keycloak-scim/securing_apps/topics/saml/java/general-config/sp_element.adoc


===== SP Element

Here is the explanation of the SP element attributes: 

[source,xml]
----

<SP entityID="sp"
    sslPolicy="ssl"
    nameIDPolicyFormat="format"
    forceAuthentication="true"
    isPassive="false"
    autodetectBearerOnly="false">
...
</SP>
----
entityID::
  This is the identifier for this client.
  The IdP needs this value to determine who the client is that is communicating with it. This setting is _REQUIRED_.

sslPolicy::
  This is the SSL policy the adapter will enforce.
  Valid values are: `ALL`, `EXTERNAL`, and `NONE`.
  For `ALL`, all requests must come in via HTTPS.
  For `EXTERNAL`, only non-private IP addresses must come over the wire via HTTPS.
  For `NONE`, no requests are required to come over via HTTPS.
  This setting is _OPTIONAL_. Default value is `EXTERNAL`.

nameIDPolicyFormat::
  SAML clients can request a specific NameID Subject format.
  Fill in this value if you want a specific format.
  It must be a standard SAML format identifier: `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
  This setting is _OPTIONAL_.
  By default, no special format is requested. 

forceAuthentication::
  SAML clients can request that a user is re-authenticated even if they are already logged in at the IdP.
  Set this to `true` to enable. This setting is _OPTIONAL_.
  Default value is `false`.

isPassive::
  SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IdP.
  Set this to `true` if you want this.
  Do not use together with `forceAuthentication` as they are opposite. This setting is _OPTIONAL_.
  Default value is `false`.

turnOffChangeSessionIdOnLogin::
  The session ID is changed by default on a successful login on some platforms to plug a security attack vector.
  Change this to `true` to disable this.  It is recommended you do not turn it off.
  Default value is `false`.

autodetectBearerOnly::
  This should be set to __true__ if your application serves both a web application and web services (e.g. SOAP or REST).
  It allows you to redirect unauthenticated users of the web application to the Keycloak login page,
  but send an HTTP `401` status code to unauthenticated SOAP or REST clients instead as they would not understand a redirect to the login page.
  Keycloak auto-detects SOAP or REST clients based on typical headers like `X-Requested-With`, `SOAPAction` or `Accept`.
  The default value is _false_.

logoutPage::
  This sets the page to display after logout. If the page is a full URL, such as `http://web.example.com/logout.html`,
  the user is redirected after logout to that page using the HTTP `302` status code. If a link without scheme part is specified,
  such as `/logout.jsp`, the page is displayed after logout, _regardless of whether it lies in a protected area according
  to `security-constraint` declarations in web.xml_, and the page is resolved relative to the deployment context root.
initial saml 2016-06-02 16:07:45 +00:00
			`===== SP Element`

WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`Here is the explanation of the SP element attributes:`
initial saml 2016-06-02 16:07:45 +00:00
			`[source,xml]`
			`----`

			`<SP entityID="sp"`
			`sslPolicy="ssl"`
			`nameIDPolicyFormat="format"`
			`forceAuthentication="true"`
KEYCLOAK-4980 SAML adapter should return 401 when unauthenticated Ajax client accesses 2017-06-06 14:50:33 +00:00			`isPassive="false"`
			`autodetectBearerOnly="false">`
initial saml 2016-06-02 16:07:45 +00:00			`...`
			`</SP>`
			`----`
			`entityID::`
			`This is the identifier for this client.`
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`The IdP needs this value to determine who the client is that is communicating with it. This setting is _REQUIRED_.`
initial saml 2016-06-02 16:07:45 +00:00
			`sslPolicy::`
			`This is the SSL policy the adapter will enforce.`
saml general config 2016-06-02 20:50:43 +00:00			Valid values are: `ALL`, `EXTERNAL`, and `NONE`.
			For `ALL`, all requests must come in via HTTPS.
			For `EXTERNAL`, only non-private IP addresses must come over the wire via HTTPS.
			For `NONE`, no requests are required to come over via HTTPS.
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			This setting is _OPTIONAL_. Default value is `EXTERNAL`.
initial saml 2016-06-02 16:07:45 +00:00
			`nameIDPolicyFormat::`
			`SAML clients can request a specific NameID Subject format.`
			`Fill in this value if you want a specific format.`
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			It must be a standard SAML format identifier: `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:02:09 +00:00			`This setting is _OPTIONAL_.`
initial saml 2016-06-02 16:07:45 +00:00			`By default, no special format is requested.`

			`forceAuthentication::`
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`SAML clients can request that a user is re-authenticated even if they are already logged in at the IdP.`
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:03:57 +00:00			Set this to `true` to enable. This setting is _OPTIONAL_.
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:01:17 +00:00			Default value is `false`.
initial saml 2016-06-02 16:07:45 +00:00
			`isPassive::`
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`SAML clients can request that a user is never asked to authenticate even if they are not logged in at the IdP.`
initial saml 2016-06-02 16:07:45 +00:00			Set this to `true` if you want this.
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:02:09 +00:00			Do not use together with `forceAuthentication` as they are opposite. This setting is _OPTIONAL_.
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:01:17 +00:00			Default value is `false`.
initial saml 2016-06-02 16:07:45 +00:00
			`turnOffChangeSessionIdOnLogin::`
WIP: mod_auth_mellon edits 2017-02-03 22:14:17 +00:00			`The session ID is changed by default on a successful login on some platforms to plug a security attack vector.`
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:04:44 +00:00			Change this to `true` to disable this. It is recommended you do not turn it off.
Update topics/saml/java/general-config/sp_element.adoc 2016-06-10 11:01:17 +00:00			Default value is `false`.
initial saml 2016-06-02 16:07:45 +00:00
KEYCLOAK-4980 SAML adapter should return 401 when unauthenticated Ajax client accesses 2017-06-06 14:50:33 +00:00			`autodetectBearerOnly::`
			`This should be set to __true__ if your application serves both a web application and web services (e.g. SOAP or REST).`
			`It allows you to redirect unauthenticated users of the web application to the Keycloak login page,`
			but send an HTTP `401` status code to unauthenticated SOAP or REST clients instead as they would not understand a redirect to the login page.
			Keycloak auto-detects SOAP or REST clients based on typical headers like `X-Requested-With`, `SOAPAction` or `Accept`.
			`The default value is _false_.`
KEYCLOAK-7094 Support redirect to external logout page 2018-05-30 20:30:34 +00:00
			`logoutPage::`
			This sets the page to display after logout. If the page is a full URL, such as `http://web.example.com/logout.html`,
			the user is redirected after logout to that page using the HTTP `302` status code. If a link without scheme part is specified,
			such as `/logout.jsp`, the page is displayed after logout, _regardless of whether it lies in a protected area according
			to `security-constraint` declarations in web.xml_, and the page is resolved relative to the deployment context root.