Genero SAML configuration
Specify entries in the configuration file to configure the Genero SAML service provider.
Entry | Description |
---|---|
saml.entityID |
Defines the SAML entity name for the JGAS, which is how the JGAS is represented to other SAML partners. Mandatory.
Default is urn:genero . |
saml.allowUnsecure |
Defines whether the JGAS accepts unsecured authentication mechanisms. Default is false
(recommended).A SAML authentication mechanism is unsecured if communication between the Identity Provider (IdP) and the JGAS is not performed either over HTTPS or with XML encryption. To secure a SAML communication, use
HTTPS (via ISAPI or FastCGI) or use XML-Encryption by setting the
|
saml.wantAssertionsSigned |
Defines whether SAML assertion coming from Identity Providers (IdPs) must be signed. Be aware that there is no guarantee that setting this attribute will change
how the IdP returns its response. The configuration of the IdP may not be affected. Important:
After changing the attribute, you must recreate the circle of trust so the IdP takes the attribute into account. Default is Setting this attribute to
It is recommended to have either (or both)
saml.wantAssertionsSigned and saml.wantResponseSigned set to true,
to ensure the request was not altered.
This entry also adds the |
saml.wantResponseSigned |
Defines whether SAML requests coming from the Identity Providers (IdPs) must be signed. Be aware that there is no guarantee that setting this attribute will change
how the IdP returns its response. The configuration of the IdP may not be affected. Important:
Default is
After changing the attribute, you must recreate the circle of trust so the IdP takes the attribute into account. false . It is recommended to have either (or both)
saml.wantAssertionsSigned and saml.wantResponseSigned set to true,
to ensure the request was not altered.
This entry does not add any attribute to the SAML metadata. |
Assertion encryption
xml.saml_encryption.x509
: path to the X.509 certificatexml.saml_encryption.key
: path to the RSA private key
You can use the same X.509 certificate and RSA private key for signature, encryption, and metadata signature.
Authentication signature
xml.saml_signature.x509
: path to the X.509 certificatexml.saml_signature.key
: path to the RSA private key
You can use the same X.509 certificate and RSA private key for signature, encryption, and metadata signature.
Metadata signature
xml.saml_metadata_signature.x509
: path to the X.509 certificatexml.saml_metadata_signature.key
: path to the RSA private key
You can use the same X.509 certificate and RSA private key for signature, encryption, and metadata signature.
Certificate authority
xml.keystore.calist
: paths to the CA certificates, in order of preference, separated by semicolons. For instance, the list would contain the names of files like ca.crt, cert-signed-by-ca.crt, and so on. The certificate files should be located in the same directory as the SAML configuration file, or you must specify the relative or absolute path to them.