMEID_TYPE) is set to 0.
  • Default
    None
  • Description
    The static text to be used when NameIdType (SAML_IDP_SAMLREQ_NAMEID_TYPE) is set to 0.
SAML_IDP_SAMLREQ_NAMEID_TYPE
  • Required
    No
  • Default
    1 (user attribute)
  • Description
    Represents the type of the name identifier.
    Valid values: 0 (static text), 1 (user attribute), and 2 (DN attribute).
SAML_IDP_SAMLREQ_REQUIRE_SIGNED_ASSERTION
  • Required
    No
  • Default
    0
  • Description
    Indicates whether the assertion returned in response to an <AttributeQuery> must be signed.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SAMLREQ_SIGN_ATTRIBUTE_QUERY
  • Required
    No
  • Default
    0
  • Description
    Indicates whether the attribute query must be signed.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SIGN_AUTHNREQUESTS
  • Required
    No
  • Default
    0
  • Description
    Specifies whether authentication requests will be signed.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SPID
  • Required
    Yes
  • Default
    None
  • Description
    The unique provider ID of the Service Provider being protected by this authentication scheme.
SAML_IDP_SPNAME
  • Required
    Yes, if SAML_IDP_BACKCHANNEL_AUTH_TYPE is set to 0 or 1
  • Default
    None
  • Description
    The name of the Service Provider involved in the back-channel authentication. The Service Provider name is used with the back-channel authentication types Basic and Client Cert.
SAML_IDP_SSO_DEFAULT_SERVICE
  • Required
    Yes
  • Default
    None
  • Description
    The URL of the Identity Provider's single sign-on service, for example:
    http://mysite.netegrity.com/affwebservices/public/saml2sso
SAML_IDP_SSO_ENFORCE_SINGLE_USE_POLICY
  • Required
    No
  • Default
    1
  • Description
    Specifies whether to enforce a single-use policy for HTTP POST binding.
    Setting this property to 1 (the default) ensures that an assertion cannot be "replayed" to a Service Provider site to establish a second session, in accordance with SAML POST-specific processing rules.
    The single-use policy requirement is enforced even in a clustered Policy Server environment with load-balancing and failover enabled.
    Valid values: 0 (false) and 1 (true).
SAML_IDP_SSO_REDIRECT_MODE
  • Required
    No
  • Default
    0
  • Description
    Specifies the method by which response attribute information is passed when the user is redirected to the target resource.
    A response passes user attributes, DN attributes, static text, or customized active responses from the Policy Server to a CA Single Sign-On Agent after the Agent issues a login or authorization request. For more information about response attributes, see CreateAttribute().
    Valid values:
    • 0. 302 No Data - No response attributes are passed.
    • 1. 302 Cookie Data - Response attributes are set as HTTP cookie data. Attribute cookies issued by the authentication scheme are unencrypted.
    • 2. Server Redirect - Response attributes are passed as a HashMap object.
    Server-side redirects allow passing information to an application within the server application itself. Response attribute data is never sent to the user's browser. This redirection method is part of the Java Servlet specification and is supported by all standards-compliant servlet containers.
SAML_IDP_SSO_TARGET
  • Required
    No
  • Default
    None
  • Description
    The URL of the target resource at the Service Provider site. For example, the target might be a web page or an application.
SAML_IDP_WINNT_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for WinNT directories. If user disambiguation is being performed on a user in a WinNT directory, but no search specification is provided, the default search specification defined on the User Directory Properties dialog is used.
    When defined for an affiliation, the search specification is shared by all Identity Providers across the affiliation.
    If you are extending the functionality of a SAML 2.0 authentication scheme with a custom message consumer plugin, the plugin will not be called in the user disambiguation phase if the Policy Server disambiguates the user with the default search specification defined on the CA Single Sign-On User Directory Properties dialog. For more information, see SAML_IDP_PLUGIN_CLASS.
SAML_IDP_XPATH
  • Required
    No
  • Default
    None
  • Description
    The XPath query that extracts the user's login ID from an assertion. The login ID is then used to disambiguate the user.
    By default, if no XPath is provided, an attempt is made to extract the login ID from the Assertion/Subject/NameID element of the SAML 2.0 Response message.
    Once successfully extracted, the login ID is inserted into the search string specified for the user directory, and the disambiguation phase begins.
    When defined for an affiliation, the XPath is shared by all Identity Providers across the affiliation.
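    The following is an added example, not code from the CA Single Sign-On documentation or product. It shows the two steps the SAML_IDP_XPATH entry describes: selecting the login ID from a SAML 2.0 Response (with the default Assertion/Subject/NameID location when no XPath is configured, or with a custom XPath), then inserting that ID into a user directory search specification before the disambiguation phase. It assumes the search specification carries a single "%s" placeholder and evaluates XPath with Python's ElementTree subset; the product's own XPath engine and placeholder syntax are not shown on this page. The Response document is constructed sample data.

```python
# Added example (not from the CA Single Sign-On documentation or product code):
# extract the login ID that SAML_IDP_XPATH selects from a SAML 2.0 Response and
# insert it into a user directory search specification. Assumptions: the search
# specification carries a single "%s" placeholder, and XPath is evaluated with
# Python's ElementTree subset; the product's own XPath engine and placeholder
# syntax are not shown on this page.
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Location used when SAML_IDP_XPATH is not provided (Assertion/Subject/NameID).
DEFAULT_LOGIN_ID_XPATH = "./saml:Assertion/saml:Subject/saml:NameID"

# Constructed sample Response: unsigned and trimmed to the elements read here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>j.doe(*)@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# RFC 4515 escaping for the characters that change the meaning of an LDAP filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def extract_login_id(response_xml: str, xpath: str = "") -> Optional[str]:
    """Return the login ID selected by xpath (or by the default NameID location).

    None means no login ID could be obtained, the first of the two cases the page
    lists for SAML_IDP_REDIRECT_URL_USER_NOT_FOUND.
    """
    # Parse only messages whose signature has already been verified; a hardened
    # deployment also uses a parser that rejects entity expansion (e.g. defusedxml).
    root = ET.fromstring(response_xml)
    node = root.find(xpath or DEFAULT_LOGIN_ID_XPATH, NS)
    if node is None or node.text is None or not node.text.strip():
        return None
    return node.text.strip()


def ldap_filter_escape(value: str) -> str:
    """Escape a value before it is placed inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_spec: str, login_id: str) -> str:
    """Insert the extracted login ID into a search specification such as "(uid=%s)".

    The ID comes from a remote party, so it is escaped rather than pasted raw.
    """
    if search_spec.count("%s") != 1:
        raise ValueError("search specification must contain exactly one %s placeholder")
    return search_spec.replace("%s", ldap_filter_escape(login_id))


if __name__ == "__main__":
    login_id = extract_login_id(SAMPLE_RESPONSE)
    print("default XPath ->", login_id, "->", build_search_filter("(uid=%s)", login_id))
    mail = extract_login_id(SAMPLE_RESPONSE, ".//saml:Attribute[@Name='mail']/saml:AttributeValue")
    print("custom XPath  ->", mail, "->", build_search_filter("(mail=%s)", mail))
```

The escaping step is the part worth keeping in mind when an XPath points at an attribute value rather than the NameID: the value is chosen by the Identity Provider, and anything containing filter metacharacters must not reach the directory unescaped.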
SAML_KEY_AFFILIATION_ID
  • Required
    Yes
  • Default
    None
  • Description
    The URI for the affiliation. The ID is used to verify that a Service Provider and Identity Provider are members of the same affiliation. For example:
    • When a Service Provider issues an authentication request to an Identity Provider, the request includes the affiliation ID. The Identity Provider verifies that the Service Provider belongs to the specified affiliation.
    • When the Identity Provider generates an assertion and sends it back to the Service Provider, the assertion includes the affiliation ID. The Service Provider verifies that the Identity Provider belongs to the specified affiliation.
    • During single logout, the logout requests also contain the affiliation ID. Upon receiving a logout request, the Service Provider and the Identity Provider each verify that the other belongs to the specified affiliation.
    The affiliation ID is specified in the SPNameQualifier attribute of the requests and assertions.
SAML_KEY_IDP_SOURCEID
  • Required
    No
  • Default
    A hex-encoded SHA-1 hash of the SAML_KEY_IDPID value
  • Description
    A hex-encoded 20-byte sequence identifier for the artifact issuer. This value uniquely identifies the artifact issuer in the assertion artifact.
    The authentication scheme uses the source ID as a key to look up Identity Provider metadata.
    The string length must be exactly 40 characters. Only a lower case hex string will be stored.
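    The following is an added example, not code from the CA Single Sign-On documentation or product. It derives the default SAML_KEY_IDP_SOURCEID from SAML_KEY_IDPID (the hex-encoded SHA-1 the entry above describes), normalizes an administrator-supplied value to the 40-character lower-case form that is stored, and shows how the source ID embedded in a SAML 2.0 artifact is used as the lookup key for Identity Provider metadata. The artifact layout is the type-4 format from the SAML 2.0 bindings specification (2-byte type code, 2-byte endpoint index, 20-byte SourceID, 20-byte MessageHandle, base64-encoded); the metadata table and its artifact resolution URL are constructed sample data.

```python
# Added example (not from the CA Single Sign-On documentation or product code):
# default SAML_KEY_IDP_SOURCEID derivation, normalization to the stored form,
# and source-ID-keyed lookup of Identity Provider metadata from a SAML 2.0
# type-4 artifact. The metadata table below is constructed sample data.
import base64
import hashlib
import re
import struct
from typing import Dict, Optional

ARTIFACT_TYPE_CODE = 0x0004  # SAML 2.0 artifact format, type code 4


def default_source_id(provider_id: str) -> str:
    """Default SAML_KEY_IDP_SOURCEID: hex-encoded SHA-1 of the SAML_KEY_IDPID string."""
    return hashlib.sha1(provider_id.encode("utf-8")).hexdigest()


def normalize_source_id(value: str) -> str:
    """Exactly 40 hex characters; only the lower-case form is stored."""
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", value):
        raise ValueError("source ID must be exactly 40 hexadecimal characters")
    return value.lower()


def build_artifact(source_id: str, message_handle: bytes, endpoint_index: int = 0) -> str:
    """Encode a type-4 artifact the way an artifact issuer would."""
    if len(message_handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = (struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index)
           + bytes.fromhex(normalize_source_id(source_id))
           + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str) -> dict:
    """Decode a received artifact, rejecting anything that is not a well-formed type-4 value."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44:
        raise ValueError("type-4 artifact must decode to 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError(f"unsupported artifact type code {type_code}")
    return {
        "endpoint_index": endpoint_index,
        "source_id": raw[4:24].hex(),       # 20-byte SourceID, lower-case hex
        "message_handle": raw[24:].hex(),   # 20-byte MessageHandle
    }


# Constructed sample: one Identity Provider, keyed by its source ID.
IDP_ID = "https://idp.example.test/saml2"
SAMPLE_IDP_METADATA: Dict[str, dict] = {
    default_source_id(IDP_ID): {
        "SAML_KEY_IDPID": IDP_ID,
        # Constructed URL; the product's endpoint path is not shown on this page.
        "SAML_IDP_ARTIFACT_RESOLUTION_DEFAULT_SERVICE": "https://idp.example.test/artifact-resolution",
    }
}


def lookup_issuer(artifact: str, idp_by_source_id: Dict[str, dict]) -> Optional[dict]:
    """Resolve the issuer's metadata; None means no configured IdP matches and the artifact is rejected."""
    return idp_by_source_id.get(parse_artifact(artifact)["source_id"])


if __name__ == "__main__":
    artifact = build_artifact(default_source_id(IDP_ID), bytes(range(20)), endpoint_index=1)
    print(artifact, "->", lookup_issuer(artifact, SAMPLE_IDP_METADATA))
```

Because the lookup is keyed on the lower-case hex form, a value stored with upper-case digits would never match a received artifact; that is the practical reason behind the page's rule that only a lower-case string is stored.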
SAML_KEY_IDPID
  • Required
    Yes
  • Default
    None
  • Description
    The provider ID of the Identity Provider for this authentication scheme. This ID:
    • Uniquely identifies the assertion issuer.
    • Serves as a key for looking up properties of the Identity Provider.
SAML_KEY_SPID
  • Required
    Yes
  • Default
    None
  • Description
    The unique provider ID of this Service Provider.
SAML_MAJOR_VERSION
  • Required
    No
  • Default
    2
  • Description
    The major version of the SAML protocol that is supported. If a value is supplied, it must be 2.
SAML_MINOR_VERSION
  • Required
    No
  • Default
    0
  • Description
    The minor version of the SAML protocol that is supported. If a value is supplied, it must be 0.
SAML_NAME
  • Required
    Yes
  • Default
    None
  • Description
    The name of the affiliation, authentication scheme, or Service Provider.
    The name must be globally unique. With SAML 2.0 affiliations and Service Providers, the name must be lower case.
SAML_OID
  • Required
    No, when the affiliation object is being created (CA Single Sign-On supplies the object identifier during object creation); it is required when custom code references an existing object
  • Default
    None
  • Description
    The unique object identifier for the affiliation object.
    The SAML Affiliation Properties dialog box has no corresponding field for this property.
SAML_SKEWTIME
  • Required
    No
  • Default
    30
  • Description
    The difference, in seconds, between the system clock time of the Identity Provider and the system clock time of the Service Provider, as follows:
    • With Service Providers, the number of seconds to be subtracted from the current time if its system clock is not synchronized with the Policy Server acting as an Identity Provider.
    • With Identity Providers, the number of seconds to be subtracted from the current time if its system clock is not synchronized with the Policy Server acting as a Service Provider.
    Skew time is used to calculate the validity duration of assertions and single logout requests. The value provided must be a String representing a positive integer.
SAML_SLO_REDIRECT_BINDING
  • Required
    No
  • Default
    0
  • Description
    Specifies whether HTTP redirect binding is supported for single logout.
    Valid values: 0 (false) and 1 (true).
    See also SAML_DSIG_VERINFO_ISSUER_DN and SAML_DSIG_VERINFO_SERIAL_NUMBER.
SAML_SLO_SERVICE_CONFIRM_URL
  • Required
    No
  • Default
    None
  • Description
    The URL where a user is redirected after single logout is completed.
SAML_SLO_SERVICE_RESPONSE_URL
  • Required
    No
  • Default
    None
  • Description
    The response location for the single logout service. This property allows SLO response messages to be sent to a different location from where request messages are sent.
SAML_SLO_SERVICE_URL
  • Required
    Yes, if SAML_SLO_REDIRECT_BINDING is 1
  • Default
    None
  • Description
    With HTTP-Redirect bindings, the Identity Provider URL where single logout requests are sent.
SAML_SLO_SERVICE_VALIDITY_DURATION
  • Required
    No
  • Default
    60 (applies if a value is not provided and SAML_SLO_REDIRECT_BINDING is 1)
  • Description
    The number of seconds for which a single logout request is valid.
    The value provided must be a String representing a positive integer.
    See also SAML_SKEWTIME.
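    The following is an added example, not code from the CA Single Sign-On documentation or product. It shows how SAML_SKEWTIME, SAML_SLO_SERVICE_VALIDITY_DURATION and SAML_IDP_SSO_ENFORCE_SINGLE_USE_POLICY combine when an assertion received over HTTP POST, or a single logout request, is checked: the string-to-positive-integer rule for the two timing properties, the validity window widened by the skew, the logout request lifetime, and a single-use cache that refuses a second presentation of the same assertion ID. It assumes the skew is applied as a tolerance on both edges of the Conditions window (the page states only that the skew is subtracted from the current time), and the cache is an in-memory model of the policy rather than the product's cluster-wide implementation; the times and assertion are constructed sample values.

```python
# Added example (not from the CA Single Sign-On documentation or product code):
# skew-tolerant validity checks and a single-use assertion cache. Assumptions:
# skew is a tolerance on both edges of the Conditions window, and the cache is
# an in-memory model rather than the product's cluster-wide implementation.
from datetime import datetime, timedelta, timezone
from typing import Dict


def parse_positive_int_string(value: str) -> int:
    """SAML_SKEWTIME and SAML_SLO_SERVICE_VALIDITY_DURATION are strings holding a positive integer."""
    if not isinstance(value, str) or not value.isdigit() or int(value) <= 0:
        raise ValueError(f"expected a string holding a positive integer, got {value!r}")
    return int(value)


def assertion_in_window(not_before: datetime, not_on_or_after: datetime,
                        now: datetime, skew_seconds: int) -> bool:
    """Conditions window (NotBefore <= now < NotOnOrAfter) widened by the skew on both sides."""
    skew = timedelta(seconds=skew_seconds)
    return (not_before - skew) <= now < (not_on_or_after + skew)


def slo_request_valid(issue_instant: datetime, now: datetime,
                      validity_seconds: int, skew_seconds: int) -> bool:
    """A logout request is honoured while the skew-adjusted current time is before IssueInstant + validity."""
    skew = timedelta(seconds=skew_seconds)
    not_from_future = issue_instant <= now + skew
    return not_from_future and (now - skew) < issue_instant + timedelta(seconds=validity_seconds)


class SingleUseAssertionCache:
    """Model of SAML_IDP_SSO_ENFORCE_SINGLE_USE_POLICY=1 for the HTTP POST binding.

    An assertion ID is accepted once. It is remembered until NotOnOrAfter plus skew;
    after that the window check alone rejects the assertion, so the entry can be dropped.
    """

    def __init__(self, skew_seconds: int) -> None:
        self._skew = timedelta(seconds=skew_seconds)
        self._seen: Dict[str, datetime] = {}

    def accept(self, assertion_id: str, not_on_or_after: datetime, now: datetime) -> bool:
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}  # evict expired
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = not_on_or_after + self._skew
        return True


def validate_post_assertion(assertion: dict, now: datetime, cache: SingleUseAssertionCache,
                            skew_seconds: int, enforce_single_use: bool = True) -> str:
    """Outcome for one POSTed assertion: accepted, outside its window, or a replay."""
    if not assertion_in_window(assertion["NotBefore"], assertion["NotOnOrAfter"], now, skew_seconds):
        return "rejected: outside validity window"
    if enforce_single_use and not cache.accept(assertion["ID"], assertion["NotOnOrAfter"], now):
        return "rejected: replay"
    return "accepted"


# Constructed sample values.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTION = {"ID": "_a1",
                    "NotBefore": NOW - timedelta(minutes=5),
                    "NotOnOrAfter": NOW + timedelta(minutes=5)}
SKEW = parse_positive_int_string("30")          # SAML_SKEWTIME default
SLO_VALIDITY = parse_positive_int_string("60")  # SAML_SLO_SERVICE_VALIDITY_DURATION default

if __name__ == "__main__":
    cache = SingleUseAssertionCache(SKEW)
    print(validate_post_assertion(SAMPLE_ASSERTION, NOW, cache, SKEW))  # accepted
    print(validate_post_assertion(SAMPLE_ASSERTION, NOW, cache, SKEW))  # rejected: replay
```

Setting enforce_single_use to False reproduces SAML_IDP_SSO_ENFORCE_SINGLE_USE_POLICY=0: the second presentation of the same assertion is accepted as long as it is still inside its validity window, which is exactly the replay the page says the default prevents.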
SAML_SP_ARTIFACT_ENCODING
  • Required
    No
  • Default
    FORM (applies if a value is not provided and SAML_ENABLE_SSO_ARTIFACT_BINDING is 1)
  • Description
    Specifies the encoding to use for the artifact binding. Valid values:
    • FORM. The artifact is form-encoded in a hidden control named SAMLart.
    • URL. The artifact is URL-encoded in a URL parameter named SAMLart.
    FORM and URL encoding are performed according to the SAML 2.0 specifications.
SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL
  • Required
    Yes
  • Default
    None
  • Description
    The Service Provider URL where generated assertions are sent, for example:
    http://mysite.netegrity.com/affwebservices/public/saml2assertionconsumer
SAML_SP_AUTHENTICATION_LEVEL
  • Required
    No
  • Default
    5
  • Description
    This property specifies the minimum protection level required for the authentication scheme that authenticates the principal associated with the current assertion.
SAML_SP_ATTRSVC_AD_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for an AD directory.
SAML_SP_ATTRSVC_CUSTOM_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for a custom directory.
SAML_SP_ATTRSVC_ENABLE
  • Required
    No
  • Default
    0
  • Description
    Indicates whether the Attribute Authority is enabled.
    Valid values: 0 (false) and 1 (true).
SAML_SP_ATTRSVC_LDAP_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for an LDAP directory.
SAML_SP_ATTRSVC_ODBC_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for an ODBC directory.
SAML_SP_ATTRSVC_REQUIRE_SIGNED_QUERY
  • Required
    No
  • Default
    None
  • Description
    Specifies whether the attribute query must be signed.
SAML_SP_ATTRSVC_SIGN_ASSERTION
  • Required
    No
  • Default
    0
  • Description
    Indicates whether the SAML assertion should be signed.
    Valid values: 0 (false) and 1 (true).
SAML_SP_ATTRSVC_SIGN_RESPONSE
  • Required
    No
  • Default
    0
  • Description
    Indicates whether the SAML response should be signed.
    Valid values: 0 (false) and 1 (true).
SAML_SP_ATTRSVC_VALIDITY_DURATION
  • Required
    No
  • Default
    60
  • Description
    The number of seconds for which a generated assertion is valid.
SAML_SP_ATTRSVC_WINNT_SEARCH_SPEC
  • Required
    No
  • Default
    None
  • Description
    Search specification for a WinNT directory.
SAML_SP_AUTHENTICATION_URL
  • Required
    Yes
  • Default
    None
  • Description
    The protected URL for authenticating users of this Service Provider.
SAML_SP_AUTHN_CONTEXT_CLASS_REF
  • Required
    No
  • Default
    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • Description
    The class of information that a Service Provider may require to assess its confidence in an assertion. The class is specified in the assertion's AuthnContextClassRef element.
    For example, the default authentication context class is Password. This class applies when a principal authenticates through the presentation of a password over an unprotected HTTP session.
    Other examples of authentication context class include InternetProtocol (authentication through a provided IP address), X509 (authentication through an X.509 digital signature), and Telephony (authentication through the provision of a fixed-line telephone number transported via a telephony protocol).
    The authentication context class is a URI with the following initial stem:
    urn:oasis:names:tc:SAML:2.0:ac:classes:
    The SAML 2.0 authentication context specification defines the URIs that can be provided as authentication context classes. The class must also be appropriate for the authentication level defined for the Service Provider.
SAML_SP_COMMON_DOMAIN
  • Required
    Yes, if SAML_SP_ENABLE_IPD is 1
  • Default
    None
  • Description
    The common cookie domain for the Identity Provider Discovery profile. The domain must be a subset of the host specified in SAML_SP_IPD_SERVICE_URL.
SAML_SP_CUSTOM_TIME_OUT
  • Required
    No
  • Default
    None
  • Description
    Specifies the value of the SessionNotOnOrAfter parameter set in the assertion. This property is only valid if SAML_SP_SESSION_NOTORAFTER_TYPE is set to Custom.
SAML_SP_DOMAIN
  • Required
    No
  • Default
    None
  • Description
    The unique ID of the affiliate domain where the Service Provider is defined.
    The SAML Service Provider Properties dialog box has no corresponding field for this property.
SAML_SP_ENABLE_IPD
  • Required
    No
  • Default
    0
  • Description
    Specifies whether the Identity Provider Discovery profile is enabled.
    Valid values: 0 (false) and 1 (true).
SAML_SP_ENCRYPT_ASSERTION
  • Required
    No
  • Default
    0
  • Description
    Specifies whether to encrypt the generated assertion at the Service Provider site. By default, the assertion is not encrypted.
    Valid values: 0 (false) and 1 (true).
SAML_SP_ENCRYPT_BLOCK_ALGO
  • Required
    No
  • Default
    tripledes
  • Description
    The type of block encryption algorithm to use. Valid values:
    • tripledes. Data Encryption Standard using three separate 56-bit keys.
    • aes-128. Advanced Encryption Standard, key length is 128 bits.
    • aes-256. Advanced Encryption Standard, key length is 256 bits.
SAML_SP_ENCRYPT_CERT_ISSUER_DN
  • Required
    Yes, in either of the following circumstances:
    • Either SAML_SP_ENCRYPT_ID or SAML_SP_ENCRYPT_ASSERTION is 1.
    • Any assertion attribute statements require encryption. These attributes are defined on the Attributes tab of the SAML Service Provider Properties dialog box.
  • Default
    None
  • Description
    The Issuer DN portion of a public key certificate to be used for encryption. This property is used with SAML_SP_ENCRYPT_CERT_SERIAL_NUMBER to locate the Service Provider's certificate in the keystore if it is not provided inline.
SAML_SP_ENCRYPT_CERT_SERIAL_NUMBER
  • Required
    Yes, in either of the following circumstances:
    • Either SAML_SP_ENCRYPT_ID or SAML_SP_ENCRYPT_ASSERTION is 1.
    • Any assertion attribute statements require encryption. These attributes are defined on the Attributes tab of the SAML Service Provider Properties dialog box.
  • Default
    None
  • Description
    The serial number portion of a public key certificate to be used for encryption. This property is used with SAML_SP_ENCRYPT_CERT_ISSUER_DN to locate the Service Provider's certificate in the keystore if it is not provided inline.
SAML_SP_ENCRYPT_ID
  • Required
    No
  • Default
    0
  • Description
    Specifies whether the Name ID in the generated assertion should be encrypted at the Service Provider site. By default, the Name ID is not encrypted.
    Valid values: 0 (false) and 1 (true).
SAML_SP_ENCRYPT_KEY_ALGO
  • Required
    No
  • Default
    rsa-v15
  • Description
    The type of encryption key algorithm to use. Valid values:
    • rsa-v15. RSA encryption, version 1.5.
    • rsa-oaep. Optimal Asymmetric Encryption Padding encoding and RSA encryption.
SAML_SP_ENDTIME
  • Required
    No
  • Default
    None
  • Description
    The time by which an assertion must be generated.
    Use the Perl time() function to help assign a time to this property. The time value is stored as a string. For example:
    $SAML_SP_ENDTIME=SAML_SP_ENDTIME;
    $time=time() + 20;
    $serviceProvider->Property($SAML_SP_ENDTIME,"$time");
    This property is used with SAML_SP_STARTTIME to define a time restriction for the generation of assertions.
    Set SAML_SP_ENDTIME to 0 to end the time restriction immediately.
SAML_SP_IDP_SOURCEID
  • Required
    No
  • Default
    A hex-encoded SHA-1 hash of the SAML_SP_IDPID value
  • Description
    A hex-encoded 20-byte sequence identifier for the artifact issuer. This value uniquely identifies the artifact issuer in the assertion artifact.
    The string length must be exactly 40 characters. Only a lower case hex string will be stored.
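The default SourceID is the SHA-1 hash of the Identity Provider ID, and the Service Provider later uses that 20-byte value to decide which Identity Provider an artifact came from. The following is an added Python illustration (not code from the page or from the CA Perl API) that derives the default SAML_SP_IDP_SOURCEID value, enforces the 40-character lower-case hex rule, and goes one step beyond the page by packing and unpacking a SAML 2.0 type 0x0004 artifact (TypeCode, EndpointIndex, SourceID, MessageHandle, as defined in the SAML 2.0 Bindings specification) so that an incoming artifact can be matched against a registry of configured Identity Providers. The entity ID, the registry, and the message handle are constructed sample values.

```python
import base64
import hashlib
import re
import struct

# Constructed sample values, not from the original page.
IDP_ENTITY_ID = "https://idp.example.com/saml2"
# Hypothetical SP-side registry: IdP provider ID -> friendly name.
IDP_PROVIDERS = {IDP_ENTITY_ID: "example-idp"}

# Type code of the SAML 2.0 artifact format (SAML 2.0 Bindings, section 3.6.4).
SAML2_ARTIFACT_TYPE = 0x0004


def default_source_id(idp_id: str) -> str:
    """Default SAML_SP_IDP_SOURCEID: lower-case hex SHA-1 of the SAML_SP_IDPID value."""
    return hashlib.sha1(idp_id.encode("utf-8")).hexdigest()


def validate_source_id(value: str) -> bool:
    """Exactly 40 lower-case hex characters (20 bytes); uppercase or other lengths are rejected."""
    return re.fullmatch(r"[0-9a-f]{40}", value) is not None


def build_artifact(source_id_hex: str, message_handle: bytes, endpoint_index: int = 0) -> str:
    """Pack TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20) and base64-encode it."""
    if not validate_source_id(source_id_hex):
        raise ValueError("SourceID must be 40 lower-case hex characters")
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be exactly 20 bytes")
    raw = (struct.pack(">HH", SAML2_ARTIFACT_TYPE, endpoint_index)
           + bytes.fromhex(source_id_hex)
           + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str) -> dict:
    """Reverse of build_artifact; rejects anything that is not a well-formed type 0x0004 artifact."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError("type 0x0004 artifact must decode to 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != SAML2_ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type {type_code:#06x}")
    return {
        "endpoint_index": endpoint_index,
        "source_id": raw[4:24].hex(),      # already lower-case hex
        "message_handle": raw[24:44],
    }


def resolve_issuer(artifact_b64: str, registry: dict) -> str:
    """Map the artifact's SourceID back to a configured IdP; unknown SourceIDs are refused, not resolved."""
    parsed = parse_artifact(artifact_b64)
    by_source_id = {default_source_id(idp_id): idp_id for idp_id in registry}
    idp_id = by_source_id.get(parsed["source_id"])
    if idp_id is None:
        raise LookupError("artifact SourceID does not match any configured Identity Provider")
    return idp_id


if __name__ == "__main__":
    sid = default_source_id(IDP_ENTITY_ID)
    art = build_artifact(sid, b"\x01" * 20, endpoint_index=3)
    print(sid, art, resolve_issuer(art, IDP_PROVIDERS))
```

The registry lookup is the point of the SourceID: an artifact whose SourceID is not derived from a configured SAML_SP_IDPID value is rejected before any back-channel resolution is attempted, which is the check a Service Provider wants in front of SAML_SP_PASSWORD-protected artifact resolution.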
SAML_SP_IDPID
  • Required
    Yes
  • Default
    None
  • Description
    The provider ID of the Identity Provider that generates the assertions.
SAML_SP_IGNORE_REQ_AUTHNCONTEXT
  • Required
    No
  • Default
    0
  • Description
    Specifies whether the Identity Provider ignores the RequestedAuthnContext element in an incoming AuthnRequest message. Valid values: 0 (false, the requested context is honored) and 1 (true, the requested context is ignored).
SAML_SP_IPD_SERVICE_URL
  • Required
    Yes, if SAML_SP_ENABLE_IPD is 1
  • Default
    None
  • Description
    The host URL for the Identity Provider Discovery profile.
SAML_SP_NAMEID_ATTRNAME
  • Required
    Yes, if SAML_SP_NAMEID_TYPE is set to 1 (User Attribute) or 2 (DN Attribute)
  • Default
    None
  • Description
    One of the following values:
    • When SAML_SP_NAMEID_TYPE is set to 1, this property specifies the name of the user attribute that contains the name identifier.
    • When SAML_SP_NAMEID_TYPE is set to 2, this property specifies the attribute associated with a group or organizational unit DN.
SAML_SP_NAMEID_DNSPEC
  • Required
    Yes, if SAML_SP_NAMEID_TYPE is set to 2 (DN Attribute)
  • Default
    None
  • Description
    A group or organizational unit DN used to obtain the associated Name ID attribute.
SAML_SP_NAMEID_FORMAT
  • Required
    No
  • Default
    Unspecified
  • Description
    The full URI for one of the following nameid-format values:
    • Unspecified
    • Email Address
    • X509 Subject Name
    • Windows Domain Qualified Name
    • Kerberos Principal Name
    • Entity Identifier
    • Persistent Identifier
    • Transient Identifier
    For example, the full URI for the default format Unspecified is:
    urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
    For descriptions of these formats, see the following SAML 2.0 specification:
    Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0
    Note: If a SAML affiliation is specified in SAML_AFFILIATION, this and other SAML_SP_NAMEID... properties are not used. CA Single Sign-On uses the NAMEID information in the specified affiliation.
SAML_SP_NAMEID_STATIC
  • Required
    Yes, if SAML_SP_NAMEID_TYPE is set to 0 (Static)
  • Default
    None
  • Description
    The static text to be used for all name identifiers.
SAML_SP_NAMEID_TYPE
  • Required
    No
  • Default
    1
  • Description
    The type of name identifier. Valid values:
    • 0. Static text.
    • 1. User attribute.
    • 2. DN attribute.
SAML_SP_ONE_TIME_USE
  • Required
    No
  • Default
    False
  • Description
    Specifies whether the Assertion includes an element that indicates that the Assertion should be used only one time.
SAML_SP_PASSWORD
  • Required
    Yes, if SAML_ENABLE_SSO_ARTIFACT_BINDING is 1
  • Default
    None
  • Description
    The password to use for Service Provider access through the back channel.
SAML_SP_PERSISTENT_COOKIE
  • Required
    No
  • Default
    0
  • Description
    Specifies whether an Identity Provider Discovery profile cookie should be persistent.
    Applies only if SAML_SP_ENABLE_IPD is 1.
    Valid values: 0 (false) and 1 (true).
SAML_SP_PLUGIN_CLASS
  • Required
    No
  • Default
    None
  • Description
    The fully qualified Java class name of the assertion generator plug-in.
    An assertion generator plugin allows the content of an assertion to be customized. For more information, see the Java API Documentation.
SAML_SP_PLUGIN_PARAMS
  • Required
    No
  • Default
    None
  • Description
    Any parameters to pass into the assertion generator plug-in specified in SAML_SP_PLUGIN_CLASS.
SAML_SP_REQUIRE_SIGNED_AUTHNREQUESTS
  • Required
    No
  • Default
    0
  • Description
    Specifies whether authentication requests must be signed.
    Valid values: 0 (false) and 1 (true).
SAML_SP_REUSE_SESSION_INDEX
  • Required
    No
  • Default
    0
  • Description
    Indicates whether CA Single Sign-On sends the same session index in the assertion for the same partner in a single browser session. If a user federates multiple times with the same partner using the same browser window, setting this property tells the IdP to send the same session index in each assertion. The default value (0) instructs CA Single Sign-On to generate a new session index every time single sign-on occurs.
    Valid values:
    • 0. Do not reuse the same session index.
    • 1. Reuse the same session index.
SAML_SP_SESSION_NOTORAFTER_TYPE
  • Required
    No
  • Default
    Use Assertion Validity
  • Description
    This property determines the value set for the SessionNotOnOrAfter parameter in the assertion. A third-party SP can use the SessionNotOnOrAfter value to set its own session timeout.
    If CA Single Sign-On is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a CA Single Sign-On SP sets session timeouts based on the realm timeout that corresponds to the configured SAML authentication scheme that protects the target resource.
    Valid values:
  • Use Assertion Validity
    Calculates the SessionNotOnOrAfter value based on the assertion validity duration.
  • Omit
    Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
  • IDP Session
    Calculates the SessionNotOnOrAfter value based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
  • Custom
    Lets you specify a custom value for the SessionNotOnOrAfter parameter. If you select this option, enter a time in the SAML_SP_CUSTOM_TIME_OUT property.
SAML_SP_STARTTIME
  • Required
    No
  • Default
    None
  • Description
    The time when a time restriction for generating an assertion becomes effective.
    Use the Perl time() function to help assign a time to this property. The time value is stored as a string. For example:
    $SAML_SP_STARTTIME=SAML_SP_STARTTIME;
    $time=time() + 10;
    $serviceProvider->Property($SAML_SP_STARTTIME,"$time");
    This property is used with SAML_SP_ENDTIME to define a time restriction for the generation of assertions.
    Set SAML_SP_STARTTIME to 0 to start the time restriction immediately.
SAML_SP_VALIDITY_DURATION
  • Required
    No
  • Default
    60
  • Description
    The number of seconds for which a generated assertion is valid.
    The value provided must be a string representing a positive integer.
    See also SAML_SKEWTIME.
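SAML_SP_VALIDITY_DURATION and SAML_SP_SESSION_NOTORAFTER_TYPE (with SAML_SP_CUSTOM_TIME_OUT) both turn into timestamps in the generated assertion. The following is an added Python illustration (not code from the page or from the CA Perl API) of how those properties, taken as strings, yield the Conditions NotBefore/NotOnOrAfter pair and the SessionNotOnOrAfter value for each of the four modes. It assumes NotBefore is the issue instant and NotOnOrAfter is the issue instant plus the validity duration (clock skew from SAML_SKEWTIME is left out), that the IdP realm timeout for the IDP Session mode is supplied by the caller in seconds, and that SAML_SP_CUSTOM_TIME_OUT holds a number of seconds; the property set and the issue instant are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample property set; every value is a string, as the reference notes require.
PROPS = {
    "SAML_SP_VALIDITY_DURATION": "60",
    "SAML_SP_SESSION_NOTORAFTER_TYPE": "Use Assertion Validity",
    "SAML_SP_CUSTOM_TIME_OUT": "",
}

# Constructed issue instant used by the demo and by the checks below.
SAMPLE_ISSUE_INSTANT = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def saml_datetime(dt: datetime) -> str:
    """xs:dateTime in UTC, the form used for time attributes in SAML assertions."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def validity_duration(props: dict) -> int:
    """SAML_SP_VALIDITY_DURATION: a string holding a positive integer number of seconds (default 60)."""
    value = props.get("SAML_SP_VALIDITY_DURATION", "60")
    if not value.isdigit() or int(value) <= 0:
        raise ValueError("SAML_SP_VALIDITY_DURATION must be a string representing a positive integer")
    return int(value)


def assertion_conditions(props: dict, issue_instant: datetime) -> dict:
    """Conditions window derived from the validity duration (assumption: NotBefore equals the issue instant)."""
    secs = validity_duration(props)
    return {
        "NotBefore": saml_datetime(issue_instant),
        "NotOnOrAfter": saml_datetime(issue_instant + timedelta(seconds=secs)),
    }


def session_not_on_or_after(props: dict, issue_instant: datetime, idp_session_timeout_secs: int):
    """SessionNotOnOrAfter per SAML_SP_SESSION_NOTORAFTER_TYPE; None means the attribute is omitted."""
    mode = props.get("SAML_SP_SESSION_NOTORAFTER_TYPE", "Use Assertion Validity")
    if mode == "Omit":
        return None
    if mode == "Use Assertion Validity":
        secs = validity_duration(props)
    elif mode == "IDP Session":
        # Assumption: the caller passes the realm timeout of the IdP authentication URL, in seconds.
        secs = idp_session_timeout_secs
    elif mode == "Custom":
        # Assumption: SAML_SP_CUSTOM_TIME_OUT is a number of seconds; it must be set in this mode.
        custom = props.get("SAML_SP_CUSTOM_TIME_OUT", "")
        if not custom.isdigit() or int(custom) <= 0:
            raise ValueError("SAML_SP_CUSTOM_TIME_OUT must hold a positive integer when the type is Custom")
        secs = int(custom)
    else:
        raise ValueError(f"unknown SAML_SP_SESSION_NOTORAFTER_TYPE {mode!r}")
    return saml_datetime(issue_instant + timedelta(seconds=secs))


if __name__ == "__main__":
    print(assertion_conditions(PROPS, SAMPLE_ISSUE_INSTANT))
    for mode in ("Use Assertion Validity", "Omit", "IDP Session", "Custom"):
        p = {**PROPS, "SAML_SP_SESSION_NOTORAFTER_TYPE": mode, "SAML_SP_CUSTOM_TIME_OUT": "300"}
        print(mode, session_not_on_or_after(p, SAMPLE_ISSUE_INSTANT, 1800))
```

Because the property values are strings, the numeric checks are where a misconfiguration such as an empty or negative duration is caught; a silent fallback here would produce an assertion with an unintended validity window.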
SAML_SSOECPPROFILE
  • Required
    No
  • Default
    0
  • Description
    Specifies whether the Identity Provider or Service Provider supports SAML 2.0 Enhanced Client and Proxy profile requests.
    Valid values: 0 (false) and 1 (true).
SAML2_CUSTOM_ENABLE_INVALID_REQUEST_URL
  • Required
    No
  • Default
    None
  • Description
    Specifies whether the custom error redirect process is enabled for an invalid request.
SAML2_CUSTOM_ENABLE_SERVER_ERROR_URL
  • Required
    No
  • Default
    None
  • Description
    Specifies whether the custom error redirect process is enabled for a server error.
SAML2_CUSTOM_INVALID_REQUEST_REDIRECT_MODE
  • Required
    No
  • Default
    None
  • Description
    Specifies the redirect mode for an invalid request. Valid values:
    • 0. 302 No Data: HTTP 302 redirection. The URL for the target resource and the reason for the authentication failure are appended to the redirection URL. The SAML 2.0 Response message passed to the authentication scheme is not included.
    • 1. Http Post: HTTP POST redirection. The SAML 2.0 Response message passed to the authentication scheme and the Identity Provider's ID are delivered by an HTML form.
SAML2_CUSTOM_INVALID_REQUEST_REDIRECT_URL
  • Required
    No
  • Default
    None
  • Description
    Specifies the redirect URL for an invalid request.
SAML2_CUSTOM_SERVER_ERROR_REDIRECT_MODE
  • Required
    No
  • Default
    None
  • Description
    Specifies the redirect mode for an internal server error. Valid values:
    • 0. 302 No Data: HTTP 302 redirection. The URL for the target resource and the reason for the authentication failure are appended to the redirection URL. The SAML 2.0 Response message passed to the authentication scheme is not included.
    • 1. Http Post: HTTP POST redirection. The SAML 2.0 Response message passed to the authentication scheme and the Identity Provider's ID are delivered by an HTML form.
SAML2_CUSTOM_SERVER_ERROR_REDIRECT_URL
  • Required
    No
  • Default
    None
  • Description
    Specifies the redirect URL for an internal server error.
SAML2_CUSTOM_UNAUTHORIZED_ACCESS_REDIRECT_MODE
  • Required
    No
  • Default
    None
  • Description
    Specifies the redirect mode for forbidden access. Valid values:
    • 0. 302 No Data: HTTP 302 redirection. The URL for the target resource and the reason for the authentication failure are appended to the redirection URL. The SAML 2.0 Response message passed to the authentication scheme is not included.
    • 1. Http Post: HTTP POST redirection. The SAML 2.0 Response message passed to the authentication scheme and the Identity Provider's ID are delivered by an HTML form.
SAML2_CUSTOM_UNAUTHORIZED_ACCESS_REDIRECT_URL
  • Required
    No
  • Default
    None
  • Description
    Specifies the redirect URL for a forbidden access error.
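The three SAML2_CUSTOM_..._REDIRECT_MODE properties describe the same two delivery mechanisms: a 302 whose query string carries the target URL and failure reason, or an HTML form that posts the SAML 2.0 Response and the Identity Provider's ID. The following is an added Python illustration (not code from the page or from the CA product) of what each mode produces and of the encoding each one needs, since the target URL, the reason text, the Response and the IdP ID all originate outside the Service Provider's control. The query parameter names `target` and `reason`, the form field name `IdPID`, and the property set are assumptions and constructed values; `SAMLResponse` is the field name the SAML 2.0 HTTP POST binding uses.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical names for the appended data; the page does not name them.
TARGET_PARAM = "target"
REASON_PARAM = "reason"
IDP_ID_FIELD = "IdPID"

# Constructed sample property set for the invalid-request case.
PROPS = {
    "SAML2_CUSTOM_ENABLE_INVALID_REQUEST_URL": "1",
    "SAML2_CUSTOM_INVALID_REQUEST_REDIRECT_MODE": "0",
    "SAML2_CUSTOM_INVALID_REQUEST_REDIRECT_URL": "https://sp.example.com/error?app=hr",
}


def _require_absolute_http(url: str) -> None:
    """The configured redirect URL must be an absolute http(s) URL; anything else is a misconfiguration."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"redirect URL must be absolute http(s): {url!r}")


def redirect_302(redirect_url: str, target_url: str, reason: str) -> str:
    """Mode 0 (302 No Data): append target and reason as URL-encoded query parameters; no SAML Response."""
    _require_absolute_http(redirect_url)
    parts = urlsplit(redirect_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [(TARGET_PARAM, target_url), (REASON_PARAM, reason)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def redirect_post_form(redirect_url: str, saml_response_b64: str, idp_id: str) -> str:
    """Mode 1 (Http Post): auto-submitting form carrying the SAML Response and IdP ID, every value HTML-escaped."""
    _require_absolute_http(redirect_url)
    fields = {"SAMLResponse": saml_response_b64, IDP_ID_FIELD: idp_id}
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" value="{html.escape(v, quote=True)}">'
        for n, v in fields.items()
    )
    return (
        "<!DOCTYPE html>\n"
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="post" action="{html.escape(redirect_url, quote=True)}">\n'
        f"{inputs}\n"
        '    <noscript><input type="submit" value="Continue"></noscript>\n'
        "  </form>\n"
        "</body></html>\n"
    )


def build_error_redirect(props: dict, kind: str, target_url: str, reason: str,
                         saml_response_b64: str = "", idp_id: str = "") -> dict:
    """Select the response from SAML2_CUSTOM_<kind>_REDIRECT_MODE and _REDIRECT_URL.

    kind is INVALID_REQUEST, SERVER_ERROR or UNAUTHORIZED_ACCESS. Mode 0 yields a 302 with a Location
    header; mode 1 yields a 200 whose body is the self-posting form.
    """
    url = props.get(f"SAML2_CUSTOM_{kind}_REDIRECT_URL", "")
    mode = props.get(f"SAML2_CUSTOM_{kind}_REDIRECT_MODE", "0")
    if not url:
        raise ValueError(f"SAML2_CUSTOM_{kind}_REDIRECT_URL is not set")
    if mode == "0":
        return {"status": 302, "location": redirect_302(url, target_url, reason)}
    if mode == "1":
        return {"status": 200, "body": redirect_post_form(url, saml_response_b64, idp_id)}
    raise ValueError(f"unknown redirect mode {mode!r} for {kind}")


if __name__ == "__main__":
    print(build_error_redirect(PROPS, "INVALID_REQUEST",
                               "https://sp.example.com/hr/index.jsp?x=1&y=2", "Invalid request"))
```

In mode 0 the redirect URL is the administrator's, but the appended target and reason are not, so they are added as encoded query parameters rather than concatenated; in mode 1 the Response and IdP ID land inside HTML attributes and are escaped for that context. Both paths refuse a relative or non-HTTP redirect URL rather than emitting an ambiguous Location header.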