Software AG Infrastructure 10.11 | Setting Up Security | Updating the Single Sign-On System for Your Product
 
Updating the Single Sign-On System for Your Product
The single sign-on (SSO) service issues and parses a signed SAML assertion that can be used as a single sign-on and delegation token. The default implementation issues SAML 2 assertions; SAML 1.1 assertions are supported as well.
The bundles required for the SSO service are available within all Common Platform profiles. The SSO service requires a dynamic configuration properties file in order to work correctly. By default, your installation contains a com.softwareag.sso.pid.properties file in the Software AG_directory/profiles/profile_name/configuration/com.softwareag.platform.config.propsloader directory.
Important:
Software AG strongly recommends changing the default keystore and truststore files in a production environment.
The following table describes the parameters for dynamic configuration of the SSO service.
com.softwareag.security.idp.keystore.location
    Location of the keystore to use. Default is @path\:sag.install.area/common/conf/keystore.jks.

com.softwareag.security.idp.keystore.password
    Optional. Password for the keystore to use. Default is manage.

com.softwareag.security.idp.keystore.type
    Optional. Type of the keystore. Valid values are PKCS7, PKCS12, or JKS (default).

com.softwareag.security.idp.keystore.keyalias
    Optional. Key alias to use for signing. Required when the service issues SAML assertions. No default.

com.softwareag.security.idp.keystore.keypassword
    Optional. Password for the private key, if it differs from the keystore password. If no value is set, the SSO service uses the keystore password.

com.softwareag.security.idp.truststore.location
    Optional. Location of the truststore to use. Default is @path\:sag.install.area/common/conf/platform_truststore.jks.

com.softwareag.security.idp.truststore.password
    Required if com.softwareag.security.idp.truststore.location is specified. Truststore password. Default is manage.

com.softwareag.security.idp.truststore.type
    Required if com.softwareag.security.idp.truststore.location is specified. Type of the truststore. Valid values are PKCS7, PKCS12, or JKS (default).

com.softwareag.security.idp.truststore.keyalias
    Truststore key alias. No default. If no value is set, the SSO service checks against all certificates in the truststore. If a value is set, the SSO service checks only against the certificate with the specified alias.

com.softwareag.security.idp.assertion.lifeperiod
    Optional. Time to live for the issued assertion (in seconds). Default is 300.
    For a detailed explanation and examples, see Configuring the Assertion Validity Interval.

com.softwareag.security.idp.SSOassertion.lifeperiod
    Optional. Time to live for the issued SSO assertion (in seconds). Default is 5.
    For a detailed explanation and examples, see Configuring the Assertion Validity Interval.

com.softwareag.security.idp.cache.ttl
    Optional. Time for which the issued assertion lives in the cache (in seconds). Default is 120.

com.softwareag.security.idp.assertion.skew
    Optional. Grace period (in seconds) added to both the beginning and the end of the assertion validity interval. Use this parameter together with com.softwareag.security.idp.assertion.lifeperiod or com.softwareag.security.idp.SSOassertion.lifeperiod for the generation and consumption of assertions. Default is 30.
    For a detailed explanation and examples, see Configuring the Assertion Validity Interval.
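The following script is an added example, not Software AG code: it reads a com.softwareag.sso.pid.properties file and checks it against the table above (shipped defaults still in effect, truststore parameters that become required once a truststore location is set, invalid store types) and computes the effective validity window of lifeperiod plus skew on both ends. The sample file it parses is constructed for the example.

```python
PREFIX = "com.softwareag.security.idp."
DEFAULTS = {  # shipped defaults from the table above; they should not survive into production
    "keystore.location": "@path\\:sag.install.area/common/conf/keystore.jks",
    "keystore.password": "manage",
    "truststore.location": "@path\\:sag.install.area/common/conf/platform_truststore.jks",
    "truststore.password": "manage",
}
STORE_TYPES = {"PKCS7", "PKCS12", "JKS"}

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' lines; '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_sso_config(props):
    """Return findings as strings; an empty list means every check passed."""
    get = lambda name: props.get(PREFIX + name)
    findings = []
    for name, default in DEFAULTS.items():
        # A missing key means the documented default is in effect.
        if (get(name) or default) == default:
            findings.append(f"{name} uses the shipped default")
    if get("truststore.location") is not None:
        for required in ("truststore.password", "truststore.type"):
            if get(required) is None:
                findings.append(f"{required} is required when truststore.location is set")
    for name in ("keystore.type", "truststore.type"):
        if get(name) is not None and get(name) not in STORE_TYPES:
            findings.append(f"{name}={get(name)} is not one of {sorted(STORE_TYPES)}")
    return findings

def validity_window(props, sso=False):
    """Seconds an assertion is accepted: lifeperiod plus the skew on both ends."""
    life_key, life_default = ("SSOassertion.lifeperiod", 5) if sso else ("assertion.lifeperiod", 300)
    life = int(props.get(PREFIX + life_key, life_default))
    skew = int(props.get(PREFIX + "assertion.skew", 30))
    return life + 2 * skew

SAMPLE = """# constructed sample, not a real installation file; two passwords were left at default
com.softwareag.security.idp.keystore.location=@path\\:/opt/sag/conf/sso-prod.jks
com.softwareag.security.idp.keystore.password=manage
com.softwareag.security.idp.keystore.keyalias=sso-signing
com.softwareag.security.idp.truststore.location=@path\\:/opt/sag/conf/prod_truststore.p12
com.softwareag.security.idp.truststore.type=PKCS12
com.softwareag.security.idp.assertion.skew=10
"""
```

Running `lint_sso_config(parse_properties(SAMPLE))` reports the default keystore password and the missing (therefore default) truststore password, which is the situation the Important note above warns about.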