SAMLAssertIssuerLoginModule
Use SAMLAssertIssuerLoginModule to issue a SAML 1.1 or SAML 2.0 assertion as a delegation ticket among Software AG products.
You can only use SAMLAssertIssuerLoginModule in a chain of login modules. Using this login module on its own, in a separate login context, is not possible, because the other modules in the login context perform the actual authentication of the user. When that authentication succeeds, SAMLAssertIssuerLoginModule issues a SAML assertion in which the fully qualified name of the authenticated user is part of the Subject of the AuthenticationStatement element of a SAML 1.1 assertion, or of the SubjectConfirmation element of a SAML 2.0 assertion. Optionally, the assertion also carries the user's groups (where available) in the AttributeStatement element of the SAML assertion.
The SAMLAssertIssuerLoginModule has a single parameter that you set in the JAAS configuration.
| Parameter | Description |
| --- | --- |
| forceSamlVersion | Optional. Defines which SAML assertion version to use to issue the delegation token. Valid values are 1.1 or 2.0 (default). |
The following sample excerpt shows SAMLAssertIssuerLoginModule and its configuration within a login context of a JAAS configuration file. First, InternalLoginModule authenticates the user. If the authentication is successful, SAMLAssertIssuerLoginModule issues a SAML 1.1 assertion to use as a delegation ticket.
/** Login Configuration for the SAMLAssertIssuerLoginModule. **/
SAMLIssuerRealm {
    // Internal repository login module (java based)
    com.softwareag.security.jaas.login.internal.InternalLoginModule required
        template_section=INTERNAL
        logCallback=true
        internalRepository="C:/softwareag/common/conf/users.txt"
        create_group_principal=true
        groupRepositoryPath="C:/softwareag/common/conf/groups.txt";
    // SSOS login module for SAML 1.1 signed assertion issuance
    com.softwareag.security.idp.saml.lm.SAMLAssertIssuerLoginModule sufficient
        forceSamlVersion="1.1";
};
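As an added example (not part of the Software AG documentation or product code), the following Python inspects an issued assertion and reports its version, authenticated subject and groups, following the structural differences described above: SAML 1.1 nests the Subject inside the AuthenticationStatement, SAML 2.0 carries one Subject with a SubjectConfirmation. The attribute name `groups` and the two sample assertions are constructed assumptions; signature handling is out of scope here.

```python
import xml.etree.ElementTree as ET

SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 reuses the 1.0 namespace
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUP_ATTR = "groups"  # assumed attribute name; the documentation does not state it


def summarize_assertion(xml_text):
    """Return (version, subject, groups) for a SAML 1.1 or SAML 2.0 assertion,
    reading only the parts the login module is documented to populate."""
    root = ET.fromstring(xml_text)
    ns = root.tag.split("}")[0].lstrip("{")
    if ns == SAML20:
        version = root.get("Version")
        # SAML 2.0 carries a single Subject on the assertion itself.
        subject = root.findtext(f"{{{ns}}}Subject/{{{ns}}}NameID")
        if root.find(f"{{{ns}}}Subject/{{{ns}}}SubjectConfirmation") is None:
            raise ValueError("SAML 2.0 assertion lacks a SubjectConfirmation")
        attr_name = "Name"
    elif ns == SAML11:
        version = f"{root.get('MajorVersion')}.{root.get('MinorVersion')}"
        # SAML 1.1 nests the Subject inside each statement.
        subject = root.findtext(f"{{{ns}}}AuthenticationStatement/"
                                f"{{{ns}}}Subject/{{{ns}}}NameIdentifier")
        attr_name = "AttributeName"
    else:
        raise ValueError(f"unexpected assertion namespace: {ns}")
    if not subject:
        raise ValueError("assertion names no authenticated subject")
    groups = [v.text for a in root.iter(f"{{{ns}}}Attribute")
              if a.get(attr_name) == GROUP_ATTR
              for v in a.findall(f"{{{ns}}}AttributeValue")]
    return version, subject, groups


# Constructed sample assertions (hand-written and unsigned, not module output).
SAML11_SAMPLE = f"""<Assertion xmlns="{SAML11}" MajorVersion="1" MinorVersion="1">
 <AuthenticationStatement><Subject><NameIdentifier>alice@EXAMPLE</NameIdentifier>
 </Subject></AuthenticationStatement><AttributeStatement><Attribute AttributeName="groups">
 <AttributeValue>admins</AttributeValue><AttributeValue>ops</AttributeValue></Attribute>
 </AttributeStatement></Assertion>"""
SAML20_SAMPLE = f"""<Assertion xmlns="{SAML20}" Version="2.0"><Subject><NameID>alice@EXAMPLE</NameID>
 <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject>
 <AttributeStatement><Attribute Name="groups"><AttributeValue>admins</AttributeValue>
 </Attribute></AttributeStatement></Assertion>"""
```

Running `summarize_assertion` over the SAML 1.1 sample yields `('1.1', 'alice@EXAMPLE', ['admins', 'ops'])`, which is a quick way to confirm that the chain issued the version selected by forceSamlVersion and populated the Subject as expected.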