keycloak-scim/securing_apps/topics/saml/java/general-config/sp_element.adoc

52 lines
1.8 KiB
Text
Raw Normal View History

2016-06-02 16:07:45 +00:00
===== SP Element
2017-02-03 22:14:17 +00:00
Here is the explanation of the SP element attributes:
2016-06-02 16:07:45 +00:00
[source,xml]
----
<SP entityID="sp"
sslPolicy="ssl"
nameIDPolicyFormat="format"
forceAuthentication="true"
isPassive="false">
...
</SP>
----
entityID::
This is the identifier for this client.
2017-02-03 22:14:17 +00:00
The IdP needs this value to determine who the client is that is communicating with it. This setting is _REQUIRED_.
2016-06-02 16:07:45 +00:00
sslPolicy::
This is the SSL policy the adapter will enforce.
2016-06-02 20:50:43 +00:00
Valid values are: `ALL`, `EXTERNAL`, and `NONE`.
For `ALL`, all requests must come in via HTTPS.
For `EXTERNAL`, only non-private IP addresses must come over the wire via HTTPS.
For `NONE`, no requests are required to come over via HTTPS.
2017-02-03 22:14:17 +00:00
This setting is _OPTIONAL_. Default value is `EXTERNAL`.
2016-06-02 16:07:45 +00:00
nameIDPolicyFormat::
SAML clients can request a specific NameID Subject format.
Fill in this value if you want a specific format.
2017-02-03 22:14:17 +00:00
It must be a standard SAML format identifier: `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
This setting is _OPTIONAL_.
2016-06-02 16:07:45 +00:00
By default, no special format is requested.
forceAuthentication::
2017-02-03 22:14:17 +00:00
SAML clients can request that a user is re-authenticated even if they are already logged in at the IdP.
Set this to `true` to enable. This setting is _OPTIONAL_.
Default value is `false`.
2016-06-02 16:07:45 +00:00
isPassive::
2017-02-03 22:14:17 +00:00
SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IdP.
2016-06-02 16:07:45 +00:00
Set this to `true` if you want this.
Do not use together with `forceAuthentication` as they are opposite. This setting is _OPTIONAL_.
Default value is `false`.
2016-06-02 16:07:45 +00:00
turnOffChangeSessionIdOnLogin::
2017-02-03 22:14:17 +00:00
The session ID is changed by default on a successful login on some platforms to plug a security attack vector.
Change this to `true` to disable this. It is recommended you do not turn it off.
Default value is `false`.
2016-06-02 16:07:45 +00:00