SAML keys

You can configure SAML as required.

Properties that are highlighted as cross-tenant properties can only be changed using the ARIS Cloud Controller (ACC) Command-line Tool. To change such a setting, enter the following:

reconfigure umcadmin_<size of your installation, s, m, or l> JAVA-D<property name>="<value>"

Example

reconfigure umcadmin_m JAVA-Dcom.aris.umc.loadbalancer.url="https://myserver.com"

General

| Key | Setting | Description | Valid input | Example |
|---|---|---|---|---|
| com.aris.umc.saml.active | Use SAML | Specifies whether a SAML-based login is allowed. | true, false | false |
| com.aris.umc.saml.binding | Binding | Specifies the binding used for sending authentication requests to the identity provider, that is, how the redirect for authentication is performed. The options are Redirect or POST. | Redirect, POST | POST |
| com.aris.umc.saml.identity.provider.id | Identity provider ID | Specifies the ID of the identity provider. | String | |
| com.aris.umc.saml.service.provider.id | Service provider ID | Specifies the ID of the service provider. | String | |
| com.aris.umc.saml.identity.provider.sso.url | Single sign-on URL | Specifies the endpoint of the identity provider that is used for single sign-on. | | |
| com.aris.umc.saml.identity.provider.logout.url | Single logout URL | Specifies the endpoint of the identity provider that is used for single logout. | | |

Signature

| Key | Setting | Description | Valid input | Example |
|---|---|---|---|---|
| com.aris.umc.saml.signature.assertion.active | Enforce signing of assertions | Enforces that SAML assertions must be signed. If set, all assertions received by the application must be signed, and assertions sent by the application are signed. | true, false | false |
| com.aris.umc.saml.signature.request.active | Enforce signing of requests | Enforces that SAML authentication requests must be signed. If set, all requests received by the application must be signed, and requests sent by the application are signed. | true, false | false |
| com.aris.umc.saml.signature.response.active | Enforce signing of responses | Enforces that SAML responses must be signed. If set, all responses received by the application must be signed, and responses sent by the application are signed. | true, false | false |
| com.aris.umc.saml.signature.metadata.active | Enforce signing of metadata | Enforces that SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed. | true, false | false |
| com.aris.umc.saml.signature.algorithm | Signature algorithm | Specifies the algorithm used for the signature. The algorithm can be selected from the list. | String | |

Keystore

| Key | Setting | Description | Valid input | Example |
|---|---|---|---|---|
| com.aris.umc.saml.keystore.location | Keystore | Specifies the location of the keystore file used for validating SAML assertions. The keystore must have been uploaded previously. | | |
| com.aris.umc.saml.keystore.alias | Alias | Specifies the alias name that is used to access the keystore. | String | |
| com.aris.umc.saml.keystore.password | Password | Specifies the password that is used to access the keystore. | String | |
| com.aris.umc.saml.keystore.type | Type | Specifies the type of the keystore to be used. The keystore type can be selected from a list. | String | JKS |

Truststore

| Key | Setting | Description | Valid input | Example |
|---|---|---|---|---|
| com.aris.umc.saml.truststore.location | Truststore | Specifies the location of the truststore file used for validating SAML assertions. The truststore must have been uploaded previously. | | |
| com.aris.umc.saml.truststore.alias | Alias | Specifies the alias to be used for accessing the truststore. | String | |
| com.aris.umc.saml.truststore.password | Password | Specifies the password to be used for accessing the truststore. | String | |
| com.aris.umc.saml.truststore.type | Type | Specifies the type of the truststore. | String | JKS |

User attributes

| Key | Setting | Description | Valid input | Example |
|---|---|---|---|---|
| com.aris.umc.saml.attribute.fname | First name | Specifies the attribute name to be used for reading first names from a SAML assertion. | String | John |
| com.aris.umc.saml.attribute.lname | Last name | Specifies the attribute name to be used for reading last names from a SAML assertion. | String | Doe |
| com.aris.umc.saml.attribute.email | E-mail address | Specifies the attribute name to be used for reading e-mail addresses from a SAML assertion. | String | jd@company.com |
| com.aris.umc.saml.attribute.phone | Telephone number | Specifies the attribute name to be used for reading phone numbers from a SAML assertion. | Integer | 01234567 |
| com.aris.umc.saml.attribute.memberof | Member of | Specifies the attribute that references the groups of a user. | String | Main group |
| com.aris.umc.saml.attribute.userdefined | User-defined | Comma-separated list of attributes to be imported as user-defined attributes of the user. | | |

Advanced settings

| Key | Setting | Description | Valid input | Example |
|---|---|---|---|---|
| com.aris.umc.saml.login.mode.dn.active | Login using DN | Specifies whether login is to be tried using the fully qualified name instead of the user name. | true, false | |
| com.aris.umc.saml.login.mode.keyword.active | Decompose DN | Specifies whether the fully qualified name is to be decomposed. | true, false | |
| com.aris.umc.saml.login.mode.keyword.name | Keyword | Specifies which part of the fully qualified name is to be used for login. | true, false | |
| com.aris.umc.saml.auth.context.class.refs | Authentication context classes | Specifies the authentication context classes to request, that is, which strength of authentication is required. For example, users must use Kerberos if you define Microsoft® Windows as the authentication context class and set the authentication context comparison to exact. | String | |
| com.aris.umc.saml.auth.context.comparison | Authentication context comparison | Specifies the authentication context comparison to request, that is, whether other authentication procedures are allowed or not. For example, users must use Kerberos if you define Microsoft® Windows as the authentication context class and set the authentication context comparison to exact. | String | |
| com.aris.umc.saml.auth.nameid.format | NameID format | Specifies the format in which the user ID is transferred to ARIS Administration. | String | |
| com.aris.umc.saml.login.users.create | Automatically create user | Defines whether the user specified in the SAML assertion is created automatically if the user does not already exist. The default value is false. Restrictions for automatically created users: the Login attribute is set to the name specified in the assertion; the distinguished name attribute is set to the name specified in the assertion (only if the name is in an appropriate format); a manual login is not possible if the password and e-mail attributes are not maintained. | true, false | false |
| com.aris.umc.saml.assertion.timeoffset | Clock skew (in seconds) | Specifies the permitted time offset between identity provider and service provider in seconds. Assertions are accepted if they are received within the resulting time frame. | | 60 |
| com.aris.umc.saml.service.provider.urls | Allowed service provider URLs | Comma-separated list of service provider URLs that are allowed to request that the user administration initiates the use of SSO. | | |
| com.aris.umc.saml.assertion.ttl | Assertion lifetime (in seconds) | Specifies the maximum lifetime of a SAML assertion in seconds. | | 10 |
| com.aris.umc.saml.service.provider.assertion.consumer.url.overwrite | Assertion consumer service URL | Specifies that the Assertion Consumer Service URL used in SAML authentication requests can be overwritten. The URL must be specified in the format http(s)://hostname/umc/rest/saml/initsso. If no value is specified, the URL is derived from the HTTP request. | | |
| com.aris.umc.saml.tenant | Default tenant | Specifies the default tenant that is to be used for the SAML-based login. Cross-tenant property that can only be changed using ARIS Cloud Controller; for more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. | String | default |
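The clock skew (com.aris.umc.saml.assertion.timeoffset), assertion lifetime (com.aris.umc.saml.assertion.ttl) and assertion-signing flag (com.aris.umc.saml.signature.assertion.active) together decide whether a received assertion is accepted. The Python below is an added illustration of that interaction, not ARIS code: it applies the page's example values to a constructed assertion, assuming that the lifetime is counted from IssueInstant and that the skew widens the validity window at both ends (an assumption about the product's semantics, not stated on the page); the signature check only tests that a Signature element is present, it does not verify it.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed sample assertion (not from any real IdP): issued at 12:00:00, the IdP
# grants a five-minute validity window, and the assertion carries no signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

# Timing values taken from the page's example column: 60 s skew, 10 s lifetime.
STRICT = {
    "com.aris.umc.saml.assertion.timeoffset": 60,
    "com.aris.umc.saml.assertion.ttl": 10,
    "com.aris.umc.saml.signature.assertion.active": True,
}
# Same timing, but signing of assertions is not enforced (the page's default, false).
RELAXED = {**STRICT, "com.aris.umc.saml.signature.assertion.active": False}


def utc(value):
    """Parse the xsd:dateTime form used in SAML timestamps (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, config, now):
    """Return (accepted, reason) for an assertion received at service-provider time `now`."""
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=config["com.aris.umc.saml.assertion.timeoffset"])
    ttl = timedelta(seconds=config["com.aris.umc.saml.assertion.ttl"])
    # Signing enforcement: with the flag set, an unsigned assertion is rejected before any
    # other check (presence only in this illustration; real code verifies the XML signature).
    if config["com.aris.umc.saml.signature.assertion.active"] and root.find(DSIG_SIGNATURE) is None:
        return False, "assertion is not signed"
    cond = root.find("saml:Conditions", SAML_NS)
    not_before, not_on_or_after = utc(cond.get("NotBefore")), utc(cond.get("NotOnOrAfter"))
    issued = utc(root.get("IssueInstant"))
    # Clock skew widens the IdP's window at both ends (assumed semantics).
    if now + skew < not_before:
        return False, "not yet valid, even allowing for clock skew"
    if now - skew >= not_on_or_after:
        return False, "IdP validity window has passed, even allowing for clock skew"
    # The service-provider lifetime caps the IdP window: an assertion older than
    # ttl (+ skew) is refused even though NotOnOrAfter would still allow it.
    if now - issued > ttl + skew:
        return False, "older than the configured assertion lifetime"
    return True, "accepted"
```

With the page's example values, an assertion 50 seconds old is still accepted (10 s lifetime plus 60 s skew), so the skew setting directly extends the replay window and should be kept as small as clock synchronisation allows.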