You can enable the following SAML tags in the Administration Console:
Property Name: SAML2_SEND_ACS_INDEX
Value: True
Set the value to true to send AssertionConsumerServiceIndex with AuthnRequest.
Property Name: SAML2_SEND_ACS_URL
Value: True
Set the value to true to send AssertionConsumerServiceURL with AuthnRequest.
Property Name: Extensions
Value: <samlp:Extensions><OnBehalfOf xmlns="https://idporten.difi.no/idporten-extensions">interaktor</OnBehalfOf></samlp:Extensions>
With these properties set, Access Manager, acting as a SAML 2.0 service provider, includes the configured samlp:Extensions element in its authentication request.
To enable these, perform the following steps:
In the Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 2.0 > Identity Provider > Options.
Click New and specify Property Name and Value.
You can also enable or disable the following SAML authentication request tags in the nidpconfig.properties file. These properties apply to the NetIQ Access Manager Identity Server when it is configured as a SAML 2.0 service provider. After editing the file, restart Access Manager or wait until it refreshes nidpconfig.properties.
Property Name | Description
---|---
SAML2_AVOID_NAMEIDPOLICY | If set to true, NameIDPolicy is not included in the SAML 2.0 request.
SAML2_AVOID_ISPASSIVE | If set to true, IsPassive is not included in the SAML 2.0 request.
SAML2_AVOID_CONSENT | If set to true, Consent is not included in the SAML 2.0 request.
SAML2_AVOID_PROTOCOLBINDING | If set to true, ProtocolBinding is not included in the SAML 2.0 request.
SAML2_AVOID_PROXYCOUNT | If set to true, ProxyCount is not included in the SAML 2.0 request.
SAML2_SIGN_METHODDIGEST_SHA256 | If set to true, SHA-256 is used as the signing algorithm.
SAML2_ATTRIBUTE_CONSUMING_INDEX | The value has the format {SPProviderID}->{numeric value}, where {SPProviderID} is the actual provider ID of this service provider. This sets the AttributeConsumingServiceIndex of SAML 2.0 requests to the numeric value given. For example: https://nam.rtreyresearch.net:8443/nidp/saml2/metadata->2
SAML2_AVOID_SPNAMEQUALIFIER | If set to true, SPNameQualifier is not included in the SAML 2.0 request.
SAML2_CHANGE_ISSUER | The value has the format {SPProviderID}->{issuer name}, where {SPProviderID} is the actual provider ID of this service provider. This sets the Issuer of SAML 2.0 requests to the issuer name given. For example: https://nam.rtreyresearch.net:8443/nidp/saml2/metadata->https://saml.mariagerfjord.dk:8443/nidp/saml2/metadata
The following sample shows the authentication request produced when all the SAML2_AVOID_* properties are set to true and SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX are not set.
Example 7-1 Sample XML File
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceIndex="2"
    ForceAuthn="false"
    ID="id5R6u1JFtay7eK.il97Q3eRl34u8"
    IssueInstant="2013-01-18T06:11:26Z"
    Version="2.0">
  <saml:Issuer>...</saml:Issuer>
</samlp:AuthnRequest>
The following sample shows the authentication request produced when all the SAML2_AVOID_* properties are set to false and SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX are set in the nidpconfig.properties file.
Example 7-2 Sample XML File
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceIndex="0"
    AttributeConsumingServiceIndex="2"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
    ForceAuthn="false"
    ID="idoeZTKq7FOs5MsCigBBCwp30lqD0"
    IsPassive="false"
    IssueInstant="2013-01-23T05:25:32Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer>...</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://nam.rtreyresearch.net:8443/nidp/saml2/metadata"/>
  <samlp:Scoping ProxyCount="5"/>
</samlp:AuthnRequest>
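The following script is an added example, not NetIQ Access Manager code: it models the effect of the Administration Console properties and the nidpconfig.properties switches described above by building an AuthnRequest with xml.etree and then parsing it back to report which switch-controlled attributes and elements are present. The provider IDs, the idporten Extensions value, the ProxyCount of 5 and the persistent NameID format are taken from the examples on this page; everything else (the function names, the property dictionaries, the IssueInstant and ID generation) is assumed for illustration. The `{SPProviderID}->{value}` properties are resolved only when the left side equals this service provider's ID, and a single entry per property is assumed.

```python
"""Model of how the SAML2_* properties shape an Access Manager AuthnRequest (added example)."""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Provider ID and Extensions value from the page's examples.
SP_PROVIDER_ID = "https://nam.rtreyresearch.net:8443/nidp/saml2/metadata"
IDPORTEN_EXTENSIONS = ('<samlp:Extensions><OnBehalfOf xmlns="https://idporten.difi.no/'
                       'idporten-extensions">interaktor</OnBehalfOf></samlp:Extensions>')

# Constructed property sets matching Example 7-1 (all switches true) and Example 7-2.
AVOID_SWITCHES = ("SAML2_AVOID_NAMEIDPOLICY", "SAML2_AVOID_ISPASSIVE", "SAML2_AVOID_CONSENT",
                  "SAML2_AVOID_PROTOCOLBINDING", "SAML2_AVOID_PROXYCOUNT",
                  "SAML2_AVOID_SPNAMEQUALIFIER")
EXAMPLE_7_1_PROPS = {name: "true" for name in AVOID_SWITCHES}
EXAMPLE_7_2_PROPS = {name: "false" for name in AVOID_SWITCHES}
EXAMPLE_7_2_PROPS.update({
    "SAML2_ATTRIBUTE_CONSUMING_INDEX": SP_PROVIDER_ID + "->2",
    "SAML2_CHANGE_ISSUER": SP_PROVIDER_ID + "->https://saml.mariagerfjord.dk:8443/nidp/saml2/metadata",
})


def is_true(props, name):
    return props.get(name, "false").strip().lower() == "true"


def mapped_value(props, name, provider_id):
    """Resolve a '{SPProviderID}->{value}' property for this SP; None if unset or for another SP."""
    raw = props.get(name)
    if not raw or "->" not in raw:
        return None
    left, right = raw.split("->", 1)
    return right.strip() if left.strip() == provider_id else None


def build_authn_request(props, acs_index=None, acs_url=None, extensions_xml=None,
                        provider_id=SP_PROVIDER_ID):
    """Build the AuthnRequest the documented switches would produce; returns XML text."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest")
    req.set("ID", "id" + uuid.uuid4().hex)  # assumed ID scheme, not NAM's
    req.set("Version", "2.0")
    req.set("IssueInstant", datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    req.set("ForceAuthn", "false")
    if acs_index is not None:  # SAML2_SEND_ACS_INDEX (Administration Console)
        req.set("AssertionConsumerServiceIndex", str(acs_index))
    if acs_url:  # SAML2_SEND_ACS_URL (Administration Console)
        req.set("AssertionConsumerServiceURL", acs_url)
    attr_index = mapped_value(props, "SAML2_ATTRIBUTE_CONSUMING_INDEX", provider_id)
    if attr_index is not None:
        req.set("AttributeConsumingServiceIndex", attr_index)
    if not is_true(props, "SAML2_AVOID_ISPASSIVE"):
        req.set("IsPassive", "false")
    if not is_true(props, "SAML2_AVOID_CONSENT"):
        req.set("Consent", "urn:oasis:names:tc:SAML:2.0:consent:unavailable")
    if not is_true(props, "SAML2_AVOID_PROTOCOLBINDING"):
        req.set("ProtocolBinding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")
    # Issuer defaults to this SP's provider ID; SAML2_CHANGE_ISSUER overrides it.
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = mapped_value(props, "SAML2_CHANGE_ISSUER", provider_id) or provider_id
    if extensions_xml:  # Extensions property; schema order places it right after Issuer
        wrapped = ET.fromstring(f'<r xmlns:samlp="{SAMLP}">{extensions_xml}</r>')
        req.append(wrapped[0])
    if not is_true(props, "SAML2_AVOID_NAMEIDPOLICY"):
        policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", AllowCreate="true",
                               Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
        if not is_true(props, "SAML2_AVOID_SPNAMEQUALIFIER"):
            policy.set("SPNameQualifier", provider_id)
    if not is_true(props, "SAML2_AVOID_PROXYCOUNT"):
        ET.SubElement(req, f"{{{SAMLP}}}Scoping", ProxyCount="5")
    return ET.tostring(req, encoding="unicode")


def optional_parts(xml_text):
    """Parse a serialized AuthnRequest and report which switch-controlled parts it carries."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    scoping = root.find(f"{{{SAMLP}}}Scoping")
    return {
        "Issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "AssertionConsumerServiceIndex": root.get("AssertionConsumerServiceIndex"),
        "AttributeConsumingServiceIndex": root.get("AttributeConsumingServiceIndex"),
        "IsPassive": root.get("IsPassive"),
        "Consent": root.get("Consent"),
        "ProtocolBinding": root.get("ProtocolBinding"),
        "NameIDPolicy": policy is not None,
        "SPNameQualifier": None if policy is None else policy.get("SPNameQualifier"),
        "ProxyCount": None if scoping is None else scoping.get("ProxyCount"),
        "Extensions": root.find(f"{{{SAMLP}}}Extensions") is not None,
    }


if __name__ == "__main__":
    for label, props, idx in (("Example 7-1", EXAMPLE_7_1_PROPS, 2),
                              ("Example 7-2", EXAMPLE_7_2_PROPS, 0)):
        xml_text = build_authn_request(props, acs_index=idx)
        print(label, optional_parts(xml_text), xml_text, sep="\n")
```

Run `optional_parts` against a request captured from the real Identity Server (for example from the SAML trace in the browser) to confirm that a switch you set in nidpconfig.properties actually took effect after the refresh. Two of the properties deserve care: SAML2_CHANGE_ISSUER makes the service provider name a different entity in Issuer, and the identity provider will resolve that Issuer to its registered metadata and signing key, so the request is only accepted if that entity is trusted there; and SAML2_SIGN_METHODDIGEST_SHA256 is the one switch on this page with a direct security consequence, since it moves the request signature off SHA-1.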