You can configure SAML as required.

Properties that are marked as cross-tenant properties can only be changed with the ARIS Cloud Controller (ACC) command-line tool. To change such a setting, enter the following:

reconfigure umcadmin_<size of your installation: s, m, or l> JAVA-D<property name>="<value>"

Example

reconfigure umcadmin_m JAVA-Dcom.aris.umc.loadbalancer.url="https://myserver.com"
General

| Key | Description |
|---|---|
| com.aris.umc.saml.active | Use SAML. Specifies whether SAML-based login is allowed. Valid input: true, false. Example: False |
| com.aris.umc.saml.binding | Binding. Specifies the binding used for sending authentication requests to the identity provider, that is, how the user is redirected to the identity provider for authentication. The options are Redirect or POST. Example: POST |
| com.aris.umc.saml.identity.provider.id | Identity provider ID. Specifies the ID of the identity provider. Valid input: String |
| com.aris.umc.saml.service.provider.id | Service provider ID. Specifies the ID of the service provider. Valid input: String |
| com.aris.umc.saml.identity.provider.sso.url | Single sign-on URL. Specifies the endpoint of the identity provider that is used for single sign-on. |
| com.aris.umc.saml.identity.provider.logout.url | Single logout URL. Specifies the endpoint of the identity provider that is used for single logout. |
Signature

| Key | Description |
|---|---|
| com.aris.umc.saml.signature.assertion.active | Enforce signing of assertions. Enforces that SAML assertions must be signed. If set, all assertions received by the application must be signed, and assertions sent by the application are signed. Valid input: true, false. Example: False |
| com.aris.umc.saml.signature.request.active | Enforce signing of requests. Enforces that SAML authentication requests must be signed. If set, all requests received by the application must be signed, and requests sent by the application are signed. Valid input: true, false. Example: False |
| com.aris.umc.saml.signature.response.active | Enforce signing of responses. Enforces that SAML responses must be signed. If set, all responses received by the application must be signed, and responses sent by the application are signed. Valid input: true, false. Example: False |
| com.aris.umc.saml.signature.metadata.active | Enforce signing of metadata. Enforces that the SAML metadata must be signed. If set, the service provider metadata file provided by the application is signed. Valid input: true, false. Example: False |
| com.aris.umc.saml.signature.algorithm | Signature algorithm. Specifies the algorithm used for the signature; it can be selected from the list. Valid input: String |
Keystore

| Key | Description |
|---|---|
| com.aris.umc.saml.keystore.location | Keystore. Specifies the location of the keystore file used for validating SAML assertions. The keystore must have been uploaded previously. |
| com.aris.umc.saml.keystore.alias | Alias. Specifies the alias name that is used to access the keystore. Valid input: String |
| com.aris.umc.saml.keystore.password | Password. Specifies the password that is used to access the keystore. Valid input: String |
| com.aris.umc.saml.keystore.type | Type. Specifies the type of the keystore to be used; it can be selected from a list. Valid input: String. Example: JKS |
Truststore

| Key | Description |
|---|---|
| com.aris.umc.saml.truststore.location | Truststore. Specifies the location of the truststore file used for validating SAML assertions. The truststore must have been uploaded previously. |
| com.aris.umc.saml.truststore.alias | Alias. Specifies the alias to be used for accessing the truststore. Valid input: String |
| com.aris.umc.saml.truststore.password | Password. Specifies the password to be used for accessing the truststore. Valid input: String |
| com.aris.umc.saml.truststore.type | Type. Specifies the type of the truststore. Valid input: String. Example: JKS |
User attributes

| Key | Description |
|---|---|
| com.aris.umc.saml.attribute.fname | First name. Specifies the attribute name to be used for reading first names from a SAML assertion. Valid input: String. Example: John |
| com.aris.umc.saml.attribute.lname | Last name. Specifies the attribute name to be used for reading last names from a SAML assertion. Valid input: String. Example: Doe |
| com.aris.umc.saml.attribute.email | E-mail address. Specifies the attribute name to be used for reading e-mail addresses from a SAML assertion. Valid input: String. Example: jd@company.com |
| com.aris.umc.saml.attribute.phone | Telephone number. Specifies the attribute name to be used for reading phone numbers from a SAML assertion. Valid input: Integer. Example: 01234567 |
| com.aris.umc.saml.attribute.memberof | Member of. Attribute that references the groups of a user. Valid input: String. Example: Main group |
| com.aris.umc.saml.attribute.userdefined | User-defined. Comma-separated list of attributes to be imported as user-defined attributes of the user. |
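To show how the attribute-name settings above are applied to an incoming assertion, here is an added Python example. It is not code from the ARIS documentation or product, and how UMC reads these properties internally is not described on this page. It assumes the property values are available as a plain dictionary, uses a constructed sample assertion, and the function names `attributes_of` and `map_user` are this example's own. It also shows the two cases a reader of the table might miss: the group attribute is multi-valued, and the user-defined list is comma-separated and may name attributes the identity provider does not send.

```python
"""Resolve the com.aris.umc.saml.attribute.* settings against a SAML assertion.

Added example (not ARIS code). Property values are assumed to be available
as a plain dict; the assertion below is constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed configuration: the attribute *names* the identity provider sends.
CONFIG = {
    "com.aris.umc.saml.attribute.fname": "givenName",
    "com.aris.umc.saml.attribute.lname": "sn",
    "com.aris.umc.saml.attribute.email": "mail",
    "com.aris.umc.saml.attribute.phone": "telephoneNumber",
    "com.aris.umc.saml.attribute.memberof": "memberOf",
    "com.aris.umc.saml.attribute.userdefined": "department, employeeNumber",
}

# Constructed sample assertion (Signature and Conditions omitted; in real
# deployments the assertion is only mapped after those have been verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jd@company.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jd@company.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Main group</saml:AttributeValue>
      <saml:AttributeValue>Modelers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_of(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    Untrusted XML from the network should go through a hardened parser
    (for example defusedxml); the standard library parser is used here only
    because the input is a constructed sample.
    """
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def map_user(assertion_xml, config):
    """Build the user record selected by the configured attribute names."""
    attrs = attributes_of(assertion_xml)

    def first(key):
        # Single-valued fields take the first value of the configured attribute;
        # None means the identity provider did not send it.
        values = attrs.get(config.get(key, ""), [])
        return values[0] if values else None

    user = {
        "first_name": first("com.aris.umc.saml.attribute.fname"),
        "last_name": first("com.aris.umc.saml.attribute.lname"),
        "email": first("com.aris.umc.saml.attribute.email"),
        "phone": first("com.aris.umc.saml.attribute.phone"),
        # Group membership is multi-valued: keep every value, in order.
        "groups": attrs.get(config.get("com.aris.umc.saml.attribute.memberof", ""), []),
        "user_defined": {},
    }
    # The user-defined setting is a comma-separated list. Tolerate whitespace
    # around the names and skip attributes that were not sent.
    names = config.get("com.aris.umc.saml.attribute.userdefined", "").split(",")
    for name in (n.strip() for n in names):
        if name and name in attrs:
            user["user_defined"][name] = attrs[name][0]
    return user


if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION, CONFIG))
```

With the constructed assertion, the phone field stays empty because no `telephoneNumber` attribute was sent, and `employeeNumber` is silently absent from the user-defined attributes, which is the behaviour to watch for when an expected attribute never appears in ARIS Administration: the cause is usually a mismatch between the configured name and the name the identity provider actually releases.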
Advanced settings

| Key | Description |
|---|---|
| com.aris.umc.saml.login.mode.dn.active | Login using DN. Specifies whether login is attempted using the fully qualified name instead of the user name. Valid input: true, false |
| com.aris.umc.saml.login.mode.keyword.active | Decompose DN. Specifies whether the fully qualified name is decomposed. Valid input: true, false |
| com.aris.umc.saml.login.mode.keyword.name | Keyword. Specifies which part of the fully qualified name is used for login. Valid input: true, false |
| com.aris.umc.saml.auth.context.class.refs | Authentication context classes. Specifies the authentication context classes to request, that is, which strength of authentication is required. For example, you specify that users must use Kerberos if you define Microsoft® Windows as the Authentication context class and the Authentication context comparison as exact. |
| com.aris.umc.saml.auth.context.comparison | Authentication context comparison. Specifies the authentication context comparison to request, that is, whether other authentication procedures are also accepted. For example, you specify that users must use Kerberos if you define Microsoft® Windows as the Authentication context class and the Authentication context comparison as exact. Valid input: String |
| com.aris.umc.saml.auth.nameid.format | NameID format. Specifies the format in which the user ID is transferred to ARIS Administration. Valid input: String |
| com.aris.umc.saml.login.users.create | Automatically create user. Defines whether the user specified in the SAML assertion is created automatically if the user does not already exist. The default value is false. The following restrictions apply to automatically created users: Valid input: true, false. Example: False |
| com.aris.umc.saml.assertion.timeoffset | Clock skew (in seconds). Specifies the permitted time offset between identity provider and service provider in seconds. Assertions are accepted if they are received within the permitted time frame. Example: 60 |
| com.aris.umc.saml.service.provider.urls | Allowed service provider URLs. Comma-separated list of service provider URLs that are allowed to request that the user administration initiates SSO. |
| com.aris.umc.saml.assertion.ttl | Assertion lifetime (in seconds). Specifies the maximum lifetime of a SAML assertion in seconds. Example: 10 |
| com.aris.umc.saml.service.provider.assertion.consumer.url.overwrite | Assertion Consumer Service URL. Specifies that the Assertion Consumer Service URL used in SAML authentication requests can be overwritten. The URL must be specified in the format http(s)://hostname/umc/rest/saml/initsso. If nothing is specified, the URL is derived from the HTTP request. |
| com.aris.umc.saml.tenant | Default tenant. Specifies the default tenant to be used for SAML-based login. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. Valid input: String. Example: default |
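Three of the advanced settings are input to validation checks rather than plain configuration: the clock skew and assertion lifetime bound the time window in which an assertion is accepted, the allowed service provider URLs form an allowlist, and the Assertion Consumer Service URL must follow a fixed format. The following added Python example shows how such checks fit together. It is not code from the ARIS documentation or product; the page does not state how UMC combines the lifetime with the clock skew, so this example applies the skew symmetrically to every time comparison and treats the lifetime as a cap counted from IssueInstant. The function names `assertion_in_window`, `sp_url_allowed` and `acs_overwrite_valid` and all sample values are this example's own.

```python
"""Checks driven by the advanced SAML settings: clock skew, assertion lifetime,
allowed service provider URLs and the Assertion Consumer Service URL format.

Added example (not ARIS code). Property values are passed as plain arguments;
timestamps are SAML UTC strings such as 2024-01-01T12:00:00Z.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit


def _parse_ts(value):
    """Parse a SAML timestamp; a missing zone designator is treated as UTC."""
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def assertion_in_window(issue_instant, not_before, not_on_or_after, now,
                        timeoffset_seconds=60, ttl_seconds=10):
    """Return (accepted, reason) for the assertion's time conditions.

    timeoffset_seconds corresponds to com.aris.umc.saml.assertion.timeoffset
    (the tolerated IdP/SP clock difference) and ttl_seconds to
    com.aris.umc.saml.assertion.ttl (the maximum assertion lifetime). The
    combination used here is this example's assumption: the skew widens every
    boundary, and the lifetime caps the assertion's age even if the identity
    provider set a later Conditions/@NotOnOrAfter.
    """
    skew = timedelta(seconds=timeoffset_seconds)
    current = _parse_ts(now)
    issued = _parse_ts(issue_instant)
    if current < issued - skew:
        return False, "issued in the future beyond the permitted clock skew"
    if current > issued + timedelta(seconds=ttl_seconds) + skew:
        return False, "assertion older than the configured lifetime"
    if not_before is not None and current < _parse_ts(not_before) - skew:
        return False, "Conditions/@NotBefore not yet reached"
    if not_on_or_after is not None and current >= _parse_ts(not_on_or_after) + skew:
        return False, "Conditions/@NotOnOrAfter passed"
    return True, "ok"


def _normalise(url):
    """Reduce a URL to (scheme, host, port, path) so equal URLs compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)  # explicit default port
    path = parts.path.rstrip("/") or "/"                           # trailing slash is not significant
    return (scheme, (parts.hostname or "").lower(), port, path)


def sp_url_allowed(requested_url, allowed_urls_property):
    """Apply com.aris.umc.saml.service.provider.urls as an exact allowlist.

    The property is a comma-separated list. A request matches only when
    scheme, host, port and path all agree after normalisation; there is
    deliberately no prefix or substring matching, so a different host that
    merely starts with an allowed one is rejected.
    """
    allowed = {_normalise(u) for u in allowed_urls_property.split(",") if u.strip()}
    try:
        candidate = _normalise(requested_url)
    except ValueError:      # e.g. a non-numeric port in the request
        return False
    return candidate[0] in ("http", "https") and candidate in allowed


def acs_overwrite_valid(url):
    """Check a value for ...assertion.consumer.url.overwrite against the
    format the documentation requires: http(s)://hostname/umc/rest/saml/initsso."""
    try:
        parts = urlsplit(url.strip())
        _ = parts.port   # raises ValueError for an invalid port
    except ValueError:
        return False
    return (parts.scheme in ("http", "https") and bool(parts.hostname)
            and parts.path == "/umc/rest/saml/initsso"
            and not parts.query and not parts.fragment)


if __name__ == "__main__":
    allowed = "https://aris.example.com, https://aris2.example.com:8443"
    print(assertion_in_window("2024-01-01T12:00:00Z", "2024-01-01T12:00:00Z",
                              "2024-01-01T12:05:00Z", "2024-01-01T12:00:05Z"))
    print(assertion_in_window("2024-01-01T12:00:00Z", "2024-01-01T12:00:00Z",
                              "2024-01-01T12:05:00Z", "2024-01-01T12:01:30Z"))
    print(sp_url_allowed("https://aris.example.com/", allowed))
    print(sp_url_allowed("http://aris.example.com/", allowed))
    print(acs_overwrite_valid("https://aris.example.com/umc/rest/saml/initsso"))
```

The second time-window call is the case the documented example values produce in practice: with a lifetime of 10 seconds and a skew of 60 seconds, an assertion issued 90 seconds ago is rejected even though the identity provider's own NotOnOrAfter is still five minutes away, so a short `assertion.ttl` combined with a slow redirect chain shows up as intermittent login failures rather than a configuration error. The allowlist check also rejects an `http://` request for a host that is only allowed over `https://`, which is the behaviour a comma-separated URL list should have.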