SAML Properties
SAML Assertion
Overview
The saml.properties configuration file controls how CONNECT issues and validates SAML assertions. All properties are pre-populated when CONNECT is deployed. Adopters can edit property values as needed but should not set a value to null or delete a property altogether.
Parameters table
The table below lists the saml.properties settings and their usage in CONNECT, with a brief description of each property and the details an adopter needs when changing it.
Property Name | Brief Description | Usage Detail |
---|---|---|
org.apache.ws.security.saml.issuerClass | The SAML Issuer implementation. | Pre-configured value: gov.hhs.fha.nhinc.saml.SAMLIssuerImpl |
org.apache.ws.security.saml.issuer.cryptoProp.file | The crypto properties file corresponding to the issuer crypto instance, if the assertion is to be signed. | Pre-configured value: signature.properties |
org.apache.ws.security.saml.issuer.sendKeyValue | Whether to send the key value or the X509Certificate. | Pre-configured value: true |
org.apache.ws.security.saml.issuer.signAssertion | Whether the SAMLIssuer implementation signs the assertion | Pre-configured value: true. Leave enabled: a responder cannot verify the origin or integrity of an unsigned assertion. |
org.apache.ws.security.saml.confirmationMethod | The subject confirmation method; keyHolder selects holder-of-key subject confirmation | Pre-configured value: keyHolder |
org.apache.ws.security.saml.callback | The name of the SAML CallbackHandler implementation used to populate the SAML Assertion. | Pre-configured value: gov.hhs.fha.nhinc.callback.cxf.CXFSAMLCallbackHandler |
org.apache.ws.security.saml.issuer.key.name | The KeyStore alias for the issuer key | |
org.apache.ws.security.saml.issuer.key.password | The KeyStore password for the issuer key | |
allowNoSubjectAssertion | Whether the responder accepts assertions that have no Subject (true) or rejects them (false) | Required: this property needs a value for stable SAML behavior. Acceptable values: true, false. Pre-configured value: true. System usage: the evidence assertion in the SAML header requires a Subject element; CXF validates this and correctly rejects any request that lacks it, whereas older (Metro-based) CONNECT releases did not perform this validation and sent evidence assertions without a Subject. "allowNoSubjectAssertion" is the new name of the old gateway.properties property (relaxSAMLAssertion, also referred to as relaxSAMLValidation), which was renamed as part of this fix. The CONNECTSamlAssertionValidator class reads allowNoSubjectAssertion from gateway.properties and applies it while validating the assertion against the schemas and profiles, allowing assertions with no Subject when it is true. This relaxation is only needed to interoperate with previous CONNECT gateways and releases; set it to false once every partner gateway sends a Subject, because an assertion without a Subject does not bind its claims to any principal. |
validateSAMLAttributes | Validates that the expected SAML attributes are present when an assertion is processed on the responder side | Not required. Acceptable values: true, false. Pre-configured value: false (also the behavior when the property is absent). |
enableConditionsDefaultValue | Whether to add default NotBefore and NotOnOrAfter values to the SAML Conditions element. Default property value is true. Disable only for testing: incorrectly set SAML conditions (a window that does not bracket the responder's clock) cause validation errors. | Acceptable values: true, false. Pre-configured value: true. This property was moved to saml.properties in release 5.3. |
saml.signatureAlgorithms | Signature algorithms supported for signing requests | Not required; defaults to SHA-256. Acceptable values: see the org.opensaml.xmlsec.signature.support.SignatureConstants enumeration. Pre-configured value: commented out. Keep deprecated SHA-1 variants out of this list unless a specific partner still requires them. See Configuring Security Hash Algorithm (SHA) versions for more information. |
saml.digestAlgorithms | Digest algorithms supported for signing requests | Not required. Acceptable values: see the org.opensaml.xmlsec.signature.support.SignatureConstants enumeration. Pre-configured value: commented out. See Configuring Security Hash Algorithm (SHA) versions for more information. |
saml.defaultSignatureAlgorithm | Default signature algorithm used when CONNECT signs SAML assertions | Not required. Acceptable values: see the org.opensaml.xmlsec.signature.support.SignatureConstants enumeration; must be one of the values listed in saml.signatureAlgorithms. Pre-configured value: commented out. See Configuring Security Hash Algorithm (SHA) versions for more information. |
saml.defaultDigestAlgorithm | Default digest algorithm used when CONNECT signs SAML assertions | Not required. Acceptable values: see the org.opensaml.xmlsec.signature.support.SignatureConstants enumeration; must be one of the values listed in saml.digestAlgorithms. Pre-configured value: commented out. See Configuring Security Hash Algorithm (SHA) versions for more information. |
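The following is an added example, not CONNECT's own code, showing what the allowNoSubjectAssertion, enableConditionsDefaultValue and saml.signatureAlgorithms rows above change at runtime. It parses two constructed saml.properties fragments (a relaxed profile for legacy interoperability and a strict one), issues a structurally valid SAML 2.0 assertion under each, and validates it with the checks those properties control. The assertion builder, the 5-minute/30-minute default Conditions window, the sample principal and issuer names, and the reading of saml.signatureAlgorithms as the set of algorithms a responder will accept are all assumptions of this example; CONNECT's CXF/WSS4J code paths are not reproduced.

```python
"""Added example (not CONNECT code): issuer/validator pair driven by the
saml.properties settings documented above.  All sample values are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed saml.properties fragments: relaxed settings for talking to legacy
# gateways, and a strict profile for partners that all send a Subject and use SHA-256.
RELAXED_PROPS = """
allowNoSubjectAssertion=true
enableConditionsDefaultValue=true
saml.signatureAlgorithms=http://www.w3.org/2000/09/xmldsig#rsa-sha1,http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
"""
STRICT_PROPS = """
allowNoSubjectAssertion=false
enableConditionsDefaultValue=true
saml.signatureAlgorithms=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
saml.defaultSignatureAlgorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
"""


def load_properties(text):
    """Parse Java .properties lines (key=value, '#'/'!' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_assertion(props, now, with_subject=True, signature_alg=None):
    """Issuer side: build a SAML 2.0 assertion as XML text.  With
    enableConditionsDefaultValue=true a NotBefore/NotOnOrAfter window is added;
    the 5-minute backdating and 30-minute lifetime are assumed values."""
    alg = signature_alg or props.get("saml.defaultSignatureAlgorithm", RSA_SHA256)
    subject = ("<saml:Subject><saml:NameID>dr.jones@example.org</saml:NameID>"
               "</saml:Subject>" if with_subject else "")
    conditions = ""
    if props.get("enableConditionsDefaultValue", "true") == "true":
        conditions = (f'<saml:Conditions NotBefore="{_ts(now - timedelta(minutes=5))}" '
                      f'NotOnOrAfter="{_ts(now + timedelta(minutes=30))}"/>')
    # SignatureValue omitted: only the declared algorithm matters for the checks below.
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}" ID="_c0nnect1" Version="2.0">'
            f'<saml:Issuer>CN=gateway.example.org</saml:Issuer>'
            f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/>'
            f'</ds:SignedInfo></ds:Signature>{subject}{conditions}</saml:Assertion>')


def validate_assertion(xml_text, props, now):
    """Responder side: return the list of policy violations (empty = accepted)."""
    root = ET.fromstring(xml_text)
    problems = []
    # allowNoSubjectAssertion=true relaxes the Subject requirement for legacy peers.
    if root.find(f"{{{SAML_NS}}}Subject") is None and props.get("allowNoSubjectAssertion") != "true":
        problems.append("Subject missing")
    # Conditions, when present, must bracket the responder's current time.
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is not None:
        if now < _parse_ts(cond.get("NotBefore")):
            problems.append("NotBefore is in the future")
        if now >= _parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    # Allowlist from saml.signatureAlgorithms; SHA-256 only when it is commented out.
    allowed = {a.strip() for a in props.get("saml.signatureAlgorithms", RSA_SHA256).split(",")}
    method = root.find(f".//{{{DS_NS}}}SignatureMethod")
    alg = method.get("Algorithm") if method is not None else None
    if alg not in allowed:
        problems.append(f"signature algorithm not permitted: {alg}")
    return problems


def demo():
    """Run the sample assertions through both profiles; returns {case: violations}."""
    now = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    relaxed, strict = load_properties(RELAXED_PROPS), load_properties(STRICT_PROPS)
    legacy = issue_assertion(relaxed, now, with_subject=False, signature_alg=RSA_SHA1)
    modern = issue_assertion(strict, now)
    return {
        "legacy_under_relaxed": validate_assertion(legacy, relaxed, now),
        "legacy_under_strict": validate_assertion(legacy, strict, now),
        "modern_under_strict": validate_assertion(modern, strict, now),
        # Responder clock one hour behind the issuer: NotBefore appears to be in the future.
        "modern_skewed_clock": validate_assertion(modern, strict, now - timedelta(hours=1)),
    }


if __name__ == "__main__":
    for case, violations in demo().items():
        print(f"{case}: {violations or 'accepted'}")
```

Running it shows the legacy assertion (no Subject, signed with RSA-SHA1) accepted only under the relaxed profile and rejected twice under the strict one, once for the missing Subject and once for the algorithm, while the skewed-clock case reproduces the kind of validation error the enableConditionsDefaultValue row warns about when a Conditions window is set without regard to clock drift between gateways.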