Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
A SAML External Identity Provider authenticates users and retrieves profile attributes using a SAML Identity Provider.
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage
The SAML External Identity Provider component inherits from the External Identity Provider
The following components have a direct composition relation from SAML External Identity Providers:
The following components have a direct aggregation relation from SAML External Identity Providers:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ clock-skew-grace-period |
| ↓ enabled | |
| ↓ icon-uri | |
| ↓ hostname-verification-method | |
| ↓ key-manager-provider | |
| ↓ trust-manager-provider | |
| ↓ sso-url | |
| ↓ local-entity-id | |
| ↓ remote-entity-id | |
| ↓ signature-validation-certificate | |
| ↓ signing-key-pair | |
| ↓ signing-algorithm | |
| ↓ decryption-key-pair |
| Description | A description for this External Identity Provider |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the External Identity Provider is enabled. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The icon URI for this External Identity Provider. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https }, or a relative URL |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The mechanism for checking if the identity provider's hostname matches the name(s) stored inside the server's X.509 certificate. This is only applicable if SSL is being used for connection security. |
| Default Value | strict |
| Allowed Values | allow-all - This mechanism turns hostname verification off. strict - This mechanism works the same way as the Java Runtime Environment. It is also compliant with RFC 2818 for dealing with wildcards. The hostname must match any of the Subject Alternative Names or the first CN. A wildcard can occur in the CN, and in any of the Subject Alternative Names. A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com". |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The SAML External Identity Provider must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The key manager provider to use if SSL (HTTPS) is to be used for connection-level security. When specifying a value for this property (except when using the Null key manager provider) you must ensure that the external server trusts this server's public certificate by adding this server's public certificate to the external server's trust store. |
| Default Value | The Java Runtime Environment's default key manager will be used |
| Allowed Values | The DN of any Key Manager Provider. The associated key manager provider must exist and must be enabled if SSL is to be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The SAML External Identity Provider must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The trust manager provider to use if SSL (HTTPS) is to be used for connection-level security. |
| Default Value | The Java Runtime Environment's default trust manager will be used |
| Allowed Values | The DN of any Trust Manager Provider. The associated trust manager provider must exist and must be enabled if SSL is to be used. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The SAML External Identity Provider must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
| Description | The URL of the SAML Identity Provider Single Sign-On Service. |
| Default Value | None |
| Allowed Values | An absolute URL with one of the following schemes: { http, https } |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The local entity ID used to populate the issuer field of outgoing SAML messages. This value should be configured as the Service Provider Entity ID at the SAML Identity Provider. |
| Default Value | https://unboundid-broker |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | The entity ID of the SAML Identity Provider. The remote entity ID value must match the issuer field of SAML messages received, and must also match the sourceID of SAML Artifacts received. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
signature-validation-certificate
| Description | One or more PEM-encoded trusted Identity Provider certificate used to validate incoming signed SAML messages and assertions. If this property is specified, then either the entire incoming message must be signed, or each contained assertion must be signed. The value of this property should be the PEM-encoded representation of the certificate used to validate incoming signed SAML messages and assertions, including the "-----BEGIN CERTIFICATE-----" header and the "-----END CERTIFICATE" footer. If the signature validation certificate needs to be updated, then it may be temporarily necessary for this property to have information about the old and new certificates. That can be accomplished by including information about both certificates in the same file, each with their own begin and end headers and footers. An attempt is made to validate the signature using each certificate until one of them is successful or they have all failed. Blank lines, and lines that start with the octothorpe character (#) will be ignored. |
| Default Value | There are no signature validation certificates, so incoming SAML messages and assertions are not required to be signed. |
| Allowed Values | application/x-x509-server-cert |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The key pair to use to sign outgoing SAML messages. The public key certificate from this key pair must be configured in the SAML Identity Provider. |
| Default Value | There is no signing key pair, so outgoing SAML messages are not signed. |
| Allowed Values | The DN of any Key Pair. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The signing algorithm to use when signing outgoing SAML messages. |
| Default Value | RSA-SHA512 |
| Allowed Values | RSA-SHA1 - RSA with SHA1. RSA-SHA256 - RSA with SHA256. RSA-SHA384 - RSA with SHA384. RSA-SHA512 - RSA with SHA512. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The key pairs to use to decipher encrypted elements in incoming SAML messages. The SAML Identity Provider must be configured to encrypt with one of the public keys from this set of keys. The private keys from these key pairs are used to decipher an encrypted key which the message sender used to encrypt the SAML element. |
| Default Value | There are no decryption key pairs, so incoming messages must not be encrypted. |
| Allowed Values | The DN of any Key Pair. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
clock-skew-grace-period (Advanced Property)
| Description | Specifies the amount of time to subtract from NotBefore conditions, or to add to NotOnOrAfter conditions, to allow for any time difference between this server's clock and the Identity Provider's clock. This setting can be adjusted to prevent spurious "not yet valid" and "no longer valid" errors. |
| Default Value | 5 s |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured External Identity Providers:
dsconfig list-external-identity-providers
[--property {propertyName}] ...
To view the configuration for an existing External Identity Provider:
dsconfig get-external-identity-provider-prop
--provider-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing External Identity Provider:
dsconfig set-external-identity-provider-prop
--provider-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new SAML External Identity Provider:
dsconfig create-external-identity-provider
--provider-name {name}
--type saml
--set enabled:{propertyValue}
--set sso-url:{propertyValue}
--set remote-entity-id:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing External Identity Provider:
dsconfig delete-external-identity-provider
--provider-name {name}