7.17 Enabling or Disabling SAML Tags

You can enable the following SAML tags in the Administration Console:

  • Property Name: SAML2_SEND_ACS_INDEX

    Value: True

    Set the value to true to send AssertionConsumerServiceIndex with AuthnRequest.

  • Property Name: SAML2_SEND_ACS_URL

    Value: True

    Set the value to true to send AssertionConsumerServiceURL with AuthnRequest.

  • Property Name: Extensions

    Value: <samlp:Extensions><OnBehalfOf xmlns="https://idporten.difi.no/idporten-extensions">interaktor</OnBehalfOf></samlp:Extensions>

    Access Manager, acting as a SAML 2.0 service provider, will then include this SAML extension in the authentication request it sends.

To enable these, perform the following steps:

  1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Identity Provider > Options.

  2. Click New and specify Property Name and Value.

Enable or disable the following SAML Authentication Request tags by using the nidpconfig.properties file. These properties are set on the NetIQ Access Manager Identity Server when it is configured as a SAML 2.0 service provider. Restart, or wait until Access Manager refreshes the nidpconfig.properties file, for the change to take effect.

  • Property Name: SAML2_AVOID_NAMEIDPOLICY

    Description: If set to true, NameIDPolicy is not included as part of the SAML 2.0 request.

  • Property Name: SAML2_AVOID_ISPASSIVE

    Description: If set to true, IsPassive is not included as part of the SAML 2.0 request.

  • Property Name: SAML2_AVOID_CONSENT

    Description: If set to true, Consent is not included as part of the SAML 2.0 request.

  • Property Name: SAML2_AVOID_PROTOCOLBINDING

    Description: If set to true, ProtocolBinding is not included as part of the SAML 2.0 request.

  • Property Name: SAML2_AVOID_PROXYCOUNT

    Description: If set to true, ProxyCount is not included as part of the SAML 2.0 request.

  • Property Name: SAML2_SIGN_METHODDIGEST_SHA256

    Description: If set to true, the assertion is signed using the SHA256 algorithm.

  • Property Name: SAML2_ATTRIBUTE_CONSUMING_INDEX

    Description: The value is of the format {SPProviderID}->{numeric value}. {SPProviderID} is replaced by the actual provider ID of this service provider. This sets the AttributeConsumingIndex of SAML 2.0 requests to the numeric value specified here.

    For example, https://nam.rtreyresearch.net:8443/nidp/saml2/metadata->2.

  • Property Name: SAML2_AVOID_SPNAMEQUALIFIER

    Description: If set to true, SPNameQualifier is not included as part of the SAML 2.0 request.

  • Property Name: SAML2_CHANGE_ISSUER

    Description: The value is of the format {SPProviderID}->{issuer name}. {SPProviderID} is replaced by the actual provider ID of the service provider. This sets the issuer of SAML 2.0 requests to the issuer name specified here.

    For example, https://nam.rtreyresearch.net:8443/nidp/saml2/metadata->https://saml.mariagerfjord.dk:8443/nidp/saml2/metadata.

The following sample XML is produced when all of the SAML tags above are set to true and the SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX properties are not set.

Example 7-1 Sample XML File

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceIndex="2"
    ForceAuthn="false"
    ID="id5R6u1JFtay7eK.il97Q3eRl34u8"
    IssueInstant="2013-01-18T06:11:26Z"
    Version="2.0">
  <saml:Issuer> >
</samlp:AuthnRequest>

The following sample XML is produced when all of the SAML tags above are set to false and the SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX properties are set in the nidpconfig.properties file.

Example 7-2 Sample XML File

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceIndex="0"
    AttributeConsumingServiceIndex="2"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    ForceAuthn="false"
    ID="idoeZTKq7FOs5MsCigBBCwp30lqD0"
    IsPassive="false"
    IssueInstant="2013-01-23T05:25:32Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer> >
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://nam.rtreyresearch.net:8443/nidp/saml2/metadata"/>
  <samlp:Scoping ProxyCount="5"/>
</samlp:AuthnRequest>
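After editing nidpconfig.properties it is worth confirming that a captured AuthnRequest actually reflects the SAML2_AVOID_* settings, since the change only applies once Access Manager has refreshed the file. The following script is an added example, not part of the NetIQ documentation or product: it reads the SAML2_AVOID_* flags from a properties file and checks each one against the attributes and elements present in a decoded AuthnRequest; the sample properties and request it embeds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Each SAML2_AVOID_* flag and the AuthnRequest item it suppresses when true:
# a child element, or an attribute of the root, of NameIDPolicy, or of Scoping.
AVOID_FLAGS = {
    "SAML2_AVOID_NAMEIDPOLICY": ("child", "NameIDPolicy"),
    "SAML2_AVOID_ISPASSIVE": ("root", "IsPassive"),
    "SAML2_AVOID_CONSENT": ("root", "Consent"),
    "SAML2_AVOID_PROTOCOLBINDING": ("root", "ProtocolBinding"),
    "SAML2_AVOID_PROXYCOUNT": ("Scoping", "ProxyCount"),
    "SAML2_AVOID_SPNAMEQUALIFIER": ("NameIDPolicy", "SPNameQualifier"),
}

def parse_properties(text):
    """Parse key=value lines of a nidpconfig.properties file ('#' starts a comment)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_request(xml_text, props):
    """Map each flag to True when the captured request agrees with its configured value."""
    root = ET.fromstring(xml_text)
    results = {}
    for flag, (where, name) in AVOID_FLAGS.items():
        if where == "child":
            present = root.find(SAMLP + name) is not None
        else:
            holder = root if where == "root" else root.find(SAMLP + where)
            present = holder is not None and name in holder.attrib
        configured_avoid = props.get(flag, "false").strip().lower() == "true"
        results[flag] = present != configured_avoid  # ok only when they disagree
    return results

# Constructed sample: every flag set to true, yet the request still carries IsPassive,
# as happens when Access Manager has not refreshed the properties file yet.
SAMPLE_PROPS = "\n".join(f"{flag}=true" for flag in AVOID_FLAGS)
SAMPLE_REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                  'ID="id-constructed" IsPassive="false" Version="2.0"/>')

def sample_mismatches():
    """Flags whose configured value the constructed sample request does not honour."""
    results = check_request(SAMPLE_REQUEST, parse_properties(SAMPLE_PROPS))
    return sorted(flag for flag, ok in results.items() if not ok)
```

For a live check, paste the decoded AuthnRequest (for example from the SAMLRequest form field of the HTTP-POST binding) in place of SAMPLE_REQUEST and point parse_properties at the real nidpconfig.properties.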