SAMLProviderFilter
Deprecated
This filter is deprecated. Use the IdentityProviderState of nevisAuth instead. See /opt/nevisauth/examples for SAML examples.
Classname
ch::nevis::isiweb4::filter::saml::SAMLProviderFilter
Library
libSAMLFilters.so.1
Configuration
| Name | Type, Usage Constraints, Defaults | Description |
|---|---|---|
| AuthenticationServlet | string; required: basic connectivity | The name of the authentication servlet. An Esauth4ConnectorServlet or another authentication servlet with that name must be configured. |
| BindingType | string; required | The binding type used to transfer the SAML response. The following values may be configured: BrowserPOST: The SAML response is sent to the configured target location using an HTML page with a self-submitting form. This HTML page is sent to the browser. DelegatePOST: The SAML response is sent to the backend using a simulated browser post. This means that an additional request with the SAML response is sent to the backend, followed by the original request. Cookie: The SAML response is sent back to the browser in a domain cookie (name configurable). The browser is then redirected to a configurable location. Header: The SAML response is sent to the backend in an HTTP header field (name configurable). |
| Target | string; optional; default: none | Target of the SAML response. The configured value will be included in the SAML assertion and is also used as a target for redirects (BrowserPOST, Cookie) and backend locations (DelegatePOST). Alternatively, the target can be set via the AuthState in nevisAuth. |
| AudienceRestriction | string; optional; default: none | AudienceRestriction that will be embedded in the SAML assertion. |
| AppendQuerystring | boolean; optional; default: false | If set to true, the query string of the original request will be appended to the target location. |
| AppendPathInfo | boolean; optional; default: false | If set to true, the pathinfo of the original request will be appended to the target location. |
| BodyReadSize | integer; optional, advanced; default: 5120 | Defines how much of the HTTP body needs to be consumed to find the SAML data. |
| SourceIsBase64Encoded | boolean; optional, advanced; default: false | The SAML data may be base64 encoded by the provider. This flag signals to perform a base64 decoding first. |
| PropagateFromEnv | string array; optional, advanced | An array of <key>:<name> pairs which can be used to propagate additional environment data to the authentication service. |
BrowserPOST
The following additional parameters have to be configured when using BrowserPOST binding.
| Name | Type, Usage Constraints, Defaults | Description |
|---|---|---|
| ParameterName | string; optional; default: SAMLResponse | Name of the <FORM> field that will contain the SAML response. |
| RenderTemplate | string; optional, basic | An HTML file containing a render template to be used instead of the standard Browser-POST auto-submit form. The HTML file should contain a NEVIS_SAML_FORM variable that will be replaced. |
DelegatePOST
The following additional parameters have to be configured when using DelegatePOST binding.
| Name | Type, Usage Constraints, Defaults | Description |
|---|---|---|
| ParameterName | string | Name of the <FORM> field that will contain the SAML response. |
| DelegatePOSTValidStatus | integer | HTTP status code used by the identity consumer (backend) to signal a successful authentication. |
| DelegatePOSTResendStatus | integer | HTTP status code used by the identity consumer (backend) to signal a re-authentication. The simulated browser post will then be sent again followed by the original request. |
Cookie
The following additional parameters have to be configured when using Cookie binding.
| Name | Type, Usage Constraints, Defaults | Description |
|---|---|---|
| CookieName | string | Name of the cookie which will contain the SAML response. |
| CookieDomain | string | Domain set in the cookie. Has to start with a dot (e.g. .adnovum.ch). |
| CookieHttpOnly | boolean; optional; default: true | Configures whether the "HttpOnly" attribute will be set on the cookie. |
| CookieSecure | boolean; optional; default: true | Configures whether the "Secure" attribute will be set on the cookie. |
| SourceIsBase64Encoded | boolean; default: false | Configures whether the SAML response received from the authentication service is already base64-encoded (no re-encoding needed then). |
Header
The following additional parameters have to be configured when using Header binding.
| Name | Type, Usage Constraints, Defaults | Description |
|---|---|---|
| HeaderName | string | Name of the HTTP header which will contain the SAML response. |
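The constraints in the tables above can be checked mechanically before a configuration is deployed. The following Python sketch is an added example, not part of the nevisProxy documentation or product. It assumes the filter is declared with servlet-style `init-param` entries, that booleans are written as `true`/`false`, and that binding parameters not marked optional are required. The sample definitions, the servlet name `Authenticate` and the cookie name `SamlToken` are constructed.

```python
import xml.etree.ElementTree as ET

# Binding-specific parameters not marked "optional" in the tables on this page.
BINDING_PARAMS = {
    "BrowserPOST": [],
    "DelegatePOST": ["ParameterName", "DelegatePOSTValidStatus", "DelegatePOSTResendStatus"],
    "Cookie": ["CookieName", "CookieDomain"],
    "Header": ["HeaderName"],
}
# Cookie attributes that default to true; switching them off weakens the cookie.
COOKIE_FLAGS = {
    "CookieSecure": "SAML response cookie may be sent over plain HTTP",
    "CookieHttpOnly": "SAML response cookie becomes readable by page scripts",
}

def lint_filter(xml_text):
    """Return findings for one <filter> element (assumed init-param layout)."""
    params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
              for p in ET.fromstring(xml_text).iter("init-param")}
    findings = [f"missing required parameter {n}"
                for n in ("AuthenticationServlet", "BindingType") if not params.get(n)]
    binding = params.get("BindingType")
    if binding and binding not in BINDING_PARAMS:
        findings.append(f"unknown BindingType {binding!r}")
    findings += [f"{binding} binding requires {n}"
                 for n in BINDING_PARAMS.get(binding, []) if n not in params]
    if binding == "Cookie":
        domain = params.get("CookieDomain", "")
        if domain and not domain.startswith("."):
            findings.append("CookieDomain must start with a dot")
        for flag, risk in COOKIE_FLAGS.items():
            if params.get(flag, "true").lower() == "false":
                findings.append(f"{flag}=false: {risk}")
    return findings

def make_filter(params):
    """Build a constructed sample filter definition from a dict of parameters."""
    body = "".join(f"<init-param><param-name>{k}</param-name>"
                   f"<param-value>{v}</param-value></init-param>" for k, v in params.items())
    return ("<filter><filter-class>ch::nevis::isiweb4::filter::saml::SAMLProviderFilter"
            f"</filter-class>{body}</filter>")

BASE = {"AuthenticationServlet": "Authenticate", "BindingType": "Cookie", "CookieName": "SamlToken"}
WEAK = make_filter({**BASE, "CookieDomain": "example.com", "CookieSecure": "false"})
HARDENED = make_filter({**BASE, "CookieDomain": ".example.com"})

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_filter(xml_text))
```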