SAML 2.0 Variables
Resolving Variables
While configuring an Authenticator, you can use Variables. They can be defined at Authenticator level, Organization level, and Shared level. The resolve algorithm searches the Authenticator-specific variables first. If the variable is not found at the Authenticator level, the Organization level variables are searched next. If it is found at neither the Authenticator level nor the Organization level, the Shared level variables are searched last.
SAML Variables
The following Variables can be specified.
| Variable | Description |
|---|---|
| BASE_URL | The real server name of a Process Platform instance can differ from the name used to access the server. For example, the internal server name of an instance can be srv-nl-sso1, while the browser accesses it as www.acme.com. When BASE_URL is not specified, the security framework uses the internal server name srv-nl-sso1 in the SAML 2 SP metadata of Cor. The metadata contains the complete URL of the Process Platform ACS (Assertion Consumer Service); after the user signs in at the IdP, the IdP POSTs the SAML assertions to the ACS URL taken from the SAML 2 SP metadata. In the described situation, set BASE_URL to 'http://www.acme.com', which includes the protocol, complete domain name, and port number of the server. |
| ENTITY_ID | When registering a Service Provider at an IdP, the ENTITY_ID from the SAML 2 SP metadata is used as the identifier. If that ENTITY_ID is already in use, the ENTITY_ID variable can be used to give the Authenticator a new ENTITY_ID, which is then used in the SAML 2 SP metadata. |
| IDP_RETURN_URL | When this variable is set, the Process Platform ACS redirects to this URL after validating the SAML assertion POSTed by the IdP. That is, after the user signs in at the IdP, the browser is redirected to the URL specified in this variable. |
| ACS_CLASS_HTTPPOST | With this variable, the ACS class used by default can be replaced. If it is set, the fully qualified class name is used as the ACS in the SAMLRequest sent to the IdP, that is, the endpoint to which the IdP POSTs the SAML 2 assertion. |
BASE_URL checks
Before redirecting the user to the IdP, a SAMLRequest is generated, and the BASE_URL is communicated in it. Three checks are done before the BASE_URL is used; each compares the configured BASE_URL with the request URL as used by the user. The checks are:
- is the protocol the same
- is the domain the same
- is the port the same
In some situations, such as a proxy with SSL offloading, these checks block usage of the BASE_URL. The following properties can therefore be used to disable individual checks. They can either be put in wcp.properties or be specified as a JRE parameter on the Single Sign-On Service container. The properties are:
| Property | Description |
|---|---|
| saml2.disable.baseurl.protocol.check | Disables the protocol check when using the BASE_URL value |
| saml2.disable.baseurl.domain.check | Disables the domain check when using the BASE_URL value |
| saml2.disable.baseurl.port.check | Disables the port check when using the BASE_URL value |

Note: The default value for all of the above properties is false, which means that all the checks are performed by default.
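The following is an added model of the three BASE_URL checks and of the three disable properties described above; it is a constructed illustration, not the Process Platform's own code. It assumes that a URL without an explicit port is compared using its scheme's default port, and the sample URLs and path are constructed.

```python
from urllib.parse import urlparse

# Constructed model of the BASE_URL checks (protocol, domain, port) and the
# saml2.disable.baseurl.<check>.check properties; not the platform's own code.
DEFAULT_PORTS = {"http": 80, "https": 443}
CHECKS = ("protocol", "domain", "port")


def url_parts(url):
    """Split a URL into its protocol, domain and port. A URL without an
    explicit port gets its scheme's default port (assumption, not on the page)."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return {"protocol": scheme, "domain": (p.hostname or "").lower(), "port": port}


def check_disabled(properties, name):
    """True when saml2.disable.baseurl.<name>.check is 'true'; the default is false."""
    value = properties.get(f"saml2.disable.baseurl.{name}.check", "false")
    return str(value).strip().lower() == "true"


def evaluate_base_url(base_url, request_url, properties=None):
    """Compare the configured BASE_URL with the request URL the user used.
    Returns (usable, failed): usable is True when every check that is still
    enabled matches; failed lists the enabled checks that did not match."""
    properties = properties or {}
    base, req = url_parts(base_url), url_parts(request_url)
    failed = [name for name in CHECKS
              if not check_disabled(properties, name) and base[name] != req[name]]
    return (not failed, failed)


if __name__ == "__main__":
    # Constructed scenario: a proxy terminates TLS, so the user sees
    # https://www.acme.com while the container receives plain http on 8080.
    base = "https://www.acme.com"
    seen_by_container = "http://www.acme.com:8080/sso/acs"  # constructed path
    print(evaluate_base_url(base, seen_by_container))
    # Disable only the two checks the proxy breaks; the domain check stays on,
    # so a request addressed to the internal server name is still rejected.
    props = {"saml2.disable.baseurl.protocol.check": "true",
             "saml2.disable.baseurl.port.check": "true"}
    print(evaluate_base_url(base, seen_by_container, props))
    print(evaluate_base_url(base, "http://srv-nl-sso1:8080/sso/acs", props))
```

Disabling only the checks that the proxy actually breaks keeps the remaining comparisons in force, so the domain check still catches a BASE_URL that does not match the host the user reached.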