Configuration settings for SAML authenticated connections | HCL Digital Experience

To enable a connection policy for SAML-based authentication, the following settings must be defined in the metadata section of the policy, the policy mapping, or the default mapping.

SSO_SAML20_IDP
The unique name of the Identity Provider, for example, IdpName. Defining this setting enables SAML-based authentication for the policy, and its value is the prefix under which the remaining Identity Provider settings are looked up. This setting is required. Refer to the following example:
<meta-data>
	<name>SSO_SAML20_IDP</name>
	<value>IdpName</value>
</meta-data>
Important: For the remaining settings, IdpName refers to the name of the Identity Provider that you specified in the SSO_SAML20_IDP setting.
IdpName.IDP_HOST
The host name or IP address of the identity provider. This setting is required. Refer to the following example:
<meta-data>
	<name>IdpName.IDP_HOST</name>
	<value>www.mytfim.org</value>
</meta-data>
IdpName.IDP_PROTOCOL
This setting defines the protocol that is used to connect to the Identity Provider and has two possible values, either http or https. Because the request to the Identity Provider carries the LTPA token or the authentication cookies of the caller, use https unless the connection never leaves a trusted network. Refer to the following example:
<meta-data>
	<name>IdpName.IDP_PROTOCOL</name>
	<value>https</value>
</meta-data>
IdpName.IDP_PORT
This setting defines the TCP port that is used for the Identity Provider connection. The default value is 80, which matches the http protocol; for an https Identity Provider, define the port explicitly. Refer to the following example:
<meta-data>
	<name>IdpName.IDP_PORT</name>
	<value>9443</value>
</meta-data>
IdpName.IDP_URI
The URI of the Identity Provider service to which the SAML authentication is submitted. If this metadata setting is not defined, the connection uses the default URI /SAML2/SSO/POST. Refer to the following example:
<meta-data>
	<name>IdpName.IDP_URI</name>
	<value>/idp/saml20/post</value>
</meta-data>
IdpName.IDP_TIMEOUT
The timeout value, in seconds, of the connection to the Identity Provider. If this metadata setting is not defined, the connection timeout is 60 seconds. Refer to the following example:
<meta-data>
	<name>IdpName.IDP_TIMEOUT</name>
	<value>120</value> <!-- wait 2 minutes -->
</meta-data>
IdpName.IDP_AUTH_TOKEN_SOURCE
Optional parameter that determines where the authentication token for the Identity Provider is taken from. The default value is ltpa. The SAML authentication protocol begins with a request to the Identity Provider, and this request contains an authentication token that identifies the caller at the Identity Provider. Currently, two values are supported:
ltpa
If the value ltpa is defined, then the Ajax proxy creates an LTPA token from the user subject of the Ajax proxy connection and submits it to the Identity Provider to authenticate the IDP request. For most authentication scenarios that are based on Tivoli Federated Identity Manager, the ltpa setting is the preferred one.
cookies
If the value cookies is defined, then the Ajax proxy uses authentication cookies from the local connection to authenticate the IDP request. The names of these cookies are defined in the IdpName.IDP_AUTH_TOKEN_COOKIE.n metadata settings.
Refer to the following example:
<meta-data>
	<name>IdpName.IDP_AUTH_TOKEN_SOURCE</name>
	<value>cookies</value>
	<!-- take cookie list from IDP_AUTH_TOKEN_COOKIE.n as authentication tokens -->
</meta-data>
IdpName.PARAM_NAME.n and IdpName.PARAM_VALUE.n
IdpName.PARAM_NAME.n is the name of a URL query parameter to the Identity Provider. Use this setting with IdpName.PARAM_VALUE.n, which defines the value of a URL query parameter to the Identity Provider. For both settings, n is a counter beginning with 1. Refer to the following example:
<meta-data>
	<name>IdpName.PARAM_NAME.1</name>
	<value>RequestBinding</value>
</meta-data>
<meta-data>
	<name>IdpName.PARAM_VALUE.1</name>
	<value>HTTPPost</value>
</meta-data>
IdpName.IDP_AUTH_COOKIE.n
The name of an authentication cookie, where n is a counter beginning with 1. If no IdpName.IDP_AUTH_COOKIE.n setting is defined, the default authentication cookie name is SAML20. Refer to the following example:
<meta-data>
	<name>IdpName.IDP_AUTH_COOKIE.1</name>
	<value>SAML20</value>
</meta-data>
<meta-data>
	<name>IdpName.IDP_AUTH_COOKIE.2</name>
	<value>another_cookie</value>
</meta-data>
IdpName.IDP_AUTH_TOKEN_COOKIE.n
The name of the authentication cookie that is used to authenticate against the Identity Provider to start the SAML authentication protocol, where n is a counter beginning with 1. These settings are only effective if IdpName.IDP_AUTH_TOKEN_SOURCE is set to cookies; otherwise, they are ignored. The following example defines the authentication cookies MSISAuthenticated, MSISAuth, and MSISAuth1.
<meta-data>
	<name>IdpName.IDP_AUTH_TOKEN_COOKIE.1</name>
	<value>MSISAuthenticated</value>
</meta-data>
<meta-data>
	<name>IdpName.IDP_AUTH_TOKEN_COOKIE.2</name>
	<value>MSISAuth</value>
</meta-data>
<meta-data>
	<name>IdpName.IDP_AUTH_TOKEN_COOKIE.3</name>
	<value>MSISAuth1</value>
</meta-data>
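The settings above only work as a set: IDP_AUTH_TOKEN_COOKIE.n is ignored unless IDP_AUTH_TOKEN_SOURCE is cookies, PARAM_NAME.n needs a matching PARAM_VALUE.n, and the defaults for port, URI, timeout and token source apply whenever a setting is absent. The following Python script is an added example, not HCL Digital Experience code: it parses a constructed metadata fragment that combines every setting on this page, applies the documented defaults, and reports the inconsistencies a reviewer would look for before deploying the policy. The enclosing `<mapping>` element, the way the request URL is composed from protocol, host, port, URI and query parameters, and the finding texts are assumptions of this example.

```python
"""Added example (not HCL DX code): parse and sanity-check the SAML
connection-policy metadata settings described on this page.

Assumptions: the <meta-data> elements sit inside a <mapping> element, and the
request URL is composed as protocol://host:port + uri + query parameters.
The defaults (port 80, URI /SAML2/SSO/POST, timeout 60 s, token source ltpa,
authentication cookie SAML20) are the ones the page states.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an https Identity Provider authenticated with cookies
# from the local connection instead of an LTPA token.
SAMPLE_METADATA = """<mapping>
<meta-data><name>SSO_SAML20_IDP</name><value>IdpName</value></meta-data>
<meta-data><name>IdpName.IDP_HOST</name><value>www.mytfim.org</value></meta-data>
<meta-data><name>IdpName.IDP_PROTOCOL</name><value>https</value></meta-data>
<meta-data><name>IdpName.IDP_PORT</name><value>9443</value></meta-data>
<meta-data><name>IdpName.IDP_URI</name><value>/idp/saml20/post</value></meta-data>
<meta-data><name>IdpName.IDP_TIMEOUT</name><value>120</value></meta-data>
<meta-data><name>IdpName.IDP_AUTH_TOKEN_SOURCE</name><value>cookies</value></meta-data>
<meta-data><name>IdpName.PARAM_NAME.1</name><value>RequestBinding</value></meta-data>
<meta-data><name>IdpName.PARAM_VALUE.1</name><value>HTTPPost</value></meta-data>
<meta-data><name>IdpName.IDP_AUTH_TOKEN_COOKIE.1</name><value>MSISAuthenticated</value></meta-data>
<meta-data><name>IdpName.IDP_AUTH_TOKEN_COOKIE.2</name><value>MSISAuth</value></meta-data>
</mapping>"""

DEFAULTS = {"IDP_PORT": "80", "IDP_URI": "/SAML2/SSO/POST",
            "IDP_TIMEOUT": "60", "IDP_AUTH_TOKEN_SOURCE": "ltpa"}


def parse_metadata(xml_text):
    """Return {name: value} for every <meta-data> element in the fragment."""
    root = ET.fromstring(xml_text)
    return {md.findtext("name").strip(): (md.findtext("value") or "").strip()
            for md in root.iter("meta-data")}


def numbered(meta, prefix):
    """Collect PREFIX.1, PREFIX.2, ... as a list in numeric order."""
    found = {}
    for name, value in meta.items():
        m = re.fullmatch(re.escape(prefix) + r"\.(\d+)", name)
        if m:
            found[int(m.group(1))] = value
    return [found[i] for i in sorted(found)]


def resolve_idp(meta):
    """Apply the page's defaults; return (effective settings, list of findings)."""
    findings = []
    idp = meta.get("SSO_SAML20_IDP")
    if not idp:
        return None, ["SSO_SAML20_IDP missing: the policy is not SAML-enabled"]

    def get(key):
        return meta.get(f"{idp}.{key}", DEFAULTS.get(key))

    cfg = {"idp": idp, "host": get("IDP_HOST"), "protocol": get("IDP_PROTOCOL"),
           "port": get("IDP_PORT"), "uri": get("IDP_URI"),
           "timeout": get("IDP_TIMEOUT"), "token_source": get("IDP_AUTH_TOKEN_SOURCE")}
    if not cfg["host"]:
        findings.append(f"{idp}.IDP_HOST is required")
    if cfg["protocol"] not in ("http", "https"):
        findings.append(f"{idp}.IDP_PROTOCOL must be http or https")
    elif cfg["protocol"] == "http":
        # The IDP request carries the LTPA token or the auth cookies.
        findings.append("IDP_PROTOCOL http sends the caller's token or cookies in cleartext")
    if cfg["protocol"] == "https" and f"{idp}.IDP_PORT" not in meta:
        findings.append("https with the default port 80: define IDP_PORT explicitly")
    if cfg["token_source"] not in ("ltpa", "cookies"):
        findings.append(f"{idp}.IDP_AUTH_TOKEN_SOURCE must be ltpa or cookies")
    token_cookies = numbered(meta, f"{idp}.IDP_AUTH_TOKEN_COOKIE")
    if cfg["token_source"] == "cookies" and not token_cookies:
        findings.append("token source is cookies but no IDP_AUTH_TOKEN_COOKIE.n is defined")
    if cfg["token_source"] == "ltpa" and token_cookies:
        findings.append("IDP_AUTH_TOKEN_COOKIE.n is ignored unless the token source is cookies")
    names = numbered(meta, f"{idp}.PARAM_NAME")
    values = numbered(meta, f"{idp}.PARAM_VALUE")
    if len(names) != len(values):
        findings.append("PARAM_NAME.n and PARAM_VALUE.n counts differ")
    cfg["params"] = list(zip(names, values))
    cfg["token_cookies"] = token_cookies
    cfg["auth_cookies"] = numbered(meta, f"{idp}.IDP_AUTH_COOKIE") or ["SAML20"]
    return cfg, findings


def idp_endpoint(cfg):
    """Assumed composition of the IDP request URL from the effective settings."""
    url = f"{cfg['protocol']}://{cfg['host']}:{cfg['port']}{cfg['uri']}"
    if cfg["params"]:
        url += "?" + "&".join(f"{k}={v}" for k, v in cfg["params"])
    return url


if __name__ == "__main__":
    settings, problems = resolve_idp(parse_metadata(SAMPLE_METADATA))
    print(idp_endpoint(settings))
    for problem in problems:
        print("finding:", problem)
```

Run it against an exported policy to see the effective endpoint and any coupling mistakes; a policy with IDP_AUTH_TOKEN_SOURCE set to cookies and no IDP_AUTH_TOKEN_COOKIE.n entries, or with https and no IDP_PORT, shows up as a finding rather than failing silently at runtime.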