Configuring Profiles for SAML
Under the Security Infrastructure (SIN), you can configure the security properties that are set during server startup. The configuration file com.softwareag.sso.pid.properties is located in the Software AG_directory/profiles/profile/configuration/com.softwareag.platform.config.propsloader directory.
The default configuration is:
com.softwareag.security.idp.keystore.keyalias=ssos
com.softwareag.security.idp.SSOassertion.lifeperiod=5
com.softwareag.security.idp.keystore.type=JKS
com.softwareag.security.idp.assertion.skew=30
com.softwareag.security.idp.truststore.location=/common/conf/platform_truststore.jks
com.softwareag.security.idp.truststore.password=manage
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
enabled=false
com.softwareag.security.idp.keystore.password=manage
com.softwareag.security.idp.truststore.keyalias=ssos
com.softwareag.security.idp.assertion.lifeperiod=300
com.softwareag.security.idp.truststore.type=JKS
Configuring truststores and keystores
The configuration allows you to specify the location of truststore and keystore files relative to the installation directory:
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
com.softwareag.security.idp.truststore.location=/common/conf/platform_truststore.jks
To use absolute paths for configuring truststore and keystore files, add these two properties to the configuration file:
com.softwareag.security.idp.keystore.location.isabsolute=true
com.softwareag.security.idp.truststore.location.isabsolute=true
Time Skew
If a SAML assertion is issued on one physical machine and validated on another, but the two machines are not synchronized with a time server, the validation phase may fail. By default, SIN allows a time skew of 30 seconds.
To modify the time skew value, use the following property:
com.softwareag.security.idp.assertion.skew=n
where n is the time in seconds.
Ehcache Configuration
SIN uses Ehcache to ensure that a single sign-on (SSO) assertion cannot be used more than one time. The default time to live of an SSO assertion in Ehcache is 120 seconds. The location of the Ehcache configuration file relative to the installation directory is defined in the SIN configuration file using this property:
com.softwareag.security.idp.ehcache.location=/ehcachesin.xml
To use an absolute path for location of the ehcachesin.xml file, add this property to the configuration file:
com.softwareag.security.idp.ehcache.location.isabsolute=true
To modify the Ehcache time-to-live value, use the following property:
com.softwareag.security.idp.ehcache.ttl=n
where n is the time in seconds.
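The following is an added example, not part of the Software AG documentation or product code, that ties the Time Skew and Ehcache sections together with the keystore/truststore path rules: it parses a constructed copy of the properties above, resolves store locations with and without the isabsolute flag, and validates assertion timestamps against skew, lifeperiod and a single-use cache with the configured ttl. The installation directory /opt/softwareag and the validation logic itself are assumptions for illustration, not SIN's implementation.

```python
# Constructed sample: the page's default SIN properties plus an ehcache.ttl
# line, with the truststore value joined onto one line as in the real file.
SIN_PROPERTIES = """\
com.softwareag.security.idp.keystore.keyalias=ssos
com.softwareag.security.idp.keystore.type=JKS
com.softwareag.security.idp.assertion.skew=30
com.softwareag.security.idp.truststore.location=/common/conf/platform_truststore.jks
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
com.softwareag.security.idp.assertion.lifeperiod=300
com.softwareag.security.idp.ehcache.ttl=120
"""
P = "com.softwareag.security.idp."


def parse_properties(text):
    """Minimal Java-style key=value parser; '#'/'!' comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_store(props, store, install_dir="/opt/softwareag"):
    """Store path: relative to install_dir (assumed value) unless <store>.location.isabsolute=true."""
    loc = props[f"{P}{store}.location"]
    if props.get(f"{P}{store}.location.isabsolute", "false").lower() == "true":
        return loc
    return install_dir.rstrip("/") + "/" + loc.lstrip("/")


class AssertionValidator:
    """Validity window (lifeperiod widened by skew) plus a single-use cache modelled on the page's Ehcache use."""
    def __init__(self, props):
        self.skew = int(props.get(f"{P}assertion.skew", "30"))
        self.lifeperiod = int(props.get(f"{P}assertion.lifeperiod", "300"))
        self.ttl = int(props.get(f"{P}ehcache.ttl", "120"))
        self.seen = {}  # assertion id -> time at which its cache entry expires

    def validate(self, assertion_id, issued_at, now):
        self.seen = {k: v for k, v in self.seen.items() if v > now}  # evict expired entries
        if issued_at > now + self.skew:
            return "rejected: issued in the future beyond skew"
        if now > issued_at + self.lifeperiod + self.skew:
            return "rejected: assertion expired"
        if assertion_id in self.seen:
            return "rejected: replay"
        self.seen[assertion_id] = now + self.ttl
        return "accepted"
```

In this model the cache entry lives only ehcache.ttl seconds while the assertion stays within its window for assertion.lifeperiod plus skew, so when you change either value, review the other one with it.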