Configuring Profiles for SAML

System Administrator Functions : My webMethods Server Configuration : Configuring My webMethods Server Single Sign-On : Configuring Profiles for SAML

Under the Security Infrastructure (SIN), you can configure the security properties that are set during server startup. The configuration file com.softwareag.sso.pid.properties is located in the Software AG_directory /profiles/profile/configuration/com.softwareag.platform. config.propsloader directory.

The default configuration is:

com.softwareag.security.idp.keystore.keyalias=ssos
com.softwareag.security.idp.SSOassertion.lifeperiod=5
com.softwareag.security.idp.keystore.type=JKS
com.softwareag.security.idp.assertion.skew=30
com.softwareag.security.idp.truststore.location=/common/conf/
platform_truststore.jks
com.softwareag.security.idp.truststore.password=manage
com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
enabled=false
com.softwareag.security.idp.keystore.password=manage
com.softwareag.security.idp.truststore.keyalias=ssos
com.softwareag.security.idp.assertion.lifeperiod=300
com.softwareag.security.idp.truststore.type=JKS

Configuring truststores and keystores

The configuration allows you to specify the location of truststore and keystore files relative to the installation directory:

com.softwareag.security.idp.keystore.location=/common/conf/keystore.jks
com.softwareag.security.idp.truststore.location=/common/conf/
platform_truststore.jks

To use absolute paths for configuring truststore and keystore files, add these two properties to the configuration file:

com.softwareag.security.idp.keystore.location.isabsolute=true
com.softwareag.security.idp.truststore.location.isabsolute=true

Time Skew

If a SAML assertion is issued on one physical machine and validated on another, but the two machines are not synchronized with a time server, the validation phase may fail. By default, SIN allows a time skew of 30 seconds.

To modify the time skew value, use the following property:

com.softwareag.security.idp.assertion.skew=n

where n is the time in seconds.

Ehcache Configuration

SIN uses Ehcache to ensure that a single sign-on (SSO) assertion cannot be used more than one time. The default time to live of an SSO assertion in Ehcache is 120 seconds. The location of the Ehcache configuration file relative to the installation directory is defined in the SIN configuration file using this property:

com.softwareag.security.idp.ehcache.location=/ehcachesin.xml

To use an absolute path for location of the ehcachesin.xml file, add this property to the configuration file:

com.softwareag.security.idp.ehcache.location.isabsolute=true

To modify the time Ehcache time-to-live value, use the following property:

com.softwareag.security.idp.ehcache.ttl=n

where n is the time in seconds.

Contact Support | Community | Feedback