Parameter | Specify |
Issuer Name | Name of a SAML token issuer from which Integration Server should accept and process SAML assertions. This value must match the value of the Issuer field in the SAML assertion. Integration Server will reject SAML assertions from issuers not configured on this screen and will log a message similar to the following to the Server log: 2010-06-09 23:35:38 EDT [ISS.0012.0025E] Rejecting SAML assertion from issuer "SAMPLE_STS" because issuer is not configured on the Security > SAML screen. |
Truststore Alias | A text identifier for the truststore, which contains the public keys of the SAML token issuer. Integration Server populates the Truststore Alias list with the existing truststore aliases. |
Certificate Alias | A text identifier for the certificate associated with the truststore alias. Integration Server populates the Certificate Alias list with the certificate aliases from the selected truststore alias. |
Clock Skew | Clock difference, in milliseconds, between the machine that hosts Integration Server and the SAML token issuer. Specify a non-negative number. For example, if the clock on the Integration Server machine and the issuer clock differ by 3 seconds, you could specify a skew of 3001 milliseconds. To allow for some buffer, you could specify a slightly higher skew such as 3200 or even 4000. After parsing the SAML assertion, Integration Server converts the timestamps into milliseconds and performs all validations using the millisecond values. As a result, SAML validation performed by Integration Server supports the use of different time zones for an issuer and Integration Server. When validating the NotBefore claim, Integration Server subtracts the clock skew from the NotBefore time found in the assertion (where the timestamp is now expressed in milliseconds). Then Integration Server compares the adjusted NotBefore time to the current time on the machine that hosts Integration Server to verify that the time on the Integration Server machine is lower than the adjusted NotBefore time. When validating the NotAfter claim, Integration Server subtracts the clock skew from the current time (as expressed in milliseconds). Then Integration Server compares the adjusted current time to the NotAfter time found in the assertion to ensure that the NotAfter time is greater than or equal to the adjusted current time. |
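
The issuer check and the skew arithmetic from the table, as an added example that is not Integration Server code. The function names, the trusted issuer `EXAMPLE_STS` and the timestamps are constructed, and the NotBefore comparison assumes the standard SAML meaning that an assertion is usable once the current time has reached the adjusted NotBefore time.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_millis(ts: str) -> int:
    """Convert an ISO 8601 timestamp with a UTC offset to epoch milliseconds."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    # Integer division keeps the result exact; no float rounding.
    return (dt - EPOCH) // timedelta(milliseconds=1)

def check_assertion(issuer, not_before, not_after, now, trusted_issuers, skew_ms):
    """Return 'accept' or a reject reason for one assertion (hypothetical helper)."""
    if skew_ms < 0:
        raise ValueError("clock skew must be a non-negative number")
    # Issuer Name: the Issuer field must match a configured issuer exactly.
    if issuer not in trusted_issuers:
        return "reject: issuer not configured"
    now_ms = to_millis(now)
    # NotBefore: subtract the skew from NotBefore, then compare to the local clock.
    if now_ms < to_millis(not_before) - skew_ms:
        return "reject: not yet valid"
    # NotAfter: subtract the skew from the current time; NotAfter must be
    # greater than or equal to the adjusted current time.
    if to_millis(not_after) < now_ms - skew_ms:
        return "reject: expired"
    return "accept"

# Constructed sample: the issuer stamps times in EDT (-04:00), the server clock is UTC.
TRUSTED = {"EXAMPLE_STS"}
NOT_BEFORE = "2010-06-09T23:35:40-04:00"
NOT_AFTER = "2010-06-09T23:40:40-04:00"
EARLY = "2010-06-10T03:35:37Z"   # server clock 3 s behind NotBefore
LATE = "2010-06-10T03:40:43Z"    # server clock 3 s past NotAfter

if __name__ == "__main__":
    for skew in (0, 3001, 3200):
        for now in (EARLY, LATE):
            result = check_assertion("EXAMPLE_STS", NOT_BEFORE, NOT_AFTER,
                                     now, TRUSTED, skew)
            print(f"skew={skew:>4} now={now} -> {result}")
    print(check_assertion("SAMPLE_STS", NOT_BEFORE, NOT_AFTER, EARLY, TRUSTED, 3200))
```

A larger skew widens the acceptance window at both ends, so it also lengthens the time during which an expired assertion is still accepted.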