You can configure SAML as required.
Properties marked as cross-tenant properties (for example com.aris.umc.saml.tenant below) can only be changed using the ARIS Cloud Controller (ACC) Command-line Tool. To change such a setting, enter the following in ACC:
reconfigure umcadmin_<size of your installation: s, m, or l> JAVA-D<property name>="<value>"
Example
reconfigure umcadmin_m JAVA-Dcom.aris.umc.loadbalancer.url="https://myserver.com"
General

| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.saml.active | Use SAML: Specifies whether a SAML-based login is allowed. | true, false | false |
| com.aris.umc.saml.binding | Binding: Specifies the binding used for sending authentication requests to the identity provider, that is, how the redirect to the identity provider is performed. | Redirect, POST | POST |
| com.aris.umc.saml.identity.provider.id | Identity provider ID: Specifies the ID of the identity provider. | String | |
| com.aris.umc.saml.service.provider.id | Service provider ID: Specifies the ID of the service provider. | String | |
| com.aris.umc.saml.identity.provider.sso.url | Single sign-on URL: Specifies the endpoint of the identity provider that is used for single sign-on. | URL | |
| com.aris.umc.saml.identity.provider.logout.url | Single logout URL: Specifies the endpoint of the identity provider that is used for single logout. | URL | |
Signature

| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.saml.signature.assertion.active | Enforce signing of assertions: If set, all assertions received by the application must be signed, and assertions sent by the application are signed. | true, false | false |
| com.aris.umc.saml.signature.request.active | Enforce signing of requests: If set, all SAML authentication requests received by the application must be signed, and requests sent by the application are signed. | true, false | false |
| com.aris.umc.saml.signature.response.active | Enforce signing of responses: If set, all SAML responses received by the application must be signed, and responses sent by the application are signed. | true, false | false |
| com.aris.umc.saml.signature.metadata.active | Enforce signing of metadata: If set, the service provider metadata file provided by the application is signed. | true, false | false |
| com.aris.umc.saml.signature.algorithm | Signature algorithm: Specifies the algorithm used for the signature. The algorithm is selected from the list offered in the user interface. | String | |

With the example values shown (all false), the application accepts unsigned responses and assertions. For a production setup, enforce at least response or assertion signing, so that an assertion is only accepted if it was produced with the identity provider signing key whose certificate is held in the truststore.
Keystore

| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.saml.keystore.location | Keystore: Specifies the location of the keystore file used for validating SAML assertions. The keystore must have been uploaded previously. | Path | |
| com.aris.umc.saml.keystore.alias | Alias: Specifies the alias name that is used to access the keystore. | String | |
| com.aris.umc.saml.keystore.password | Password: Specifies the password that is used to access the keystore. | String | |
| com.aris.umc.saml.keystore.type | Type: Specifies the type of the keystore to be used. The keystore type is selected from a list. | String | JKS |

The alias selects the key pair the application uses when it signs requests, assertions, responses or metadata (see Signature). The keystore password is held in the configuration, so the configuration store needs the same protection as the keystore file itself.
Truststore

| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.saml.truststore.location | Truststore: Specifies the location of the truststore file used for validating SAML assertions. The truststore must have been uploaded previously and must contain the signing certificate of the identity provider. | Path | |
| com.aris.umc.saml.truststore.alias | Alias: Specifies the alias to be used for accessing the truststore. | String | |
| com.aris.umc.saml.truststore.password | Password: Specifies the password to be used for accessing the truststore. | String | |
| com.aris.umc.saml.truststore.type | Type: Specifies the type of the truststore. | String | JKS |
User attributes

| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.saml.attribute.fname | First name: Specifies the attribute name to be used for reading first names from a SAML assertion. | String | John |
| com.aris.umc.saml.attribute.lname | Last name: Specifies the attribute name to be used for reading last names from a SAML assertion. | String | Doe |
| com.aris.umc.saml.attribute.email | E-mail address: Specifies the attribute name to be used for reading e-mail addresses from a SAML assertion. | String | jd@company.com |
| com.aris.umc.saml.attribute.phone | Telephone number: Specifies the attribute name to be used for reading phone numbers from a SAML assertion. | String | 01234567 |
| com.aris.umc.saml.attribute.memberof | Member of: Specifies the attribute that references the groups of a user. | String | Main group |
| com.aris.umc.saml.attribute.userdefined | User-defined: Comma-separated list of attribute names to be imported as user-defined attributes of the user. | String | |

The value of each of these properties is the attribute name as it appears in the assertion issued by the identity provider; the Example column shows sample values that such an attribute carries, not attribute names.
Advanced settings

| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.saml.login.mode.dn.active | Login using DN: Specifies whether login is attempted using the fully qualified name (DN) instead of the user name. | true, false | |
| com.aris.umc.saml.login.mode.keyword.active | Decompose DN: Specifies whether the fully qualified name is decomposed into its parts. | true, false | |
| com.aris.umc.saml.login.mode.keyword.name | Keyword: Specifies which part of the fully qualified name is used for login. | String | |
| com.aris.umc.saml.auth.context.class.refs | Authentication context classes: Specifies the authentication context classes to request, that is, the required strength of the authentication. For example, users must use Kerberos if you define Microsoft® Windows as the authentication context class and exact as the authentication context comparison. | String | |
| com.aris.umc.saml.auth.context.comparison | Authentication context comparison: Specifies the authentication context comparison to request, that is, whether other authentication procedures are allowed or not. For example, users must use Kerberos if you define Microsoft® Windows as the authentication context class and exact as the authentication context comparison. | String | |
| com.aris.umc.saml.auth.nameid.format | NameID format: Specifies in which format the user ID is transferred to ARIS Administration. | String | |
| com.aris.umc.saml.login.users.create | Automatically create user: Defines whether the user specified in the SAML assertion is created automatically if the user does not exist yet. The default value is false. The following restrictions apply to automatically created users: | true, false | false |
| com.aris.umc.saml.assertion.timeoffset | Clock skew (in seconds): Specifies the tolerated time offset between identity provider and service provider. Assertions are accepted if they are received within their validity window widened by this offset. | Integer | 60 |
| com.aris.umc.saml.service.provider.urls | Allowed service provider URLs: Comma-separated list of service provider URLs that are allowed to request that the user administration initiates the use of SSO. | String | |
| com.aris.umc.saml.assertion.ttl | Assertion lifetime (in seconds): Specifies the maximum lifetime of a SAML assertion. | Integer | 10 |
| com.aris.umc.saml.service.provider.assertion.consumer.url.overwrite | Assertion consumer service URL: Overrides the Assertion Consumer Service URL used in SAML authentication requests. The URL must have the form http(s)://hostname/umc/rest/saml/initsso. If not set, the URL is derived from the incoming HTTP request; set it explicitly when the application sits behind a load balancer or reverse proxy, so that the value does not depend on the Host header of the request. | URL | |
| com.aris.umc.saml.tenant | Default tenant: Specifies the default tenant that is to be used for the SAML-based login. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. | String | default |
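As an added example that is not part of this page or of ARIS, the following Python script models what the Signature, User attributes and Advanced settings above ask of the service provider when it consumes a SAML Response: signature presence per signature.response.active and signature.assertion.active (cryptographic verification against the truststore is left to an XML-DSig library such as xmlsec and is not done here), Issuer against identity.provider.id, Audience against service.provider.id, the Conditions window widened by assertion.timeoffset, the assertion age against assertion.ttl (read here as the maximum age of IssueInstant at the time of consumption; the page does not define the lifetime more precisely), attribute mapping via the attribute.* names, and the NameID decomposition described by login.mode.*. The identity provider and service provider IDs, attribute names, policy values and the sample response are all constructed for the example, and the policy dictionary uses the property names without their com.aris.umc.saml. prefix.

```python
# Added example (not ARIS code); policy keys are the com.aris.umc.saml.* names minus the prefix, values assumed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

POLICY = {
    "identity.provider.id": "https://idp.example.com/metadata",
    "service.provider.id": "https://aris.example.com/umc",
    "signature.response.active": True,
    "signature.assertion.active": True,
    "assertion.timeoffset": 60,  # clock skew in seconds
    "assertion.ttl": 10,  # assertion lifetime in seconds
    "attribute.fname": "givenName",
    "attribute.lname": "sn",
    "attribute.email": "mail",
    "attribute.memberof": "memberOf",
    "attribute.userdefined": "department, employeeId",
    "login.mode.dn.active": True,
    "login.mode.keyword.active": True,
    "login.mode.keyword.name": "CN",
}

# Constructed sample: the Response carries a placeholder signature, the Assertion none, so the assertion rule fires.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer><ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>CN=jdoe,OU=Users,DC=example,DC=com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:30Z" NotOnOrAfter="2024-05-01T10:05:00Z"><saml:AudienceRestriction><saml:Audience>https://aris.example.com/umc</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="givenName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="mail"><saml:AttributeValue>jd@company.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="memberOf"><saml:AttributeValue>Main group</saml:AttributeValue><saml:AttributeValue>Modelers</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):  # SAML timestamps are UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_name(name_id, policy):  # derive the login identifier from the NameID per login.mode.*
    if not policy["login.mode.dn.active"]:
        return name_id  # NameID is taken as the plain user name
    if not policy["login.mode.keyword.active"]:
        return name_id  # NameID is a DN and is used whole
    keyword = policy["login.mode.keyword.name"].strip().upper()
    for rdn in name_id.split(","):  # naive RDN split; RFC 4514 escaping is not handled
        typ, _, val = rdn.partition("=")
        if typ.strip().upper() == keyword:
            return val.strip()
    return name_id  # keyword absent from the DN: fall back to the whole DN


def map_user(assertion, policy):  # read the user fields named by the attribute.* properties
    attrs = {}
    for a in assertion.iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
    first = lambda name: (attrs.get(name) or [""])[0]
    custom = [n.strip() for n in policy["attribute.userdefined"].split(",") if n.strip()]
    return {
        "login": login_name(assertion.findtext("saml:Subject/saml:NameID", "", NS).strip(), policy),
        "first_name": first(policy["attribute.fname"]),
        "last_name": first(policy["attribute.lname"]),
        "email": first(policy["attribute.email"]),
        "groups": attrs.get(policy["attribute.memberof"], []),
        "user_defined": {n: first(n) for n in custom if n in attrs},
    }


def check_response(xml_text, policy, now):
    """Return (findings, user); an empty findings list means the response passes policy."""
    findings = []
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response contains no Assertion"], None
    # Signature presence only; verifying it against the truststore needs an XML-DSig library.
    if policy["signature.response.active"] and resp.find("ds:Signature", NS) is None:
        findings.append("Response is unsigned but signature.response.active=true")
    if policy["signature.assertion.active"] and assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is unsigned but signature.assertion.active=true")
    if assertion.findtext("saml:Issuer", "", NS).strip() != policy["identity.provider.id"]:
        findings.append("Issuer does not match identity.provider.id")
    if assertion.findtext(".//saml:Audience", "", NS).strip() != policy["service.provider.id"]:
        findings.append("Audience does not match service.provider.id")
    skew = timedelta(seconds=policy["assertion.timeoffset"])
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and "NotBefore" in cond.attrib and now < parse_instant(cond.get("NotBefore")) - skew:
        findings.append("Assertion not yet valid (NotBefore, clock skew applied)")
    if cond is not None and "NotOnOrAfter" in cond.attrib and now >= parse_instant(cond.get("NotOnOrAfter")) + skew:
        findings.append("Assertion expired (NotOnOrAfter, clock skew applied)")
    age = now - parse_instant(assertion.get("IssueInstant"))  # "lifetime" read as max age when consumed
    if age > timedelta(seconds=policy["assertion.ttl"]) + skew:
        findings.append(f"Assertion is {int(age.total_seconds())}s old, over assertion.ttl")
    return findings, map_user(assertion, policy)
```

Calling check_response(SAMPLE_RESPONSE, POLICY, parse_instant("2024-05-01T10:00:05Z")) yields a single finding, the unsigned assertion, together with the mapped user (login jdoe, groups Main group and Modelers, user-defined attribute department); consumed at 2024-05-01T10:06:30Z the same response additionally reports expiry past NotOnOrAfter plus skew and an age over assertion.ttl. Setting signature.assertion.active to false in the policy makes the sample pass, which is exactly why the page's example values of false for all signature flags are not suitable for production.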