IdPSAML2SSOProfileConfig
Relying Party SAML 2 SSO Profile Configuration
This profile configuration enables and configures the SAML 2 SSO profile.
Basic Configuration
This profile is configured by adding the <ProfileConfiguration xsi:type="saml:SAML2SSOProfile" /> element to a RelyingParty definition. This element supports the following basic attributes:
- includeAttributeStatement - (optional) a boolean flag indicating whether to include an attribute statement in addition to the authentication statement, defaults to true
Example SAML2 SSO Profile Configuration
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile" />
Example SAML2 SSO Profile Configuration Overriding some Defaults
<ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
signAssertions="always"
includeAttributeStatement="true"/>
Advanced Configuration
The SAML2 SSO profile configuration supports the following advanced configuration attributes:
- outboundArtifactType - Default artifact type used when sending responses via artifact, defaults to 4
- maximumSPSessionLifetime - maximum amount of time, given as an XML duration, the service provider should maintain a session for the user
- assertionLifetime - The lifetime, given as an XML duration, for issued assertions, defaults to PT5M (5 minutes)
- assertionProxyCount - A non-negative integer used to populate the
Countattribute in the assertion'sProxyRestrictionelement, defaults to 0 - includeConditionsNotBefore - (V2.4.0+) Include a
NotBeforetimestamp in the assertions' validity conditions, defaults to true - skipEndpointValidationWhenSigned - (V2.4.0+) Allows the IdP to skip the requirement for response endpoints to be registered in SP metadata if the SAML request is signed by the SP, defaults to false
- signResponses - see Configuring XML Signature and Encryption
- signAssertions - see Configuring XML Signature and Encryption
- signRequests - see Configuring XML Signature and Encryption
- encryptAssertions - see Configuring XML Signature and Encryption
- encryptNameIds - see Configuring XML Signature and Encryption
In addition, the SAML 2 SSO profile configuration element supports two child elements.
<Audience>, whose content is used to populate the<Audience>elements of <AudienceRestriction> element. This element may appear any number of times, one for each audience.<ProxyAudience>, whose content is used to populate theAudienceelements of the<ProxyRestriction>condition element. This element may appear any number of times, one for each audience.