SAML SSO Web Profile Authentication Resource Template
SAML SSO Web Profile Authentication Resource Template provides configuration fields for SAML SSO Web Profile Authentication.
General Tab
Property | Description |
---|---|
Entity Id (Required) | Unique identifier of the service provider. It must match the service provider entity ID configured at the IdP. Example: https://host:port/saml/saml/metadata |
Authentication Successful URL (Required) | URL of the landing page shown after successful authentication. Example: /landing |
IDP Metadata Source (Required) | How the IdP metadata is supplied: IDP String Metadata (a local metadata file) or IDP HTTP Metadata URL (metadata fetched from an HTTP URL). SAML metadata describes a service provider or identity provider: its entity ID, endpoints and certificates. |
IDP Metadata URL (Required) | Location of the IdP metadata file (if the IDP String Metadata option is selected) or the HTTP URL of the IdP metadata (if the IDP HTTP Metadata URL option is selected). Examples: Google: D:\SAML\GoogleIDPMetadata.xml; ADFS: https://idp-alias/Metadata.xml |
IDP Login URL (Required) | Endpoint on the service provider that initiates SAML login. Example: /login |
IDP Logout URL (Required) | Endpoint on the service provider that initiates SAML logout. Example: /logout |
IDP SSO URL (Required) | Endpoint on the service provider to which the IdP posts SAML responses carrying assertions (the assertion consumer service). Example: /SSO |
IDP Single Logout URL (Required) | Endpoint on the service provider to which the IdP sends the logout response. Example: /SingleLogout |
Logout Successful URL (Required) | URL of the landing page shown after successful logout. Example: /loggedOut |
Authentication Failure URL (Required) | URL of the landing page shown after failed authentication. Example: /error |
Response Skew Time (seconds) (Required) | Maximum difference, in seconds, tolerated between the service provider's clock and the timestamps in the IdP's response when its time conditions (NotBefore, NotOnOrAfter) are validated. Keep this small: a large skew widens the window in which a captured response can be replayed. Example: 60 seconds |
Unauthorize Redirect Requests (Optional) | By default this check box is not selected for SOA applications. For TIBCO ActiveMatrix BPM applications this check box must be selected. |
Max Authentication Age (seconds) (Optional) | Maximum age, in seconds, of the authentication recorded in the assertion (its AuthnInstant). If the IdP authenticated the user longer ago than this, the assertion is rejected and the user must authenticate again. Default value: 7200 seconds |
Local Logout (Optional) | Select the check box to end only the service provider session on logout, without sending a single logout request to the IdP. Select it if you are using Google as the IdP. |
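Response Skew Time and Max Authentication Age are the two inputs to the time checks a service provider runs on every assertion, together with the Entity Id as the expected audience. The following Python example is added here to show those checks concretely; it is not TIBCO code, and the assertion, timestamps, entity ID and receipt times in it are constructed for the demonstration.

```python
"""Time checks a service provider applies to an IdP assertion, driven by the
same two quantities the General tab exposes as Response Skew Time and Max
Authentication Age. Added illustration, not TIBCO code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion for the demonstration; not a real IdP response and
# deliberately unsigned (signature verification is a separate step that must
# succeed before any of these checks are worth trusting).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0nstructed" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://host:8080/saml/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:30:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""

SP_ENTITY_ID = "https://host:8080/saml/saml/metadata"  # constructed; matches the Audience above


def parse_instant(value):
    """Parse a SAML xs:dateTime with a 'Z' suffix into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_assertion_times(assertion_xml, now, response_skew, max_authentication_age, entity_id):
    """Return (accepted, reason).

    response_skew and max_authentication_age are in seconds, like the General
    tab fields. The skew is applied to every comparison, which is why a large
    skew extends the replay window rather than just tolerating clock drift.
    """
    root = ET.fromstring(assertion_xml)
    skew = timedelta(seconds=response_skew)

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "assertion has no Conditions element"

    not_before = conditions.get("NotBefore")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid (NotBefore)"

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)"

    # The assertion must be addressed to this service provider's Entity Id.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audiences and entity_id not in audiences:
        return False, "audience does not match Entity Id"

    statement = root.find("saml:AuthnStatement", SAML_NS)
    if statement is None:
        return False, "assertion has no AuthnStatement"
    authn_instant = parse_instant(statement.get("AuthnInstant"))
    if now - authn_instant > timedelta(seconds=max_authentication_age) + skew:
        return False, "authentication at the IdP is older than Max Authentication Age"

    return True, "accepted"


def demo():
    """Evaluate the constructed assertion at several receipt times."""
    at = parse_instant
    return {
        "in_window": check_assertion_times(ASSERTION, at("2024-05-01T10:02:00Z"), 60, 7200, SP_ENTITY_ID),
        "within_skew": check_assertion_times(ASSERTION, at("2024-05-01T10:05:30Z"), 60, 7200, SP_ENTITY_ID),
        "expired": check_assertion_times(ASSERTION, at("2024-05-01T10:06:30Z"), 60, 7200, SP_ENTITY_ID),
        "too_early": check_assertion_times(ASSERTION, at("2024-05-01T09:58:00Z"), 60, 7200, SP_ENTITY_ID),
        "stale_login": check_assertion_times(ASSERTION, at("2024-05-01T10:02:00Z"), 60, 3600, SP_ENTITY_ID),
        "wrong_audience": check_assertion_times(ASSERTION, at("2024-05-01T10:02:00Z"), 60, 7200, "https://other.test/sp"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The "within_skew" case is received 30 seconds after NotOnOrAfter and is still accepted because the 60-second skew covers it; with a skew of several minutes the same logic would accept a response captured well after the IdP intended it to expire. The "stale_login" case shows Max Authentication Age rejecting an otherwise valid assertion whose AuthnInstant is 92 minutes old once the limit is lowered to 3600 seconds.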
Advanced Tab
You can sign or encrypt SAML requests and responses for additional security. The Advanced tab provides the configuration fields for signing and encrypting SAML requests and responses. You must provide a valid public key or certificate to the IdP so that it can verify requests signed by the service provider and encrypt assertions for it. For more information about keystores, see Keystores.
Property | Description |
---|---|
Keystore Provider (Required) | The name of a Keystore Provider shared resource that holds the signing and encryption keys. |
Sign Authentication Request (Optional) | If you select this check box, the service provider signs its authentication requests with the key identified by Key Alias to Sign. You must provide the matching public key or certificate to the IdP so that it can verify the signatures. |
Sign Logout Request (Optional) | Select the check box to sign logout requests sent by the service provider. |
Sign Logout Response (Optional) | If you select this check box, the IdP must sign the logout response before returning it to the service provider. |
Sign Assertions (Optional) | Select the check box to require signed SAML assertions from the IdP. The service provider does not issue assertions, so this setting governs what it accepts; an unsigned assertion can be forged by anyone who can post to the IDP SSO URL, so leave it selected in production. |
Sign Metadata (Optional) | Select the check box to sign the SAML metadata published by the service provider. |
Encrypt Assertion (Optional) | Select the check box to require encrypted SAML assertions from the IdP. The service provider decrypts them with the private key identified by Key Alias to Encrypt; the matching certificate must be made available to the IdP. |
Key Alias to Encrypt and Key Alias Password (Optional) | Name of the key alias used for encryption (the key pair whose private key decrypts assertions sent to the service provider) and the password for the alias. |
Key Alias to Sign and Key Alias Password (Optional) | Name of the key alias used for signing and the password for the alias. |
Default Key Alias and Key Alias Password (Required) | Name of the default key alias, used when no specific signing or encryption alias is set, and the password for the alias. |
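The Advanced tab settings only work if the IdP learns about them: the signing and encryption certificates, and the fact that requests are signed and signed assertions are expected, travel to the IdP in the service provider's SAML metadata. The following Python example is added here to show what that metadata looks like for a given combination of check boxes, and how to read an export back to confirm what it promises; it is not TIBCO code, and the entity ID, base URL, certificate placeholders and settings dictionary are constructed.

```python
"""Service provider metadata that reflects the Advanced tab choices, so the
IdP receives the certificates it needs to verify signed requests and to
encrypt assertions. Added illustration, not TIBCO code; every value is
constructed."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Placeholders for the base64 DER certificates exported from the Keystore
# Provider for Key Alias to Sign and Key Alias to Encrypt (constructed).
SIGNING_CERT = "MIIC...signing-cert-placeholder..."
ENCRYPTION_CERT = "MIIC...encryption-cert-placeholder..."


def add_key_descriptor(parent, use, cert_b64):
    """Publish one certificate under <md:KeyDescriptor use="signing|encryption">."""
    kd = ET.SubElement(parent, f"{{{MD}}}KeyDescriptor", use=use)
    key_info = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64


def build_sp_metadata(entity_id, base_url, settings):
    """settings holds booleans named after the Advanced tab check boxes.
    base_url is prefixed to the /SSO and /SingleLogout endpoint paths from
    the General tab."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(
        root, f"{{{MD}}}SPSSODescriptor",
        AuthnRequestsSigned=str(settings["sign_authentication_request"]).lower(),
        WantAssertionsSigned=str(settings["sign_assertions"]).lower(),
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
    )
    if settings["sign_authentication_request"] or settings["sign_logout_request"]:
        add_key_descriptor(sp, "signing", SIGNING_CERT)
    if settings["encrypt_assertion"]:
        add_key_descriptor(sp, "encryption", ENCRYPTION_CERT)
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  Binding=POST_BINDING, Location=base_url + "/SingleLogout")
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  Binding=POST_BINDING, Location=base_url + "/SSO", index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def summarize_sp_metadata(xml_text):
    """Read back what an SP metadata document promises the IdP."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = sp.find(f"{{{MD}}}AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "key_uses": sorted(kd.get("use") for kd in sp.findall(f"{{{MD}}}KeyDescriptor")),
        "acs_location": acs.get("Location") if acs is not None else None,
    }


def weak_points(summary):
    """Settings a reviewer would flag before the metadata goes to an IdP."""
    issues = []
    if not summary["want_assertions_signed"]:
        issues.append("unsigned assertions accepted (Sign Assertions not selected)")
    if "encryption" not in summary["key_uses"]:
        issues.append("no encryption certificate published (Encrypt Assertion not selected)")
    if summary["acs_location"] and not summary["acs_location"].startswith("https://"):
        issues.append("assertion consumer service is not served over HTTPS")
    return issues


HARDENED = {"sign_authentication_request": True, "sign_logout_request": True,
            "sign_assertions": True, "encrypt_assertion": True}
WEAK = {k: False for k in HARDENED}

if __name__ == "__main__":
    for label, settings in (("hardened", HARDENED), ("weak", WEAK)):
        summary = summarize_sp_metadata(
            build_sp_metadata("https://host:8080/saml/saml/metadata", "https://host:8080/saml/saml", settings))
        print(label, summary, weak_points(summary))
```

With the hardened settings the metadata carries both a signing and an encryption KeyDescriptor and advertises AuthnRequestsSigned and WantAssertionsSigned as true; with every check box cleared it publishes no certificates at all, which is what an IdP administrator would see if the Keystore Provider and key aliases were configured but the check boxes were left unselected.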