pp108 : SAML 2.0 Variables

This topic describes the available Variables that can be used in a SAML 2.0 type Authenticator.

Resolving Variables

While configuring an Authenticator, you can use Variables. They can be defined at Authenticator level, Organization level, and Shared level. The resolve algorithm for a variable searches the Authenticator-specific variables first. If the variable is not found at the Authenticator level, the Organization level variables are searched. If it is found at neither the Authenticator level nor the Organization level, the Shared level variables are searched.

SAML Variables

The following variables can be specified. Each variable name is followed by its description.

BASE_URL

This is a legacy variable. Define the public cluster URL instead.

ENTITY_ID

When registering a Service Provider at an IdP, the ENTITY_ID from the SAML 2 SP metadata is used as the identifier. If that ENTITY_ID is already in use, the ENTITY_ID variable can be used to give the Authenticator a new ENTITY_ID. This ENTITY_ID is then used in the SAML 2 SP metadata.

IDP_RETURN_URL

When this variable is set, the Process Platform ACS redirects to this URL after validating the SAML assertion POSTed by the IdP. That is, after the user signs in at the IdP, the browser is redirected to the URL specified in this variable.
The IDP_RETURN_URL is used when the 'No Frame' option in FrameOptions is set. Process Platform IdP integration is SP and UserAgent based: all protocol redirects are done via the UserAgent. When the 'No Frame' option is used, the complete browser is redirected to the IdP, and the current browser context is completely lost. After the user has authenticated at the IdP, the IdP does a SAMLResponse POST to the Process Platform ACS. After validation, the ACS redirects the browser back to the URL configured in IDP_RETURN_URL.
IDP_RETURN_URL can also be used when you do not want to redirect to the cusp start page but to another page, such as an application XForm.
The value specified only needs to be the path after the domain, for example /home/myorg or /home/myorg/com/acme/app/myform.caf.

ACS_CLASS_HTTPPOST

With this variable, the ACS class that is used by default can be changed. If it is set, the fully qualified class name is used as the ACS in the SAMLRequest sent to the IdP, that is, the endpoint to which the IdP POSTs the SAML 2 assertion.
To use this variable, create a new class that extends the com.eibus.sso.web.saml2.acs.service.HttpPost class. The custom ACS class can, for example, call a BPM that checks whether the user already exists and creates one if needed.

BASE_URL checks

Before redirecting the user to the IdP, a SAMLRequest is generated. In the SAMLRequest, the BASE_URL is communicated. Three checks are done before the BASE_URL is used, each comparing the configured BASE_URL with the request URL as used by the user. The checks are:

  • is the protocol the same
  • is the domain the same
  • is the port the same

In some situations, such as when using a proxy with SSL offloading, these checks block usage of the BASE_URL. Therefore, the following properties can be used to disable individual checks. They can either be put in wcp.properties or be specified as a JRE parameter on the Single Sign-On Service container. Each property name is followed by its description:

saml2.disable.baseurl.protocol.check

Disables the protocol check when using the BASE_URL value

saml2.disable.baseurl.domain.check

Disables the domain check when using the BASE_URL value

saml2.disable.baseurl.port.check

Disables the port check when using the BASE_URL value

Note: The default value of all the above properties is false, which means that all three checks are performed by default.
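The following is an added illustration of the three BASE_URL checks and the properties that disable them; it is constructed for this page and is not Process Platform code. It assumes the checks compare the scheme, hostname and port of the two URLs (with a missing port taken as the scheme's default) and that a property value of "true" disables the corresponding check; the names base_url_check and parse_properties are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed example, not Process Platform code: models the three checks the page
# describes between the configured BASE_URL and the request URL, each of which can
# be switched off by the matching saml2.disable.baseurl.* property.
CHECK_PROPERTIES = {
    "protocol": "saml2.disable.baseurl.protocol.check",
    "domain": "saml2.disable.baseurl.domain.check",
    "port": "saml2.disable.baseurl.port.check",
}
DEFAULT_PORTS = {"http": 80, "https": 443}  # assumption: absent port = scheme default

def _parts(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return {"protocol": scheme, "domain": (u.hostname or "").lower(), "port": port}

def base_url_check(base_url, request_url, properties=None):
    """Return the names of the checks that fail; an empty list means BASE_URL may be
    used. 'properties' maps property name to the "true"/"false" string from
    wcp.properties; a missing property counts as false (check enabled)."""
    properties = properties or {}
    configured, actual = _parts(base_url), _parts(request_url)
    failures = []
    for check, prop in CHECK_PROPERTIES.items():
        if properties.get(prop, "false").strip().lower() == "true":
            continue  # check explicitly disabled by the administrator
        if configured[check] != actual[check]:
            failures.append(check)
    return failures

def parse_properties(text):
    """Minimal key=value parser for a wcp.properties fragment (no escape handling)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

if __name__ == "__main__":
    # Constructed scenario: TLS ends at a proxy, so the container sees plain HTTP
    # on port 8080 while BASE_URL is the public https URL.
    base, seen = "https://sso.example.com/home/myorg", "http://sso.example.com:8080/x"
    print(base_url_check(base, seen))  # ['protocol', 'port']
```

Setting saml2.disable.baseurl.protocol.check=true and saml2.disable.baseurl.port.check=true in the parsed properties makes the same call return an empty list, while the domain check still applies.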