SSO parameters

Here is the description of each parameter and their possible values:

Metadata

Metadata for the identity provider

To authenticate users with SAML, iObeya needs to know the Identity Provider it should use and the features it supports. This information is provided in the IdP metadata.

Values:

Upload the IdP metadata file, or set a URI limited to the following schemes:

  • http://

  • file:///

Metadata for iObeya (SP)

iObeya metadata.

Values:

Upload the iObeya metadata file, or generate it.

Entity ID of iObeya

The entity ID of iObeya to be used for iObeya metadata generation, or to retrieve data from uploaded metadata.

Values:

  • For metadata generation, default value is the URL where iObeya metadata will be available, that is <SERVER_URL>/saml/metadata.

  • For uploaded metadata, this can be empty or undefined, if there is only one entity ID in the metadata file.
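As an added example (not part of the iObeya documentation or product), the following Python script inspects a SAML metadata file: it lists the entity IDs, so you can tell whether the Entity ID parameter must be set, and computes the SHA-256 fingerprint of each signing certificate, which is what the metaiop security profile described below trusts. All URLs, names and certificate bytes in it are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace URIs of SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for DER certificate bytes (not a real X.509 certificate).
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed metadata file holding two entity descriptors.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://iobeya.example.test/saml/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.test/saml/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate, in keytool's AA:BB:... form."""
    der = base64.b64decode("".join(cert_b64.split()))  # PEM-style line breaks are fine
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_metadata(xml_text: str) -> dict:
    """List entity IDs and signing-certificate fingerprints found in a metadata file."""
    root = ET.fromstring(xml_text)
    # A file is either an EntitiesDescriptor wrapper or a single EntityDescriptor.
    descriptors = root.findall(".//md:EntityDescriptor", NS) or [root]
    fingerprints = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                fingerprints.append(fingerprint(cert.text))
    entity_ids = [d.get("entityID") for d in descriptors]
    return {"entity_ids": entity_ids,
            "entity_id_required": len(entity_ids) > 1,  # ambiguous: must be set
            "signing_fingerprints": fingerprints}
```

Compare the printed fingerprints with the ones the IdP administrator publishes before trusting a metadata file fetched over http://.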

Keystore

Keystore file

Keystore file containing the necessary keys.

Values:

The keystore should be generated with Keytool which is part of the Java standard distribution.

Note:

  • Use a Keytool version compatible with the JDK version used to deploy iObeya.

  • See Technical requirements to know which JDK version you are using.

Here are example usages of keytool for key generation and certificate extraction:

  • Generate key mycompany.com in keystore keystore.jks

    keytool -genkey -keystore keystore.jks -alias mycompany.com -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 1095

    Note:

    validity = period before expiration in days

  • Extract the X509 certificate of key mycompany.com from keystore keystore.jks

    keytool -export -keystore keystore.jks -alias mycompany.com -file mycompany.com.cert -rfc

  • Optionally reimport the certificate signed by a certification authority (use the same alias as the private key)

    keytool -import -keystore keystore.jks -alias mycompany.com -file mycompany.com.signed.cert

Password of the keystore

Password of the keystore itself.

Values:

Any string

Passwords for the keys in the keystore

Passwords for the keys in the keystore.

Values:

JSON-formatted object, where keys are the key names and values are the passwords as strings.

Example:

{"mycompany.com":"iobeya123",
"signing.mycompany.com":"iobeya456"}

Name of the default key

Name of the default key to use when a specific key has not been defined for a particular task (signing, encryption, tls/ssl). Private and public keys must be present in the keystore at keystorePath.

Values:

The name of a key present in the keystore.

Authentication Attributes

idpAuthAttributeName

The name of the attribute that is returned by the Identity Provider to be used as an identifier to authenticate the user in iObeya. It will be mapped to the iobeyaAuthAttributeName property.

Values:

Any string.

Name of iObeya user authentication attribute

Name of the iObeya user attribute whose value must match the value of the IdP attribute named by idpAuthAttributeName.

Values:

  • email

  • Username

Allow account creation

If necessary, create an iObeya account when a user connects via SAML.

Values:

Boolean

Additional Settings

Logout method

Allows the choice of the logout action in iObeya.

Values:

  • Local

    • When a user logs out from iObeya, she stays connected to the IdP, but is disconnected from iObeya.

  • Global

    • When a user logs out from iObeya, the IdP will be asked to perform a single logout (IdP tries to contact all connected SPs to disconnect them).

  • Custom

    • When a user logs out from iObeya, she is redirected to a custom URL, for example, the logout URL of the IdP.

Security profile

Security profile for verification of message signatures.

Values:

  • metaiop

    • SAMLv2 Metadata Interoperability Profile.

    • Uses cryptographic data from the metadata document of the entity in question. No checks for validity or revocation of certificates are done in this mode. All keys must be known in advance.

  • pkix

    • Signatures are deemed as trusted when credentials can be verified using PKIX with trusted keys of the peer configured as trusted anchors.

SSL security profile

Security profile for verification of SSL/TLS endpoint trust.

Values:

  • Same as sslSecurity:

    • metaiop

    • pkix

SSL Hostname Verification

Hostname verifier to use for verification of SSL connections.

Values:

  • default

    • org.apache.commons.ssl.HostnameVerifier.DEFAULT

  • defaultAndLocalhost

    • org.apache.commons.ssl.HostnameVerifier.DEFAULT_AND_LOCALHOST

  • strict

    • org.apache.commons.ssl.HostnameVerifier.STRICT

  • allowAll

    • org.apache.commons.ssl.HostnameVerifier.ALLOW_ALL, does not perform any validation.

Signing Algorithm

Signing Algorithm

URI identifying the algorithm variant to use for signing. This will only be taken into account to select the hash function (sha256, sha512, …), given that the algorithm is already specified by the signing key (attributes defaultKey/signingKey).

Values:

Digest Method for signature reference

URI identifying the digest algorithm to be applied to the signed object.

Values:

Signing Key

Name of the key to use for signing.

Private and public keys must be present in the keystore at keystorePath.

Values:

The name of a key present in the keystore.

Encryption key

Name of the key to use for encrypting.

Private and public keys must be present in the keystore at keystorePath.

Values:

The name of a key present in the keystore.

TLS Key

Alias of the private key used for SSL/TLS client authentication.

No client authentication is used when the value is not specified.

Private and public keys must be present in the keystore at keystorePath.

Values:

The name of a key present in the keystore.

Trusted keys

Keys included as trusted anchors during PKIX evaluation. Keys are only used with PKIX security profile.

Values:

Comma separated list of key names from the keystore (@keystorePath).

Max authentication age

Maximum age of the authentication. The user needs to authenticate again if this time has elapsed since the last authentication.

Values:

Time in seconds. The IdP configuration can override this value.
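Added example, not iObeya code: how a service provider applies this parameter to a received assertion. It reads AuthnInstant (the moment the IdP actually authenticated the user, which can be much earlier than the assertion's IssueInstant when the user already had an IdP session) from a constructed assertion and compares it with the maximum age in seconds; URLs and identifiers are made up.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment; only the AuthnStatement matters for this check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:30:00Z"
      SessionIndex="constructed-session"/>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T09:30:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def authn_instant(assertion_xml: str) -> datetime:
    """AuthnInstant: when the IdP authenticated the user, which may be well before
    IssueInstant if the IdP merely reused an existing session."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        raise ValueError("assertion carries no AuthnStatement/AuthnInstant")
    return parse_instant(stmt.get("AuthnInstant"))


def authentication_too_old(assertion_xml: str, max_age_s: int, now: datetime) -> bool:
    """True when the authentication is older than the configured maximum age. The SP
    must then reject the assertion and send the user back to the IdP to log in again
    (typically with ForceAuthn) instead of accepting the stale IdP session."""
    return now - authn_instant(assertion_xml) > timedelta(seconds=max_age_s)
```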

Scoping inclusion

When true, include scoping (should be false when using Microsoft ADFS or Azure AD as IdP).

Values:

boolean

Enable SAML 2.0 ECP profile

Enables support for the SAML 2.0 ECP profile.

Values:

boolean

Support for unsolicited response

Enables support for unsolicited responses (IdP-initiated SSO).

Values:

boolean

Metadata signature

When true, sign the metadata (XML Signature with the certificate corresponding to signingKey).

Values:

boolean

Requirement of signature for logout requests

When true, only accept signed logout requests from IdP.

Values:

boolean

Sign logout requests sent to IdP

When true, sign logout requests sent to IdP.

Values:

boolean

Requirement of signature for logout responses

When true, require the IdP to sign logout responses.

Values:

boolean

Signature of logout responses

When true, sign logout responses sent to the IdP.

Values:

boolean

Warning:

When updating from version 3.4.4 or below to version 3.5 or above, the default values for the signing algorithm and the signature reference digest method have been changed from SHA-1 to SHA-256 due to security concerns.

In case of incompatibility, we suggest updating IdP hash methods, but it is still possible to set values explicitly to SHA-1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1) in attributes signingAlgorithm and signatureReferenceDigestMethod.
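Added example (not part of the documentation or the product) for checking which algorithms an IdP actually uses before deciding whether to keep SHA-1: run it over the ds:Signature element of a SAML response (visible in the debug logs described under Troubleshooting) and it reports any remaining SHA-1 use. The SHA-1 URIs are the legacy values above; the SHA-256 URIs are the standard XML Signature identifiers, assumed here to be what the new defaults correspond to; the signature element is constructed.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Standard XML Signature algorithm identifiers. The SHA-1 ones are the legacy
# values named in the warning; the SHA-256 ones are the standard identifiers,
# assumed here to be what the 3.5 defaults map to.
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA1_ALGORITHMS = {RSA_SHA1, DIGEST_SHA1}

# Constructed ds:Signature element as an IdP still signing with SHA-1 emits it
# (digest and signature values are placeholders, not valid signatures).
SAMPLE_SIGNATURE = f"""<ds:Signature xmlns:ds="{DS_NS}">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
    <ds:Reference URI="#_constructed-id">
      <ds:DigestMethod Algorithm="{DIGEST_SHA1}"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
</ds:Signature>"""


def signature_algorithms(xml_text: str) -> dict:
    """Collect the SignatureMethod and Reference DigestMethod URIs of a signed document."""
    root = ET.fromstring(xml_text)
    ns = {"ds": DS_NS}
    method = root.find(".//ds:SignatureMethod", ns)
    return {"signature": method.get("Algorithm") if method is not None else None,
            "digests": [d.get("Algorithm") for d in root.findall(".//ds:DigestMethod", ns)]}


def sha1_findings(xml_text: str) -> list:
    """Every SHA-1 algorithm still in use; an empty list means the document already
    matches the SHA-256 defaults and needs no explicit signingAlgorithm override."""
    algs = signature_algorithms(xml_text)
    return [a for a in [algs["signature"], *algs["digests"]] if a in SHA1_ALGORITHMS]
```

Note that rewriting the algorithm URIs in a captured message does not make it verify; the IdP itself must be reconfigured to re-sign with SHA-256.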

Troubleshooting

In the case of configuration problems, it can be helpful to enable the debug logs related to SAML in the log4j configuration file.

<logger name="org.opensaml">
  <level value="DEBUG"/>
</logger>
<logger name="org.springframework.security.saml">
  <level value="DEBUG"/>
</logger>
<logger name="com.iobeya.security.web.authentication.saml">
  <level value="DEBUG"/>
</logger>

<root>
...
  <appender-ref ref="debugfile"/>
</root>

