You can enable the following SAML tags in the Administration Console:
Property Name: SAML2_SEND_ACS_INDEX
Value: True
Set the value to true to send AssertionConsumerServiceIndex with AuthnRequest.
Property Name: SAML2_SEND_ACS_URL
Value: True
Set the value to true to send AssertionConsumerServiceURL with AuthnRequest.
Property Name: Extensions
Value: <samlp:Extensions><OnBehalfOf xmlns="https://idporten.difi.no/idporten-extensions">interaktor</OnBehalfOf></samlp:Extensions>
After setting this value, Access Manager acting as a SAML 2.0 service provider makes an OnBehalfOf authentication request by using SAML extensions.
Property Name: SAML_ASSERTION_INCLUDE_MILLISECS
Value: true
Set the value to true so that SAML responses and requests carry a millisecond-precision timestamp in IssueInstant.
Property Name: SAML2_NAMEID_ATTRIBUTE_NAME
Value: LDAP attribute name
Set the value to the name of an LDAP attribute to send the SAML response with that attribute's value as the NameIdentifier.
Property Name: SAML2_AVOID_AUDIENCE_RESTRICTION
Value: True/False
Set the value to true to omit the AudienceRestriction information from the assertion.
To enable these, perform the following steps:
In the Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 2.0.
Based on whether the tag is for a service provider or an identity provider, select Service Provider or Identity Provider and then select Options.
Click New and specify Property Name and Value.
Enable or disable the following SAML Authentication Request tags by using the nidpconfig.properties file. These properties apply to the NetIQ Access Manager Identity Server when it is configured as a SAML 2.0 service provider. After editing the file, restart the Identity Server or wait until Access Manager refreshes the nidpconfig.properties file.
Property Name | Description
---|---
SAML2_AVOID_NAMEIDPOLICY | If set to true, NameIDPolicy is not included in the SAML 2.0 request.
SAML2_AVOID_ISPASSIVE | If set to true, IsPassive is not included in the SAML 2.0 request.
SAML2_AVOID_CONSENT | If set to true, Consent is not included in the SAML 2.0 request.
SAML2_AVOID_PROTOCOLBINDING | If set to true, ProtocolBinding is not included in the SAML 2.0 request.
SAML2_AVOID_PROXYCOUNT | If set to true, ProxyCount is not included in the SAML 2.0 request.
SAML2_SIGN_METHODDIGEST_SHA256 | If set to true, the assertion is signed with the SHA256 algorithm.
SAML2_ATTRIBUTE_CONSUMING_INDEX | The value has the format {SPProviderID}->{numeric value}, where {SPProviderID} is replaced by the actual provider ID of this service provider. This sets the AttributeConsumingServiceIndex of SAML 2.0 requests to the numeric value specified here. For example: https://nam.rtreyresearch.net:8443/nidp/saml2/metadata->2
SAML2_AVOID_SPNAMEQUALIFIER | If set to true, SPNameQualifier is not included in the SAML 2.0 request.
SAML2_CHANGE_ISSUER | The value has the format {SPProviderID}->{issuer name}, where {SPProviderID} is replaced by the actual provider ID of the service provider. This sets the Issuer of SAML 2.0 requests to the issuer name specified here. For example: https://nam.rtreyresearch.net:8443/nidp/saml2/metadata->https://saml.mariagerfjord.dk:8443/nidp/saml2/metadata
SAML2_AVOID_SPNAMEQUALIFIER_TO | Set the value to true to send SPNameQualifier in the NameIdentifier with the assertion. You can set this key in the nidpconfig.properties file as a comma-separated list of per-provider entries in the following format: https://<host>:<port>/nidp/saml2/metadata ->true,https://<host>:<port>/nidp/saml2/metadata/spnameidentifier ->false,https://<host>:<port>/nidp/saml2/metadata/spnameidentifier ->true
The following sample AuthnRequest is generated when all the SAML tags are set to true and the SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX tags are not set.
Example 7-1 Sample XML File

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceIndex="2" ForceAuthn="false"
    ID="id5R6u1JFtay7eK.il97Q3eRl34u8" IssueInstant="2013-01-18T06:11:26Z" Version="2.0">
  <saml:Issuer><!-- issuer value not shown in the source --></saml:Issuer>
</samlp:AuthnRequest>
```
The following sample AuthnRequest is generated when all the SAML tags are set to false and the SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX properties are set in the nidpconfig.properties file.
Example 7-2 Sample XML File

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceIndex="0" AttributeConsumingServiceIndex="2"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable" ForceAuthn="false"
    ID="idoeZTKq7FOs5MsCigBBCwp30lqD0" IsPassive="false" IssueInstant="2013-01-23T05:25:32Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml:Issuer><!-- issuer value not shown in the source --></saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://nam.rtreyresearch.net:8443/nidp/saml2/metadata"/>
  <samlp:Scoping ProxyCount="5"/>
</samlp:AuthnRequest>
```
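As an added example (not NetIQ code), the following script parses the {SPProviderID}->{value} property format from the table above and checks a captured AuthnRequest against the configured SAML2_AVOID_*, SAML2_CHANGE_ISSUER and SAML2_ATTRIBUTE_CONSUMING_INDEX values, which is useful for confirming a configuration change took effect after the properties file was refreshed. The provider IDs, property values and request in the block are constructed for illustration and are not taken from the page.

```python
import xml.etree.ElementTree as ET
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Optional AuthnRequest parts and the SAML2_AVOID_* property that suppresses each.
AVOID = {"SAML2_AVOID_NAMEIDPOLICY": ("element", SAMLP + "NameIDPolicy"),
         "SAML2_AVOID_ISPASSIVE": ("attr", "IsPassive"),
         "SAML2_AVOID_CONSENT": ("attr", "Consent"),
         "SAML2_AVOID_PROTOCOLBINDING": ("attr", "ProtocolBinding"),
         "SAML2_AVOID_PROXYCOUNT": ("scoping", "ProxyCount")}

def parse_mapping(value):
    """Parse the '{SPProviderID}->{value},...' format used by SAML2_CHANGE_ISSUER,
    SAML2_ATTRIBUTE_CONSUMING_INDEX and SAML2_AVOID_SPNAMEQUALIFIER_TO."""
    pairs = (e.partition("->") for e in value.split(",") if "->" in e)
    return {sp.strip(): val.strip() for sp, _, val in pairs}

def check_request(xml_text, props, sp_id):
    """Return findings where the AuthnRequest disagrees with the properties."""
    root = ET.fromstring(xml_text)
    scoping = root.find(SAMLP + "Scoping")
    findings = []
    for prop, (kind, name) in AVOID.items():
        avoid = props.get(prop, "false").lower() == "true"
        if kind == "element":
            present = root.find(name) is not None
        elif kind == "attr":
            present = name in root.attrib
        else:  # ProxyCount is an attribute of the Scoping child element
            present = scoping is not None and name in scoping.attrib
        if present == avoid:  # suppressed but sent, or allowed but missing
            findings.append(f"{name}: present={present} but {prop}={avoid}")
    # SAML2_CHANGE_ISSUER overrides the Issuer for this SP; default is its own ID.
    expected = parse_mapping(props.get("SAML2_CHANGE_ISSUER", "")).get(sp_id, sp_id)
    issuer = root.findtext(SAML + "Issuer", default="").strip()
    if issuer != expected:
        findings.append(f"Issuer: expected {expected}, got {issuer}")
    idx = parse_mapping(props.get("SAML2_ATTRIBUTE_CONSUMING_INDEX", "")).get(sp_id)
    if idx is not None and root.get("AttributeConsumingServiceIndex") != idx:
        findings.append("AttributeConsumingServiceIndex does not match property")
    return findings

# Constructed sample configuration and request (hypothetical hosts, not from the page).
SP_ID = "https://nam.example.test:8443/nidp/saml2/metadata"
PROPS = {"SAML2_AVOID_CONSENT": "true", "SAML2_AVOID_PROXYCOUNT": "true",
         "SAML2_CHANGE_ISSUER": SP_ID + "->https://idp-facing.example.test/metadata",
         "SAML2_ATTRIBUTE_CONSUMING_INDEX": SP_ID + "->2"}
REQUEST = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" '
           'IssueInstant="2013-01-23T05:25:32Z" IsPassive="false" '
           'AttributeConsumingServiceIndex="2" ProtocolBinding="urn:oasis:names:tc:'
           'SAML:2.0:bindings:HTTP-POST"><saml:Issuer>https://idp-facing.example.test'
           '/metadata</saml:Issuer><samlp:NameIDPolicy AllowCreate="true"/>'
           '<samlp:Scoping ProxyCount="5"/></samlp:AuthnRequest>')
```

Running check_request(REQUEST, PROPS, SP_ID) reports only the ProxyCount that was sent despite SAML2_AVOID_PROXYCOUNT=true; with an empty property set it instead flags the missing Consent and the overridden Issuer.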