Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save gkazior/706dec1b55fd8df572d8eae666609ecc to your computer and use it in GitHub Desktop.
Save gkazior/706dec1b55fd8df572d8eae666609ecc to your computer and use it in GitHub Desktop.
spring-boot-security-saml configuration options.

Configuration Properties

Configuring your Service Provider through configuration properties is pretty straight forward and most configurations could be accomplished this way. The two limitations that exists are: You can only configure what is exposed as properties, obviously, and you cannot provide specific implementations or instances of the different Spring Security SAML classes/interfaces. If you need to provide custom implementations of certain types or a more dynamic configuration you'll need to use the Java DSL approach for that configuration, but as expressed before, you can configure as much as you can through properties, while using the DSL configuration for any dynamic or custom implementations configuration. You can mix the two flavors.
The following table shows all the available properties (Parsed from Spring Configuration Metadata file).

Key Default Value Description
saml.sso.default-failure-url /error The URL which will be used as the failure destination.
saml.sso.default-success-url / Supplies the default target Url that will be used if no saved request is found in the session, or the alwaysUseDefaultTargetUrl property is set to true. If not set, defaults to /. It will be treated as relative to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (such as "http://" or "https://") as the prefix will denote a fully-qualified URL and this is also supported.
saml.sso.discovery-processing-url /saml/discovery The URL that the {@link SAMLDiscovery} filter will be listening to.
saml.sso.enable-sso-hok true Whether to enable the {@link SAMLWebSSOHoKProcessingFilter} filter or not.
saml.sso.idp-selection-page-url /idpselection Sets path where request dispatcher will send user for IDP selection. In case it is null the default IDP will always be used.
saml.sso.sso-hok-processing-url /saml/HoKSSO The URL that the {@link SAMLWebSSOHoKProcessingFilter} will be listening to. Only relevant if {@code enableSsoHok} is true.
saml.sso.sso-login-url saml/login The URL that the {@link SAMLEntryPoint} filter will be listening to.
saml.sso.sso-processing-url /saml/SSO The URL that the {@link SAMLProcessingFilter} will be listening to.
saml.sso.authentication-provider.exclude-credential false By default principal in the returned Authentication object is the NameID included in the authenticated Assertion. The NameID is not serializable. Setting this value to true will force the NameID value to be a String.
saml.sso.authentication-provider.force-principal-as-string false When false (default) the resulting Authentication object will include instance of SAMLCredential as a credential value. The credential includes information related to the authentication process, received attributes and is required for Single Logout. In case your application doesn't require the credential, it is possible to exclude it from the Authentication object by setting this flag to true.
saml.sso.context-provider.lb.context-path null Context path of the LB, must be starting with slash, e.g. /saml-extension
saml.sso.context-provider.lb.enabled false whether to enable LB support, false by default, implicit when one of the LB options below is used
saml.sso.context-provider.lb.include-server-port-in-request-url null When true serverPort will be used in construction of LB requestURL
saml.sso.context-provider.lb.scheme null Scheme of the LB server - either http or https
saml.sso.context-provider.lb.server-name null Server name of the LB, e.g. www.myserver.com
saml.sso.context-provider.lb.server-port null Port of the server, in case value is <= 0 port will not be included in the requestURL and port from the original request will be used for getServerPort calls
saml.sso.extended-delegate.force-metadata-revocation-check false Determines whether check for certificate revocation should always be done as part of the PKIX validation. Revocation is evaluated by the underlaying JCE implementation and depending on configuration may include CRL and OCSP verification of the certificate in question. When set to false revocation is only performed when MetadataManager includes CRLs.
saml.sso.extended-delegate.metadata-require-signature false When set to true metadata from this provider should only be accepted when correctly signed and verified. Metadata with an invalid signature or signed by a not-trusted credential will be ignored.
saml.sso.extended-delegate.metadata-trust-check false When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys as anchors.
saml.sso.extended-delegate.metadata-trusted-keys null Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted. If not set any key stored in the keyManager is considered as trusted.
saml.sso.extended-delegate.require-valid-metadata false Sets whether the metadata returned by queries must be valid.
saml.sso.extended-metadata.alias null Local alias of the entity used for construction of well-known metadata address and determining target entity from incoming requests.
saml.sso.extended-metadata.ecp-enabled false Indicates whether Enhanced Client/Proxy profile should be used for requests which support it. Only valid for local entities.
saml.sso.extended-metadata.encryption-key null Key (stored in the local keystore) used for encryption/decryption of messages coming/sent from this entity. For local entities private key must be available, for remote entities only public key is required.
saml.sso.extended-metadata.idp-discovery-enabled false When true IDP discovery will be invoked before SSO. Only valid for local entities.
saml.sso.extended-metadata.idp-discovery-response-url null URL where the discovery service should send back response to our discovery request. Only valid for local entities.
saml.sso.extended-metadata.idp-discovery-url null URL of the IDP Discovery service user should be redirected to upon request to determine which IDP to use. Value can override settings in the local SP metadata. Only valid for local entities.
saml.sso.extended-metadata.key-info-generator-name null Name of generator for KeyInfo elements in metadata and signatures. At the moment only used for metadata signatures. Only valid for local entities.
saml.sso.extended-metadata.local false Setting of the value determines whether the entity is deployed locally (hosted on the current installation) or whether it's an entity deployed elsewhere. @deprecated As of version 1.10 setting this property has no effect. Instead use {@link ServiceProviderBuilder#extendedMetadata()} or {@link ServiceProviderBuilder#localExtendedMetadata()}
saml.sso.extended-metadata.require-artifact-resolve-signed true If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
saml.sso.extended-metadata.require-logout-request-signed true SAML specification mandates that incoming LogoutRequests must be authenticated.
saml.sso.extended-metadata.require-logout-response-signed false Flag indicating whether incoming LogoutResponse messages must be authenticated.
saml.sso.extended-metadata.security-profile metaiop Profile used for trust verification, MetaIOP by default. Only relevant for local entities.
saml.sso.extended-metadata.sign-metadata false Flag indicating whether to sign metadata for this entity. Only valid for local entities.
saml.sso.extended-metadata.signing-algorithm null Algorithm used for creation of digital signatures of this entity. At the moment only used for metadata signatures. Only valid for local entities.
saml.sso.extended-metadata.signing-key null Key (stored in the local keystore) used for signing/verifying signature of messages sent/coming from this entity. For local entities private key must be available, for remote entities only public key is required.
saml.sso.extended-metadata.ssl-hostname-verification default Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution.
saml.sso.extended-metadata.ssl-security-profile pkix Profile used for SSL/TLS trust verification, PKIX by default. Only relevant for local entities.
saml.sso.extended-metadata.support-unsolicited-response true Flag indicating whether to support unsolicited responses (IDP-initialized SSO). Only valid for remote entities.
saml.sso.extended-metadata.tls-key null Key used for verification of SSL/TLS connections. For local entities key is included in the generated metadata when specified. For remote entities key is used to for server authentication of SSL/TLS when specified and when MetaIOP security profile is used.
saml.sso.extended-metadata.trusted-keys null Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is null all keys in the keyStore will be treated as trusted.
saml.sso.idp.local-metadata-location null Specify the location of the local SP_ metadata file to be loaded as {@link ResourceBackedMetadataProvider}
saml.sso.idp.metadata-location classpath:idp-metadata.xml Specify the location(s) of the metadata files to be loaded as {@link ResourceBackedMetadataProvider}
saml.sso.key-manager.default-key localhost The default key name to use for encryption.
saml.sso.key-manager.key-passwords null They KeyStore private key passwords by key name.
saml.sso.key-manager.private-key-der-location null Specify a DER private key location. Used in conjunction with publicKeyPemLocation.
saml.sso.key-manager.public-key-pem-location null Specify a PEM certificate location. Used in conjunction with privateKeyDerLocation.
saml.sso.key-manager.store-location null The location of KeyStore resource. If used, privateKeyDerLocation and privateKeyDerLocation are ignored.
saml.sso.key-manager.store-pass null The KeyStore password. Not relevant when using privateKeyDerLocation and privateKeyDerLocation.
saml.sso.local-extended-delegate.force-metadata-revocation-check false Determines whether check for certificate revocation should always be done as part of the PKIX validation. Revocation is evaluated by the underlaying JCE implementation and depending on configuration may include CRL and OCSP verification of the certificate in question. When set to false revocation is only performed when MetadataManager includes CRLs.
saml.sso.local-extended-delegate.metadata-require-signature false When set to true metadata from this provider should only be accepted when correctly signed and verified. Metadata with an invalid signature or signed by a not-trusted credential will be ignored.
saml.sso.local-extended-delegate.metadata-trust-check false When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys as anchors.
saml.sso.local-extended-delegate.metadata-trusted-keys null Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted. If not set any key stored in the keyManager is considered as trusted.
saml.sso.local-extended-delegate.require-valid-metadata false Sets whether the metadata returned by queries must be valid.
saml.sso.local-extended-metadata.alias null Local alias of the entity used for construction of well-known metadata address and determining target entity from incoming requests.
saml.sso.local-extended-metadata.ecp-enabled false Indicates whether Enhanced Client/Proxy profile should be used for requests which support it. Only valid for local entities.
saml.sso.local-extended-metadata.encryption-key null Key (stored in the local keystore) used for encryption/decryption of messages coming/sent from this entity. For local entities private key must be available, for remote entities only public key is required.
saml.sso.local-extended-metadata.idp-discovery-enabled false When true IDP discovery will be invoked before SSO. Only valid for local entities.
saml.sso.local-extended-metadata.idp-discovery-response-url null URL where the discovery service should send back response to our discovery request. Only valid for local entities.
saml.sso.local-extended-metadata.idp-discovery-url null URL of the IDP Discovery service user should be redirected to upon request to determine which IDP to use. Value can override settings in the local SP metadata. Only valid for local entities.
saml.sso.local-extended-metadata.key-info-generator-name null Name of generator for KeyInfo elements in metadata and signatures. At the moment only used for metadata signatures. Only valid for local entities.
saml.sso.local-extended-metadata.local false Setting of the value determines whether the entity is deployed locally (hosted on the current installation) or whether it's an entity deployed elsewhere. @deprecated As of version 1.10 setting this property has no effect. Instead use {@link ServiceProviderBuilder#extendedMetadata()} or {@link ServiceProviderBuilder#localExtendedMetadata()}
saml.sso.local-extended-metadata.require-artifact-resolve-signed true If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
saml.sso.local-extended-metadata.require-logout-request-signed true SAML specification mandates that incoming LogoutRequests must be authenticated.
saml.sso.local-extended-metadata.require-logout-response-signed false Flag indicating whether incoming LogoutResponse messages must be authenticated.
saml.sso.local-extended-metadata.security-profile metaiop Profile used for trust verification, MetaIOP by default. Only relevant for local entities.
saml.sso.local-extended-metadata.sign-metadata false Flag indicating whether to sign metadata for this entity. Only valid for local entities.
saml.sso.local-extended-metadata.signing-algorithm null Algorithm used for creation of digital signatures of this entity. At the moment only used for metadata signatures. Only valid for local entities.
saml.sso.local-extended-metadata.signing-key null Key (stored in the local keystore) used for signing/verifying signature of messages sent/coming from this entity. For local entities private key must be available, for remote entities only public key is required.
saml.sso.local-extended-metadata.ssl-hostname-verification default Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution.
saml.sso.local-extended-metadata.ssl-security-profile pkix Profile used for SSL/TLS trust verification, PKIX by default. Only relevant for local entities.
saml.sso.local-extended-metadata.support-unsolicited-response true Flag indicating whether to support unsolicited responses (IDP-initialized SSO). Only valid for remote entities.
saml.sso.local-extended-metadata.tls-key null Key used for verification of SSL/TLS connections. For local entities key is included in the generated metadata when specified. For remote entities key is used to for server authentication of SSL/TLS when specified and when MetaIOP security profile is used.
saml.sso.local-extended-metadata.trusted-keys null Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is null all keys in the keyStore will be treated as trusted.
saml.sso.logout.clear-authentication true If true, removes the Authentication from the SecurityContext to prevent issues with concurrent requests.
saml.sso.logout.default-target-url / Supplies the default target Url that will be used if no saved request is found in the session, or the alwaysUseDefaultTargetUrl property is set to true. If not set, defaults to /. It will be treated as relative to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (such as "http://" or "https://") as the prefix will denote a fully-qualified URL and this is also supported.
saml.sso.logout.invalidate-session false Causes the HttpSession to be invalidated when this LogoutHandler is invoked. Defaults to false.
saml.sso.logout.logout-url /saml/logout Sets the URL used to determine if the {@link SAMLLogoutFilter} is invoked.
saml.sso.logout.single-logout-url /saml/SingleLogout Sets the URL used to determine if the {@link SAMLLogoutProcessingFilter} is invoked.
saml.sso.metadata-generator.assertion-consumer-index 0 Generated assertion consumer service with the index equaling set value will be marked as default. Use negative value to skip the default attribute altogether.
saml.sso.metadata-generator.bindings-hok-sso null List of bindings to be included in the generated metadata for Web Single Sign-On Holder of Key. Ordering of bindings affects inclusion in the generated metadata. Supported values are: "artifact" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact") and "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"). By default there are no included bindings for the profile.
saml.sso.metadata-generator.bindings-slo null List of bindings to be included in the generated metadata for Single Logout. Ordering of bindings affects inclusion in the generated metadata. Supported values are: "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST") and "redirect" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"). The following bindings are included by default: "post", "redirect".
saml.sso.metadata-generator.bindings-sso null List of bindings to be included in the generated metadata for Web Single Sign-On. Ordering of bindings affects inclusion in the generated metadata. Supported values are: "artifact" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"), "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST") and "paos" (or "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"). The following bindings are included by default: "artifact", "post".
saml.sso.metadata-generator.entity-base-url null This Service Provider's entity base URL. Provide if base URL cannot be inferred by using the hostname where the Service Provider will be running. I.E. if running on the cloud behind a load balancer.
saml.sso.metadata-generator.entity-id null This Service Provider's SAML Entity ID. Used as entity id for generated requests from this Service Provider.
saml.sso.metadata-generator.id null Local ID. Used as part of Entity Descriptor.
saml.sso.metadata-generator.include-discovery-extension true When true discovery profile extension metadata pointing to the default SAMLEntryPoint will be generated and stored in the generated metadata document.
saml.sso.metadata-generator.metadata-url /saml/metadata {@link MetadataDisplayFilter} processing URL. Defines which URL will display the Service Provider Metadata.
saml.sso.metadata-generator.name-id null NameIDs to be included in generated metadata.
saml.sso.metadata-generator.request-signed true Whether Authentication Requests should be signed by this Service Provider or not.
saml.sso.metadata-generator.want-assertion-signed true Whether incoming SAML assertions should be signed or not.
saml.sso.metadata-manager.default-idp null Sets name of IDP to be used as default.
saml.sso.metadata-manager.hosted-sp-name null Sets nameId of SP hosted on this machine. This can either be called from springContext or automatically during invocation of metadata generation filter.
saml.sso.metadata-manager.refresh-check-interval -1 Interval in milliseconds used for re-verification of metadata and their reload. Upon trigger each provider is asked to return it's metadata, which might trigger their reloading. In case metadata is reloaded the manager is notified and automatically refreshes all internal data by calling refreshMetadata.

In case the value is smaller than zero the timer is not created.

saml.sso.profile-options.allow-create null Flag indicating whether IDP can create new user based on the current authentication request. Null value will omit field from the request.
saml.sso.profile-options.allowed-idps null List of IDPs which are allowed to process the created AuthnRequest. IDP the request will be sent to is added automatically. In case value is null the allowedIdps will not be included in the Scoping element.

Property includeScoping must be enabled for this value to take any effect.

saml.sso.profile-options.assertion-consumer-index null When set determines assertionConsumerService and binding to which should IDP send response. By default service is determined automatically. Available indexes can be found in metadata of this service provider.
saml.sso.profile-options.authn-context-comparison null Comparison to use for WebSSO requests. No change for null values.
saml.sso.profile-options.authn-contexts null Enable different {@link org.opensaml.saml2.core.AuthnContext} to be sent and validated based on {@code authnContextComparison}.
saml.sso.profile-options.binding null Binding to be used for for sending SAML message to IDP.
saml.sso.profile-options.force-authn false Whether to always force Authentication when redirected to the IDP or to allow IDP-managed sessions (basically disables Single Sign On for the local entity).
saml.sso.profile-options.include-scoping true True if scoping element should be included in the requests sent to IDP.
saml.sso.profile-options.name-id null NameID to used or null to omit NameIDPolicy from request.
saml.sso.profile-options.passive false Whether the IdP should refrain from interacting with the user during the authentication process. Boolean values will be marshalled to either "true" or "false".
saml.sso.profile-options.provider-name null Human readable name of the local entity.
saml.sso.profile-options.proxy-count 2 Null to skip proxyCount, 0 to disable proxying, >0 to allow proxying
saml.sso.profile-options.relay-state null Relay state sent to the IDP as part of the authentication request. Value will be returned by IDP and made available in the SAMLCredential after successful authentication.
saml.sso.saml-processor.artifact true Disable/Enable HTTP Artifact Bindings.
saml.sso.saml-processor.paos true Disable/Enable PAOS Bindings.
saml.sso.saml-processor.post true Disable/Enable HTTP POST Bindings.
saml.sso.saml-processor.redirect true Disable/Enable HTTP Redirect Bindings.
saml.sso.saml-processor.soap true Disable/Enable SOAP Bindings.
saml.sso.tls.protocol-name https Name of protocol to register.
saml.sso.tls.protocol-port 443 Default port of protocol.
saml.sso.tls.ssl-hostname-verification default Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution.
saml.sso.tls.trusted-keys null Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is null all keys in the keyStore will be treated as trusted.

Same Properties but in properties format

#The URL which will be used as the failure destination.
saml.sso.default-failure-url=/error
#Supplies the default target Url that will be used if no saved request is found in the session, or the  alwaysUseDefaultTargetUrl property is set to true. If not set, defaults to /. It will be treated as relative to  the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name (such as  "http://" or "https://") as the prefix will denote a fully-qualified URL and this is also supported.
saml.sso.default-success-url=/
#The URL that the {@link SAMLDiscovery} filter will be listening to.
saml.sso.discovery-processing-url=/saml/discovery
#Whether to enable the {@link SAMLWebSSOHoKProcessingFilter} filter or not.
saml.sso.enable-sso-hok=true
#Sets path where request dispatcher will send user for IDP selection. In case it is null the default IDP will  always be used.
saml.sso.idp-selection-page-url=/idpselection
#The URL that the {@link SAMLWebSSOHoKProcessingFilter} will be listening to. Only relevant if {@code  enableSsoHok} is true.
saml.sso.sso-hok-processing-url=/saml/HoKSSO
#The URL that the {@link SAMLEntryPoint} filter will be listening to.
saml.sso.sso-login-url=saml/login
#The URL that the {@link SAMLProcessingFilter} will be listening to.
saml.sso.sso-processing-url=/saml/SSO
#By default principal in the returned Authentication object is the NameID included in the authenticated  Assertion. The NameID is not serializable. Setting this value to true will force the NameID value to be a  String.
saml.sso.authentication-provider.exclude-credential=false
#When false (default) the resulting Authentication object will include instance of SAMLCredential as a  credential value. The credential includes information related to the authentication process, received  attributes and is required for Single Logout. In case your application doesn't require the credential, it is  possible to exclude it from the Authentication object by setting this flag to true.
saml.sso.authentication-provider.force-principal-as-string=false

#Context path of the LB, must be starting with slash, e.g. /saml-extension
saml.sso.context-provider.lb.context-path
#whether to enable LB support, false by default, implicit when one of the LB options below is used.
saml.sso.context-provider.lb.enabled
#When true serverPort will be used in construction of LB requestURL
saml.sso.context-provider.lb.include-server-port-in-request-url
#Scheme of the LB server - either http or https
saml.sso.context-provider.lb.scheme
#Server name of the LB, e.g. www.myserver.com
saml.sso.context-provider.lb.server-name
#Port of the server, in case value is > 0 port will not be included in the requestURL and port  from the original request will be used for getServerPort calls
saml.sso.context-provider.lb.server-port


#Determines whether check for certificate revocation should always be done as part of the PKIX validation.  Revocation is evaluated by the underlaying JCE implementation and depending on configuration may include CRL  and OCSP verification of the certificate in question. When set to false revocation is only performed when  MetadataManager includes CRLs.
saml.sso.extended-delegate.force-metadata-revocation-check=false
#When set to true metadata from this provider should only be accepted when correctly signed and verified.  Metadata with an invalid signature or signed by a not-trusted credential will be ignored.
saml.sso.extended-delegate.metadata-require-signature=false
#When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys  as anchors.
saml.sso.extended-delegate.metadata-trust-check=false
#Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted.  If not set any key stored in the keyManager is considered as trusted.
saml.sso.extended-delegate.metadata-trusted-keys=null
#Sets whether the metadata returned by queries must be valid.
saml.sso.extended-delegate.require-valid-metadata=false
#Local alias of the entity used for construction of well-known metadata address and determining target  entity from incoming requests.
saml.sso.extended-metadata.alias=null
#Indicates whether Enhanced Client/Proxy profile should be used for requests which support it. Only valid for  local entities.
saml.sso.extended-metadata.ecp-enabled=false
#Key (stored in the local keystore) used for encryption/decryption of messages coming/sent from this entity. For  local entities  private key must be available, for remote entities only public key is required.
saml.sso.extended-metadata.encryption-key=null
#When true IDP discovery will be invoked before SSO. Only valid for local entities.
saml.sso.extended-metadata.idp-discovery-enabled=false
#URL where the discovery service should send back response to our discovery request. Only valid for local  entities.
saml.sso.extended-metadata.idp-discovery-response-url=null
#URL of the IDP Discovery service user should be redirected to upon request to determine which IDP to use.  Value can override settings in the local SP metadata. Only valid for local entities.
saml.sso.extended-metadata.idp-discovery-url=null
#Name of generator for KeyInfo elements in metadata and signatures. At the moment only used for metadata  signatures.  Only valid for local entities.
saml.sso.extended-metadata.key-info-generator-name=null
#Setting of the value determines whether the entity is deployed locally (hosted on the current installation) or  whether it's an entity deployed elsewhere.
saml.sso.extended-metadata.local=false
#If true received artifactResolve messages will require a signature, sent artifactResolve will be signed.
saml.sso.extended-metadata.require-artifact-resolve-signed=true
#SAML specification mandates that incoming LogoutRequests must be authenticated.
saml.sso.extended-metadata.require-logout-request-signed=true
#Flag indicating whether incoming LogoutResposne messages must be authenticated.
saml.sso.extended-metadata.require-logout-response-signed=false
#Profile used for trust verification, MetaIOP by default. Only relevant for local entities.
saml.sso.extended-metadata.security-profile=metaiop
#Flag indicating whether to sign metadata for this entity. Only valid for local entities.
saml.sso.extended-metadata.sign-metadata=false
#Algorithm used for creation of digital signatures of this entity. At the moment only used for metadata  signatures.  Only valid for local entities.
saml.sso.extended-metadata.signing-algorithm=null
#Key (stored in the local keystore) used for signing/verifying signature of messages sent/coming from this  entity. For local entities private key must be available, for remote entities only public key is required.
saml.sso.extended-metadata.signing-key=null
#Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution.
saml.sso.extended-metadata.ssl-hostname-verification=default
#Profile used for SSL/TLS trust verification, PKIX by default. Only relevant for local entities.
saml.sso.extended-metadata.ssl-security-profile=pkix
#Flag indicating whether to support unsolicited responses (IDP-initialized SSO). Only valid for remote  entities.
saml.sso.extended-metadata.support-unsolicited-response=true
#Key used for verification of SSL/TLS connections. For local entities key is included in the generated metadata  when specified.  For remote entities key is used to for server authentication of SSL/TLS when specified and when MetaIOP security  profile is used.
saml.sso.extended-metadata.tls-key=null
#Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is  null  all keys in the keyStore will be treated as trusted.
saml.sso.extended-metadata.trusted-keys=null
#Specify the location(s) of the metadata files to be loaded as {@link ResourceBackedMetadataProvider}
saml.sso.idp.metadata-location=classpath:idp-metadata.xml
#The default key name to use for encryption.
saml.sso.key-manager.default-key=localhost
#They KeyStore private key passwords by key name.
saml.sso.key-manager.key-passwords=null
#Specify a DER private key location. Used in conjunction with publicKeyPemLocation.
saml.sso.key-manager.private-key-der-location=null
#Specify a PEM certificate location. Used in conjunction with privateKeyDerLocation.
saml.sso.key-manager.public-key-pem-location=null
#The location of KeyStore resource. If used, privateKeyDerLocation and privateKeyDerLocation are ignored.
saml.sso.key-manager.store-location=null
#The KeyStore password. Not relevant when using privateKeyDerLocation and privateKeyDerLocation.
saml.sso.key-manager.store-pass=null
#If true, removes the Authentication from the SecurityContext to prevent issues with concurrent requests.
saml.sso.logout.clear-authentication=true
#Supplies the default target Url that will be used if no saved request is found in the session, or the  alwaysUseDefaultTargetUrl property is set to true. If not set, defaults to /. It will be treated as relative  to the web-app's context path, and should include the leading /. Alternatively, inclusion of a scheme name  (such as "http://" or "https://") as the prefix will denote a fully-qualified URL and this is also  supported.
saml.sso.logout.default-target-url=/
#Causes the HttpSession to be invalidated when this LogoutHandler is invoked. Defaults to true.
saml.sso.logout.invalidate-session=false
#Sets the URL used to determine if the {@link SAMLLogoutFilter} is invoked.
saml.sso.logout.logout-url=/saml/logout
#Sets the URL used to determine if the {@link SAMLLogoutProcessingFilter} is invoked.
saml.sso.logout.single-logout-url=saml/SingleLogout
#Generated assertion consumer service with the index equaling set value will be marked as default. Use  negative value to skip the default attribute altogether.
saml.sso.metadata-generator.assertion-consumer-index=0
#List of bindings to be included in the generated metadata for Web Single Sign-On Holder of Key. Ordering of  bindings affects inclusion in the generated metadata. Supported values are: "artifact" (or  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact") and "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST").  By default there are no included bindings for the profile.
saml.sso.metadata-generator.bindings-hok-sso=null
#List of bindings to be included in the generated metadata for Single Logout. Ordering of bindings affects  inclusion in the generated metadata. Supported values are: "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")  and "redirect" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"). The following bindings are  included  by default: "post", "redirect".
saml.sso.metadata-generator.bindings-slo=null
#List of bindings to be included in the generated metadata for Web Single Sign-On. Ordering of bindings  affects inclusion in the generated metadata. Supported values are: "artifact" (or  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"), "post" (or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")  and "paos" (or "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"). The following bindings are included by default:  "artifact", "post".
saml.sso.metadata-generator.bindings-sso=null
#This Service Provider's entity base URL. Provide if base URL cannot be inferred by using the hostname where  the Service Provider will be running. I.E. if running on the cloud behind a load balancer.
saml.sso.metadata-generator.entity-base-url=null
#This Service Provider's SAML Entity ID. Used as entity id for generated requests from this Service Provider.
saml.sso.metadata-generator.entity-id=null
#Local ID. Used as part of Entity Descriptor.
saml.sso.metadata-generator.id=null
#When true discovery profile extension metadata pointing to the default SAMLEntryPoint will be generated and  stored in the generated metadata document.
saml.sso.metadata-generator.include-discovery-extension=true
#{@link MetadataDisplayFilter} processing URL. Defines which URL will display the Service Provider Metadata.
saml.sso.metadata-generator.metadata-url=/saml/metadata
#NameIDs to be included in generated metadata.
saml.sso.metadata-generator.name-id=null
#Whether Authentication Requests should be signed by this Service Provider or not.
saml.sso.metadata-generator.request-signed=true
#Whether incoming SAML assertions should be signed or not.
saml.sso.metadata-generator.want-assertion-signed=true
#Sets name of IDP to be used as default.
saml.sso.metadata-manager.default-idp=null
#Sets nameID of SP hosted on this machine. This can either be called from springContext or automatically  during invocation of metadata generation filter.
saml.sso.metadata-manager.hosted-sp-name=null
#Interval in milliseconds used for re-verification of metadata and their reload. Upon trigger each provider  is asked to return it's metadata, which might trigger their reloading. In case metadata is reloaded the  manager is notified and automatically refreshes all internal data by calling refreshMetadata.  <p>  In case the value is smaller than zero the timer is not created.  </p>
saml.sso.metadata-manager.refresh-check-interval=-1
#Flag indicating whether IDP can create new user based on the current authentication request. Null value will  omit field from the request.
saml.sso.profile-options.allow-create=null
#List of IDPs which are allowed to process the created AuthnRequest. IDP the request will be sent to is added  automatically. In case value is null the allowedIDPs will not be included in the Scoping element.  <p>  Property includeScoping must be enabled for this value to take any effect.  </p>
saml.sso.profile-options.allowed-idps=null
#When set determines assertionConsumerService and binding to which should IDP send response. By default  service is determined automatically. Available indexes can be found in metadata of this service provider.
saml.sso.profile-options.assertion-consumer-index=null
#Comparison to use for WebSSO requests. No change for null values.
saml.sso.profile-options.authn-context-comparison=null
#Enable different {@link org.opensaml.saml2.core.AuthnContext} to be sent and validated based on {@code authnContextComparison}.
saml.sso.profile-options.authn-contexts=null
#Binding to be used for for sending SAML message to IDP.
saml.sso.profile-options.binding=null
#Whether to always force Authentication when redirected to the IDP or to allow IDP-managed sessions (basically disables Single Sign On for the local entity).
saml.sso.profile-options.force-authn=false
#True if scoping element should be included in the requests sent to IDP.
saml.sso.profile-options.include-scoping=true
#NameID to used or null to omit NameIDPolicy from request.
saml.sso.profile-options.name-id=null
#Whether the IdP should refrain from interacting with the user during the authentication process. Boolean  values will be marshalled to either "true" or "false".
saml.sso.profile-options.passive=false
#Human readable name of the local entity.
saml.sso.profile-options.provider-name=null
#Null to skip proxyCount, 0 to disable proxying, &gt;0 to allow proxying
saml.sso.profile-options.proxy-count=2
#Relay state sent to the IDP as part of the authentication request. Value will be returned by IDP and made available  in the SAMLCredential after successful authentication.
saml.sso.profile-options.relay-state=null
#Disable/Enable HTTP Artifact Bindings.
saml.sso.saml-processor.artifact=true
#Disable/Enable PAOS Bindings.
saml.sso.saml-processor.paos=true
#Disable/Enable HTTP POST Bindings.
saml.sso.saml-processor.post=true
#Disable/Enable HTTP Redirect Bindings.
saml.sso.saml-processor.redirect=true
#Disable/Enable SOAP Bindings.
saml.sso.saml-processor.soap=true
#Name of protocol to register.
saml.sso.tls.protocol-name=https
#Default port of protocol.
saml.sso.tls.protocol-port=443
#Hostname verifier to use for verification of SSL connections, e.g. for ArtifactResolution.
saml.sso.tls.ssl-hostname-verification=default
#Keys used as anchors for trust verification when PKIX mode is enabled for the local entity. In case value is  null all keys in the keyStore will be treated as trusted.
saml.sso.tls.trusted-keys=null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment