SAML keys

You can configure SAML as required.

General

Use SAML

Description

Specifies whether a SAML-based login is allowed.

Key

com.aris.umc.saml.active

Valid input

true, false

Binding

Description

Specifies the binding used for sending authentication requests to the identity provider, that is, how the browser is redirected to the identity provider for authentication. The options are Redirect or POST.

Key

com.aris.umc.saml.binding

Valid input

POST, Redirect

Example

POST

Identity provider ID

Description

Specifies the ID of the identity provider.

Key

com.aris.umc.saml.identity.provider.id

Valid input

String

Service provider ID

Description

Specifies the ID of the service provider.

Key

com.aris.umc.saml.service.provider.id

Valid input

String

Example

UMC@<yourarisserver>

Where <yourarisserver> is the actual name of your server.

Single sign-on URL

Description

Specifies the end point of the identity provider that is used for single sign-on.

Key

com.aris.umc.saml.identity.provider.sso.url

Valid input

URL

Example

https://yourserver:8443/openam/SSOPOST/metaAlias/MSAD/idp

Single logout URL

Description

Specifies the end point of the identity provider that is used for single logout.

Key

com.aris.umc.saml.identity.provider.logout.url

Valid input

URL

Example

https://yourserver:8443/openam/IDPSloPOST/metaAlias/MSAD/idp

Signature

Enforce signing of assertions

Description

Enforces that SAML assertions must be signed. If set, all assertions received by the application must be signed. Assertions sent by the application are signed.

Key

com.aris.umc.saml.signature.assertion.active

Valid input

true, false

Enforce signing of requests

Description

Enforces that the SAML authentication requests must be signed. If set, all requests received by the application must be signed. Requests sent by the application are signed.

Key

com.aris.umc.saml.signature.request.active

Valid input

true, false

Enforce signing of responses

Description

Enforces that the SAML response must be signed. If set, all responses received by the application must be signed. Responses sent by the application are signed.

Key

com.aris.umc.saml.signature.response.active

Valid input

true, false

Enforce signing of metadata

Description

Enforces that the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed.

Key

com.aris.umc.saml.signature.metadata.active

Valid input

true, false

Signature algorithm

Description

Specifies the algorithm for the signature. The algorithm can be selected from the list.

Key

com.aris.umc.saml.signature.algorithm

Valid input

String

Keystore

Keystore

Description

Specifies the location of the keystore file used for validating SAML assertions. Specify all values for the keystore and then upload the keystore file.

Key

com.aris.umc.saml.keystore.location

Valid input

File with extension .jks or .keystore.

Alias

Description

Specifies the alias name that is used to access the keystore.

Key

com.aris.umc.saml.keystore.alias

Valid input

String

Password

Description

Specifies the password that is used to access the keystore.

Key

com.aris.umc.saml.keystore.password

Valid input

String

Type

Description

Specifies the type of the keystore to be used. The keystore type can be selected from a list.

Key

com.aris.umc.saml.keystore.type

Valid input

List item

Example

JKS

Truststore

Truststore

Description

Specifies the location of the truststore file used for validating SAML assertions. Specify all values for the truststore and then upload the truststore file.

Key

com.aris.umc.saml.truststore.location

Valid input

File with extension .jks or .truststore.

Alias

Description

Specifies the alias to be used for accessing the truststore.

Key

com.aris.umc.saml.truststore.alias

Valid input

String

Password

Description

Specifies the password to be used for accessing the truststore.

Key

com.aris.umc.saml.truststore.password

Valid input

String

Type

Description

Specifies the type of the truststore.

Key

com.aris.umc.saml.truststore.type

Valid input

List item

Example

JKS

User attributes

First name

Description

Specifies the attribute name to be used for reading first names from a SAML assertion.

Key

com.aris.umc.saml.attribute.fname

Valid input

String

Last name

Description

Specifies the attribute name to be used for reading last names from a SAML assertion.

Key

com.aris.umc.saml.attribute.lname

Valid input

String

E-mail address

Description

Specifies the attribute name to be used for reading e-mail addresses from a SAML assertion.

Key

com.aris.umc.saml.attribute.email

Valid input

E-mail address

Telephone number

Description

Specifies the attribute name to be used for reading phone numbers from a SAML assertion.

Key

com.aris.umc.saml.attribute.phone

Valid input

String

Member of

Description

Attribute that references the groups of a user.

Key

com.aris.umc.saml.attribute.memberof

Valid input

String

Example

Main group

User-defined

Description

Comma-separated list of attributes to be imported as user-defined attributes of the user.

Key

com.aris.umc.saml.attribute.userdefined

Valid input

Comma-separated list

Advanced settings

Login using DN

Description

Specifies whether login is to be tried using the fully qualified name instead of the user name.

Key

com.aris.umc.saml.login.mode.dn.active

Valid input

true, false

Decompose DN

Description

Specifies whether the fully qualified name is to be decomposed.

Key

com.aris.umc.saml.login.mode.keyword.active

Valid input

true, false

Keyword

Description

Specifies which part of the fully qualified name is to be used for login.

Key

com.aris.umc.saml.login.mode.keyword.name

Valid input

true, false

Authentication context classes

Description

Specifies the authentication context classes to request, that is, the required strength of authentication. For example, you require that users authenticate with Kerberos if you define Microsoft® Windows as the Authentication context class and exact as the Authentication context comparison.

Key

com.aris.umc.saml.auth.context.class.refs

Valid input

Selection

Example

PasswordProtectedTransport

Authentication context comparison

Description

Specifies the authentication context comparison to request, that is, whether authentication procedures other than the requested class are accepted. For example, you require that users authenticate with Kerberos if you define Microsoft® Windows as the Authentication context class and exact as the Authentication context comparison.

Key

com.aris.umc.saml.auth.context.comparison

Valid input

String

NameID format

Description

Specifies in which format the user ID is transferred to ARIS Administration.

Key

com.aris.umc.saml.auth.nameid.format

Valid input

String

Automatically create user

Description

Defines whether the user specified in the SAML assertion is created automatically if the user does not already exist. The following restrictions apply to automatically created users:

Key

com.aris.umc.saml.login.users.create

Valid input

true, false

Default value

false

Clock skew (in seconds)

Description

Specifies the time offset between identity provider and service provider in seconds. Assertions are accepted if they are received within the permitted time frame.

Key

com.aris.umc.saml.assertion.timeoffset

Valid input

Integer > 0

Allowed service provider URLs

Description

Comma-separated list of service provider URLs that are allowed to request that the user administration initiates the use of SSO.

Key

com.aris.umc.saml.service.provider.urls

Valid input

Comma-separated list
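The setting above is an allowlist: only the listed service provider URLs may ask the user administration to start SSO. The following Python script is an added example, not ARIS code, showing how such a comma-separated list is applied strictly. A requested URL is accepted only if scheme, host, port and path match an entry exactly, which keeps look-alike host names from passing; a prefix match, shown for contrast, would let them through. The parsing and normalization rules, the function names, and the sample URLs are this example's own assumptions.

```python
"""Strict allowlist check for SSO-initiation requests (added example, not ARIS code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url):
    """Reduce a URL to (scheme, host, port, path) so entries compare exactly."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)   # .port raises ValueError if malformed
    path = parts.path.rstrip("/") or "/"
    return (scheme, host, port, path)


def parse_allowlist(value):
    """Parse the comma-separated setting value into a set of normalized URLs."""
    return {_normalize(u) for u in value.split(",") if u.strip()}


def is_allowed(requested_url, allowlist):
    """Exact match on every component; anything unparsable is rejected."""
    try:
        return _normalize(requested_url) in allowlist
    except ValueError:
        return False


def naive_prefix_allowed(requested_url, raw_value):
    """The weak form, shown only for contrast: a prefix test accepts look-alike hosts."""
    return any(requested_url.startswith(u.strip()) for u in raw_value.split(",") if u.strip())


# Constructed sample value for com.aris.umc.saml.service.provider.urls
RAW_SETTING = "https://sp1.example.test/umc/rest/saml/initsso, https://sp2.example.test:8443/app/"
ALLOWED = parse_allowlist(RAW_SETTING)

if __name__ == "__main__":
    print(is_allowed("https://SP1.example.test:443/umc/rest/saml/initsso", ALLOWED))        # True
    print(is_allowed("https://sp1.example.test.evil.example/umc/rest/saml/initsso", ALLOWED))  # False
    print(naive_prefix_allowed("https://sp1.example.test.evil.example/x", "https://sp1.example.test"))  # True
```

Host names are compared case-insensitively and default ports are filled in, so an entry written without an explicit port still matches a request that names port 443; everything else must be identical.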

Assertion lifetime (in seconds)

Description

Specifies the maximum lifetime of a SAML assertion in seconds.

Key

com.aris.umc.saml.assertion.ttl

Valid input

Integer > 0
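The Signature settings, the Service provider ID, the Clock skew and the Assertion lifetime above all feed the checks a service provider runs on an incoming SAML response. The following Python script is an added example, not ARIS code, that makes those checks concrete on a constructed sample response: signature enforcement is represented by a presence check for ds:Signature elements (cryptographic verification is out of scope), the service provider ID is matched against the assertion's Audience, the Conditions window is widened by the clock skew, and the lifetime is interpreted as a maximum age measured from IssueInstant. The CONFIG values, the function names and the sample XML are assumptions made for this example.

```python
"""Policy checks driven by the SAML settings on this page (added example, not ARIS code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical values for the keys documented on this page.
CONFIG = {
    "com.aris.umc.saml.service.provider.id": "UMC@sp.example.test",
    "com.aris.umc.saml.signature.assertion.active": True,
    "com.aris.umc.saml.signature.response.active": True,
    "com.aris.umc.saml.assertion.timeoffset": 60,   # clock skew in seconds
    "com.aris.umc.saml.assertion.ttl": 300,         # maximum assertion age in seconds (assumed meaning)
}

# Constructed sample response: signed at both levels, valid 11:59 to 12:05 UTC.
SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" IssueInstant="2024-01-01T12:00:00Z">
  <ds:Signature/>
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <ds:Signature/>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>UMC@sp.example.test</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Same message with both signatures stripped (constructed negative case).
UNSIGNED_RESPONSE = SIGNED_RESPONSE.replace("<ds:Signature/>", "")


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def utc(hour, minute):
    """Helper producing a receive time on the sample day, 2024-01-01 UTC."""
    return datetime(2024, 1, 1, hour, minute, 0, tzinfo=timezone.utc)


def check_response(xml_text, now, cfg=CONFIG):
    """Return the list of policy violations; an empty list means the response is accepted."""
    problems = []
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=cfg["com.aris.umc.saml.assertion.timeoffset"])
    ttl = timedelta(seconds=cfg["com.aris.umc.saml.assertion.ttl"])

    # Enforce signing of responses: the Response element itself must carry a signature.
    if cfg["com.aris.umc.saml.signature.response.active"] and root.find("ds:Signature", NS) is None:
        problems.append("response not signed")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]

    # Enforce signing of assertions: the Assertion must carry its own signature.
    if cfg["com.aris.umc.saml.signature.assertion.active"] and assertion.find("ds:Signature", NS) is None:
        problems.append("assertion not signed")

    # The assertion must be addressed to this service provider (Audience == service provider ID).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg["com.aris.umc.saml.service.provider.id"] not in audiences:
        problems.append("audience mismatch")

    # Validity window from Conditions, widened at both ends by the clock skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["no conditions"]
    if now + skew < parse_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")

    # Assertion lifetime: reject assertions older than ttl (plus skew) whatever Conditions say.
    if now - parse_time(assertion.get("IssueInstant")) > ttl + skew:
        problems.append("assertion older than ttl")
    return problems


if __name__ == "__main__":
    print(check_response(SIGNED_RESPONSE, utc(12, 1)))     # []
    print(check_response(UNSIGNED_RESPONSE, utc(12, 1)))   # ['response not signed', 'assertion not signed']
    print(check_response(SIGNED_RESPONSE, utc(12, 10)))    # ['assertion expired', 'assertion older than ttl']
```

Two details matter in practice: the ds:Signature lookups compare against None rather than relying on truthiness, because an empty element is falsy in ElementTree and would otherwise read as "missing"; and the skew is applied symmetrically, so a generous value loosens both the not-before and the not-on-or-after boundary, which is why it should stay as small as the clocks involved allow.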

Assertion consumer service URL

Description

Overrides the Assertion Consumer Service URL used in SAML authentication requests. The URL must be specified in the format http(s)://hostname/umc/rest/saml/initsso. If no value is specified, the URL is derived from the HTTP request.

Key

com.aris.umc.saml.service.provider.assertion.consumer.url.overwrite

Valid input

URL

Default tenant

Description

Specifies the default tenant that is to be used for the SAML-based login. This is a cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual.

Key

com.aris.umc.saml.tenant

Valid input

String