Federations Configuration

The Federation module is used to integrate Verify Identity Access with third party applications to provide or accept identity information. This module can be used for both: supplying third party applications with identity information (Verify Identity Access is the identity source); or accepting identity information (Verify Identity Access is the identity consumer).

Integration with third party applications is achieved via Identity standards, such as OIDC or SAML 2.0.

Example

attribute_sources:
- name: "SF_IDPEmail"
  type: "value"
  value: "user@verify-demoer-dev-ed.salesforce.com"
- name: "IDPEmail"
  type: "value"
  value: "user@verify.securitypoc.com"
- name: "ImmutableID"
  type: "value"
  value: "verifytestuser"
federations:
- name: "SP-SAML-QC"
  protocol: "SAML2_0"
  template_name: "QuickConnect"
  point_of_contact_url: "https://www.myidp.ibmsec/isva"
  provider_id: ""
  decrypt_keystore: "rt_profile_keys"
  decrypt_key_label: "server"
  signing_keystore: "rt_profile_keys"
  signing_key_label: "runtime"
  sso_service_binding: "redirect"
  partners:
  - name: "Salesforce"
    role: "sp"
    client_auth_method: "none"
    template_name: "Salesforce_JIT_Provisioning_Disabled"
    enabled: true
    acs:
      binding: "post"
      default: true
      index: 0
      url: "https://verify-demoer-dev-ed.my.salesforce.com"
    validate_authn_request: true
    validation:
      keystore: "rt_profile_keys"
      key_label: "Verify_19.crt"
    attribute_mapping:
      name: "IDP_Email"
      source: "3"
    active_delegate_id: "default-map"
    provider_id: "https://verify-demoer-dev-ed.my.salesforce.com"
    signature_validation: false
    mapping_rule: "mapping/rules/federations/adv_attribute_mapping.js"
  - name: "Microsoft Office 365"
    template_name: "Office_365"
    role: "sp"
    enabled: true
    acs:
      binding: "post"
      default: true
      index: "0"
      url: "https://login.microsoftonline.com/login.srf"
    validate_authn_request: false
    attribute_mapping:
    - name: "IDPEmail"
      source: "1"
    - name: "ImmutableID"
      source: "2"
    active_delegate_id: "default-map"
    provider_id: "urn:federation:MicrosoftOnline"
    signature_validation: false
    mapping_rule: "mapping/rules/federations/adv_attribute_mapping.js"
- name: "SP-SAML-CIC"
  role: "ip"
  protocol: "SAML2_0"
  provider_id: ""
  point_of_contact_url: "https://www.myidp.ibmsec/isva"
  template_name: ""
  company_name: "CIC"
  decrypt_keystore: "rt_profile_keys"
  decrypt_key_label: "runtime"
  signing_keystore: "rt_profile_keys"
  signing_key_label: "runtime"
  validate_authn_request: true
  sso_service_binding: "post"
  active_delegate_id: "skip-identity-map"
  need_consent_to_federate: false
  message_issuer_format: ""
  partners:
  - name: "securitypoc.ice.ibmcloud.com"
    role: "sp"
    enabled: true
    acs:
    - binding: "post"
      default: false
      index: "1"
      url: "https://securitypoc.ice.ibmcloud.com/saml/sps/saml20sp/saml20/login"
    - binding: "redirect"
      default: false
      index: "2"
      url: "https://securitypoc.ice.ibmcloud.com/saml/sps/saml20sp/saml20/login"
    single_logout_service:
    - binding: "post"
      url: "https://securitypoc.ice.ibmcloud.com/saml/sps/saml20sp/saml20/slo"
    - binding: "redirect"
      url: "https://securitypoc.ice.ibmcloud.com/saml/sps/saml20sp/saml20/slo"
    validate:
      authn_request: true
      logout_request: true
      logout_response: false
      keystore: "rt_profile_keys"
      key_label: "validation-encryption-1501211921641.cer"
    encryption:
      keystore: "rt_profile_keys"
      key_label: "validation-encryption-1501211921641.cer"
      block_encryption_algorithm: "AES-128"
      key_transport_algorithm: "RSA-OAEP"
    provider_id: "https://securitypoc.ice.ibmcloud.com/saml/sps/saml20sp/saml20"
    signature_algorithm: "RSA-SHA1"
    signature_digest_algorithm: "SHA1"
  reverse_proxy: "default-proxy"
- name: "OIDCRP-IBMid"
  protocol: "OIDCRP"
  redirect_uri_prefix: "https://login.ibm.com/oidc"
  response_types:
  - "code"
  active_delegate_id: "default-map"
  mapping_rule: "mapping/rules/federations/verify_ibm_id.js"
  advanced_configuration_active_delegate: "default-map"
  advanced_configuration_mapping_rule: "mapping/rules/federations/verify_ibm_id_adv.js"
  partners:
  - name: "IBMid-AuthorizationCode"
    enabled: true
    client_id: !secret default/isva-secrets:ibmid_client_id
    client_secret: !secret default/isva-secrets:ibmid_client_secret
    metadata_endpoint: "https://login.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
    scope:
    - "openid"
    token_endpoint_auth_method: "client_secret_post"
    signing_algorithm: "RS256"
  reverse_proxy: "default-proxy"

Point Of Contact

To configure Point of Contact profiles, see the entry in the Appliance or Container documentation.

Alias Service

The alias service stores and retrieves aliases that are related to a federated identity. Persistent name identifier format allows you to link a user at the identity provider with a user at the service provider. Verify Identity Access stores these account linkages in a high-volume database or an LDAP database.

class src.ibmvia_autoconf.federation.FED_Configurator.Alias_Service

Example:

alias_service:
  ldap_connection: "LocalLDAP"
  aliases:
  - username: "mary"
    federation_id: "https://mysp.com/isam/sps/samlsp/saml20"
    type: "partner"
    aliases:
    - "mary@ibm.com"
    - "mary@au.ibm.com"

class Alias
aliases: List[str]

An array of aliases to associate with the user.

federation: str

The federation this alias is for.

partner: str | None

Optionally, specify a partner as well as a federation.

type: str | None

The type of the aliases. Valid values are “self”, “partner”, or “old”. Defaults to “self”.

username: str

The user to associate aliases with.

aliases: List[Alias] | None

The SAML aliases to create.

db_type: str

The alias database type, “JDBC” or “LDAP”.

ldap_base_dn: str

The baseDN to search for the user entry.

ldap_connection: str

The LDAP server connection name.

Attribute Sources

To set Attribute sources, see the entry in the Appliance or Container documentation.

Access Policies

To set Access policy configuration, see the entry in the Appliance or Container documentation.

Security Token Service

class src.ibmvia_autoconf.federation.FED_Configurator.Security_Token_Service

Example:

sts:
  chain_templates:
  - name: "UsernameTokentoSAML20"
    description: "Maps from UsernameToken to SAML20"
    modules:
    - id: "Default UserNameToken"
      mode: "validate"
    - id: "Default Map Module"
      mode: "map"
    - id: "Default SAML 2.0 Token"
      mode: "issue"
  - name: "STSUUtoSTSUU"
    description: "STSUU to STSUU"
    modules:
    - id: "Default STSUU"
      mode: "validate"
    - id: "Default Map Module"
      mode: "map"
    - id: "Default STSUU"
      mode: "issue"
  chains:
  - name: "SAML20ToSAML20Chain"
    description: "Chain for saml20 to saml20"
    chain_template: "SAML20tpSAML20"
    request_type: "validate"
    applies_to:
      address: "http://appliesto/saml20"
    issuer:
      address: "http://issuer/saml20"
    sign_responses: false
    properties:
      myself:
      - name: "com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation"
        index: 0
        value:
        - "false"
      - name: "map.rule.reference.name"
        index: 1
        value:
        - "saml20_to_saml20"

class Chain
class Key_Identifier
include_certificate_data: bool | None

Whether to include the BASE64 encoded certificate data with your signature.

include_issuer_details: bool | None

Whether to include the issuer name and the certificate serial number with the signature.

include_public_key: bool | None

Whether to include the public key with the signature.

include_subject_key_identifier: bool | None

Whether to include the X.509 subject key identifier with the signature.

include_subject_name: bool | None

Whether to include the subject name with the signature.

key_alias: str

The label of the key.

key_store: str

The keystore name for the key.

class Name_Address
address: str

The URI of the company or enterprise.

port_type_name: str | None

The local part of a qualified name for a Web service port type.

port_type_namespace: str | None

The namespace URI part of a qualified name for a Web service port type.

service_name: str | None

The local part of a qualified name for a Web service.

service_namespace: str | None

The namespace URI part of a qualified name for a Web service.

class Properties
class AttributeMapping
class Item

The names of valid chain template properties differ for each chain template module. The final name of the property being set is determined by the index in the chain template (used to fetch the UUID prefix of the chain template module being configured) and the name of the property. For example, the properties:

index: 1
name: rule.type
value:
- "JAVASCRIPT"

would result in a property of:

{"name": "071dcbe-93e3-11ee-a5af-14755ba358db.rule.type", "value": ["JAVASCRIPT"]}
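The index-to-prefix resolution described above, as an added illustration (not the ibmvia_autoconf project's own code). The chain template, its module prefixes (placeholders standing in for the runtime-assigned UUIDs) and the property items are constructed sample data.

```python
from typing import Dict, List

# Constructed sample chain template, shaped like an entry under
# `chain_templates`. The `prefix` values are placeholders for the UUID
# prefixes the runtime assigns to each module instance.
CHAIN_TEMPLATE = {
    "name": "SAML20toSAML20",
    "modules": [
        {"id": "Default SAML 2.0 Token", "mode": "validate",
         "prefix": "MODULE-0-UUID-PLACEHOLDER"},
        {"id": "Default Map Module", "mode": "map",
         "prefix": "MODULE-1-UUID-PLACEHOLDER"},
        {"id": "Default SAML 2.0 Token", "mode": "issue",
         "prefix": "MODULE-2-UUID-PLACEHOLDER"},
    ],
}

# Constructed sample `properties.myself` items: the first two mirror the sts
# example above, the third is the rule.type item from the paragraph above.
ITEMS = [
    {"name": "com.tivoli.am.fim.sts.saml.2.0.assertion.replay.validation",
     "index": 0, "value": ["false"]},
    {"name": "map.rule.reference.name", "index": 1,
     "value": ["saml20_to_saml20"]},
    {"name": "rule.type", "index": "1", "value": ["JAVASCRIPT"]},
]


def item_errors(template: Dict, items: List[Dict]) -> List[str]:
    """Report items whose index or value the chain template cannot satisfy.

    A property addressed at a non-existent module, or at a module without a
    prefix, would otherwise be silently ignored by the runtime.
    """
    modules = template["modules"]
    errors = []
    for item in items:
        try:
            idx = int(item["index"])  # the schema types index as str
        except (KeyError, TypeError, ValueError):
            errors.append(f"{item.get('name')!r}: index is missing or not an integer")
            continue
        if not 0 <= idx < len(modules):
            errors.append(f"{item['name']!r}: index {idx} is outside template "
                          f"{template['name']!r} ({len(modules)} modules)")
        elif not modules[idx].get("prefix"):
            errors.append(f"{item['name']!r}: module {idx} has no prefix")
        value = item.get("value")
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            errors.append(f"{item['name']!r}: value must be a list of strings")
    return errors


def resolve_properties(template: Dict, items: List[Dict]) -> List[Dict]:
    """Expand each item to {"name": "<module prefix>.<name>", "value": [...]}.

    The index selects the module in the chain template; that module's prefix
    becomes the first segment of the final property name.
    """
    errors = item_errors(template, items)
    if errors:
        raise ValueError("; ".join(errors))
    modules = template["modules"]
    return [
        {"name": f"{modules[int(item['index'])]['prefix']}.{item['name']}",
         "value": list(item["value"])}
        for item in items
    ]


def properties_by_module(template: Dict, items: List[Dict]) -> Dict[str, Dict[str, List[str]]]:
    """Group the bare property names by module id and mode, so a reviewer
    can see which settings land on which module of the chain."""
    if item_errors(template, items):
        raise ValueError("invalid items; run item_errors() for details")
    modules = template["modules"]
    grouped: Dict[str, Dict[str, List[str]]] = {}
    for item in items:
        mod = modules[int(item["index"])]
        key = f"{mod['id']} ({mod['mode']})"
        grouped.setdefault(key, {})[item["name"]] = list(item["value"])
    return grouped


if __name__ == "__main__":
    for prop in resolve_properties(CHAIN_TEMPLATE, ITEMS):
        print(prop)
```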

index: str

The index in the chain template of the property being set.

name: str

The name of the configuration property.

value: List[str]

The values of the configuration property.

myself: List[Item] | None

The self properties for all modules within the STS Chain Template referenced in the STS Chain.

partner: List[Item] | None

The partner properties for all modules within the STS Chain Template referenced in the STS Chain.

applies_to: Name_Address | None

The scope of the token.

chain_template: str

The name of the STS Chain Template that is referenced by this STS Chain.

description: str

A description of the STS Chain.

issuer: Name_Address | None

The issuer of the token.

name: str

A friendly name for the STS Chain.

properties: Properties | None

The properties for all modules within the STS Chain Template referenced in the STS Chain.

request_type: str

The type of request to associate with this chain. The request is one of the types that are supported by the WS-Trust specification.

send_validation_confirmation: bool | None

Whether to send signature validation confirmation.

sign_responses: bool | None

Whether to sign the Trust Server SOAP response messages.

signature_key: Key_Identifier | None

The key to sign the Trust Server SOAP response messages.

token_type: str | None

The STS module type to map a request message to an STS Chain Template.

validate_requests: bool | None

Whether a signature is required on the received SOAP request message that contains the RequestSecurityToken message.

validation_key: Key_Identifier | None

The key to validate the received SOAP request message.

xpath: str | None

The custom lookup rule in XML Path Language to map a request message to an STS Chain Template.

class Chain_Template
class Item
id: str

The token id of an STS module.

mode: str

The mode the STS module is used in within the chain. Must be one of the supported modes of the STS module.

prefix: str | None

The prefix for the chain item.

description: str

A description of the STS Chain Template.

modules: List[Item]

An array of the modules that make up the STS Chain Template.

name: str

A friendly name for the STS Chain Template.

chain_templates: List[Chain_Template] | None

List of STS chain templates to create or update.

chains: List[Chain] | None

List of STS chains to create or update.

Federations

class src.ibmvia_autoconf.federation.FED_Configurator.Federations

Example:

federations:
- name: "saml20idp"
  protocol: "SAML2_0"
  role: "ip"
  export_metadata: "idpmetadata.xml"
  webseal:
    name: default
    runtime:
      username: easuser
      password: secret
      hostname: isva-idp-runtime
      port: 9443
    reuse_acls: true
    reuse_certs: true
  configuration:
    company_name: "IdP Company"
    point_of_contact_url: "https://www.myidp.ibm.com/isam"
    assertion_settings:
      valid_before: 300
      valid_after: 300
    need_consent_to_federate: false
    signature_settings:
      validation_options:
        validate_authn_request: true
      signing_options:
        sign_authn_response: true
        sign_logout_request: true
        sign_logout_response: true
        signing_key_identifier:
          store: "myidpkeys"
          label: "CN=idp,OU=Security,O=IBM,C=AU"
        key_info_elements:
          include_x509_certificate_data: true
          include_x509_subject_name: false
          include_x509_subject_key_identifier: false
          include_x509_issuer_details: false
          include_public_key: false
    identity_mapping:
      active_delegate_id: "default-map"
      properties:
        mapping_rule: "ip_saml20"
    extension_mapping:
      active_delegate_id: "skip-extension-map"
    name_id_format:
      default: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    single_sign_on_service:
    - binding: "post"
    - binding: "redirect"
    exclude_session_index_in_single_logout_request: false
    single_logout_service:
    - binding: "post"
    - binding: "redirect"
    encryption_settings:
      decryption_key_identifier:
        store: "myidpkeys"
        label: "CN=idp,OU=Security,O=IBM,C=AU"
    message_valid_time: 300
    session_timeout: 7200

class Federation
class OIDC_Relying_Party
advanced_configuration: Advanced_Configuration

The advanced configuration data.

attribute_mappings: Attribute_Mapping | None

The attribute mapping data.

identity_mapping: Identity_Mapping

The identity mapping data.

redirect_uri_prefix: str

The reverse proxy address to prepend to the redirect URI sent to the provider to communicate with this instance. An example is https://www.reverse.proxy.com/mga. For the value https://www.reverse.proxy.com/mga, the kickoff URI would be https://www.reverse.proxy.com/mga/sps/oidc/rp/<FEDERATION_NAME>/kickoff/<PARTNER_NAME> and the redirect URI https://www.reverse.proxy.com/mga/sps/oidc/rp/<FEDERATION_NAME>/redirect/<PARTNER_NAME>.

response_types: List[str]

List of response types which determine the flow to be executed. Valid values to be included are code, token, id_token. This selects the default flow to run when a metadata URL is specified in the partner configuration.

class OIDC_Relying_Party_Partner
advance_configuration: Advanced_Configuration | None

The advanced configuration data.

attribute_mappings: Attribute_Mapping | None

The attribute mapping data.

basic_configuration: Basic_Configuration

The basic configuration data.

client_id: str

The ID that identifies this client to the provider.

client_secret: str | None

The secret associated with the client ID. Do not include if creating a public client.

content_encryption_algorithm: str | None

The content encryption algorithm to use. Supported values are none, A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM.

decryption_key_label: str | None

When key management algorithm requires a certificate, the alias of the private key in the selected keystore to perform JWT decryption.

decryption_keystore: str | None

When key management algorithm requires a certificate, the keystore which contains the selected certificate to perform JWT decryption.

identity_mapping: Identity_Mapping | None

The identity mapping data.

jwks_endpoint_url: str | None

When signature algorithm requires a certificate, the JWK endpoint of the provider. If a metadata endpoint is specified in BasicConfigurationData, the JWK URL will be read from metadata information. Cannot be specified if using a signingKeyLabel.

key_management_algorithm: str | None

The key management algorithm to use. Supported values are none, dir, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, RSA1_5, RSA-OAEP and RSA-OAEP-256.

name: str

Name of the OIDC Relying Party partner.

perform_user_info: bool | None

A setting that specifies whether to perform user info request automatically whenever possible.

scope: List[str] | None

An array of strings that identify the scopes to request from the provider. Defaults to ["openid"].

signature_algorithm: str | None

The signing algorithm to use. Supported values are none, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512.

token_endpoint_auth_method: str

The token endpoint authentication method. Valid values are client_secret_basic and client_secret_post.

verification_key_label: str | None

When signature algorithm requires a certificate, the alias of the public key in the selected keystore to use in signature verification.

verification_keystore: str | None

When signature algorithm requires a certificate, the keystore which contains the selected certificate to perform the signing.
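A configuration check over the OIDC_Relying_Party_Partner fields above (valid algorithm and auth-method values, the jwks_endpoint_url / verification_key_label exclusivity, and the key material each algorithm needs), plus the kickoff and redirect URI derivation from the redirect_uri_prefix description. This is an added example, not ibmvia_autoconf's own validation; the partner dictionaries are constructed samples with placeholder credentials.

```python
from typing import Dict, List, Tuple

# Valid values as documented for the OIDC Relying Party partner fields.
SIGNATURE_ALGS = {"none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
                  "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
KEY_MGMT_ALGS = {"none", "dir", "A128KW", "A192KW", "A256KW", "A128GCMKW",
                 "A192GCMKW", "A256GCMKW", "ECDH-ES", "ECDH-ES+A128KW",
                 "ECDH-ES+A192KW", "ECDH-ES+A256KW", "RSA1_5", "RSA-OAEP",
                 "RSA-OAEP-256"}
CONTENT_ENC_ALGS = {"none", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
                    "A128GCM", "A192GCM", "A256GCM"}
AUTH_METHODS = {"client_secret_basic", "client_secret_post"}
# Algorithms that need a certificate/key from a keystore or a JWK endpoint.
ASYMMETRIC_SIG_ALGS = {a for a in SIGNATURE_ALGS if a[:2] in ("RS", "ES", "PS")}
CERT_KEY_MGMT_ALGS = {a for a in KEY_MGMT_ALGS if a.startswith(("RSA", "ECDH"))}


def lint_rp_partner(p: Dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one OIDC RP partner mapping."""
    errors, warnings = [], []
    sig = p.get("signature_algorithm")
    if sig is not None and sig not in SIGNATURE_ALGS:
        errors.append(f"signature_algorithm {sig!r} is not a supported value")
    if sig == "none":
        warnings.append("signature_algorithm 'none': tokens from this provider "
                        "will not be signature-checked")
    if sig in ASYMMETRIC_SIG_ALGS:
        if p.get("jwks_endpoint_url") and p.get("verification_key_label"):
            errors.append("jwks_endpoint_url cannot be combined with "
                          "verification_key_label")
        if not (p.get("jwks_endpoint_url") or p.get("metadata_endpoint")
                or p.get("verification_key_label")):
            errors.append(f"{sig} needs jwks_endpoint_url, metadata_endpoint "
                          "or verification_key_label")
        if p.get("verification_key_label") and not p.get("verification_keystore"):
            errors.append("verification_key_label requires verification_keystore")
    km = p.get("key_management_algorithm")
    if km is not None and km not in KEY_MGMT_ALGS:
        errors.append(f"key_management_algorithm {km!r} is not a supported value")
    if km in CERT_KEY_MGMT_ALGS and not (p.get("decryption_keystore")
                                        and p.get("decryption_key_label")):
        errors.append(f"{km} needs decryption_keystore and decryption_key_label")
    if km == "RSA1_5":
        warnings.append("RSA1_5 key transport is padding-oracle prone; "
                        "prefer RSA-OAEP-256")
    ce = p.get("content_encryption_algorithm")
    if ce is not None and ce not in CONTENT_ENC_ALGS:
        errors.append(f"content_encryption_algorithm {ce!r} is not a supported value")
    method = p.get("token_endpoint_auth_method")
    if method not in AUTH_METHODS:
        errors.append(f"token_endpoint_auth_method {method!r} must be one of "
                      f"{sorted(AUTH_METHODS)}")
    elif not p.get("client_secret"):
        errors.append(f"{method} requires client_secret")
    if not p.get("client_id"):
        errors.append("client_id is required")
    scope = p.get("scope")
    if scope is not None and "openid" not in scope:
        errors.append("scope must include 'openid' for an OpenID Connect flow")
    return errors, warnings


def rp_endpoints(redirect_uri_prefix: str, federation: str, partner: str) -> Dict[str, str]:
    """Kickoff and redirect URIs derived from redirect_uri_prefix as described
    for OIDC_Relying_Party; the redirect URI is the one to register with the
    provider."""
    base = f"{redirect_uri_prefix.rstrip('/')}/sps/oidc/rp/{federation}"
    return {"kickoff": f"{base}/kickoff/{partner}",
            "redirect": f"{base}/redirect/{partner}"}


# Constructed sample: a partner shaped like the IBMid example above, with a
# mistyped signing algorithm, and a corrected copy of it.
BAD_PARTNER = {
    "name": "IBMid-AuthorizationCode", "enabled": True,
    "client_id": "CLIENT_ID_PLACEHOLDER", "client_secret": "SECRET_PLACEHOLDER",
    "metadata_endpoint": "https://login.ibm.com/oidc/endpoint/default/.well-known/openid-configuration",
    "scope": ["openid"], "token_endpoint_auth_method": "client_secret_post",
    "signature_algorithm": "RS256i",
}
GOOD_PARTNER = dict(BAD_PARTNER, signature_algorithm="RS256")

if __name__ == "__main__":
    print(lint_rp_partner(BAD_PARTNER))
    print(rp_endpoints("https://www.reverse.proxy.com/mga", "OIDCRP-IBMid",
                       "IBMid-AuthorizationCode"))
```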

class Partner
metadata: str

Path to XML metadata file which contains the partner’s configuration properties.

name: str

Name of the federation partner to create.

class SAML20_Identity_Provider
access_policy: str | None

The access policy that should be applied during single sign-on.

alias_service_settings: Alias_Service_Settings | None

The alias service settings to store the user alias.

artifact_lifetime: int | None

The number of seconds that an artifact is valid. The default value is 120. This setting is enabled only when HTTP artifact binding has been enabled.

artifact_resolution_services: List[Artifact_Resolution_Service] | None

Endpoints where artifacts are exchanged for actual SAML messages. Required if artifact binding is enabled.

assertion_settings: Assertion_Settings | None

The assertion settings.

attribute_mappings: Attribute_Mapping | None

The attribute mapping data.

company_name: str

The name of the company that creates the identity provider or service provider.

encryption_settings: Encryption_Settings | None

The encryption and decryption configurations for SAML messages.

exclude_session_index_in_single_logout_request: bool | None

A setting that specifies whether the LogoutRequest messages sent out from this entity will exclude SessionIndex during IP init SLO flow. The default value is false.

extension_mapping: Extension_Mapping

The extension mapping data.

identity_mapping: Identity_Mapping

The identity mapping data.

manage_name_id_services: List[Service_Data] | None

Endpoints that accept SAML name ID management requests or responses.

message_issuer_format: str | None

The format of the issuer of SAML message. The default value is urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

message_issuer_name_qualifier: str | None

The name qualifier of the issuer of SAML messages.

message_valid_time: int | None

The number of seconds that a message is valid. The default value is 300.

name_id_format: Name_Id_Format | None

The name identifier format configurations.

need_consent_to_federate: bool | None

A setting that specifies whether to ask user’s consent before linking the account. The default value is true.

point_of_contact_url: str

The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is http[s]://hostname[:portnumber]/[junction]/sps.

provider_id: str | None

A unique identifier that identifies the provider to its partner provider. If not provided or an empty string is provided, the default value is <point of contact URL>/<federation name>/saml20.

session_timeout: int | None

The number of seconds that the SAML session remains valid. The default value is 7200.

signature_settings: Signature_Settings | None

The signing and validation configurations for SAML messages and assertions.

single_logout_service: List[Service_Data] | None

Endpoints that accept SAML logout requests or responses.

single_sign_on_service: List[Single_Sign_On_Service] | None

Endpoints at an Identity Provider that accept SAML authentication requests.

class SAML20_Identity_Provider_Partner
access_policy: str | None

The access policy that should be applied during single sign-on.

artifact_resolution_services: Artifact_Resolution_Service | None

Partner’s endpoints where artifacts are exchanged for actual SAML messages. Required if artifact binding is enabled.

assertion_consumer_services: List[Assertion_Consumer_Service]

Partner’s endpoints that receive SAML assertions.

assertion_settings: Assertion_Settings

The assertion settings.

attribute_mappings: Attribute_Mapping | None

The attribute mapping data.

encryption_settings: Encryption_Settings | None

The encryption and decryption configurations for SAML messages.

extension_mapping: Extension_Mapping

The extension mapping data.

identity_mapping: Identity_Mapping | None

The identity mapping data.

include_fed_id_in_alias_partner_id: bool | None

A setting that specifies whether to append federation ID to partner ID when mapping user aliases. The default value is false.

logout_request_lifetime: int | None

A setting that specifies Logout request lifetime in number of seconds. If not provided, the default value is 120.

manage_name_id_services: List[Service_Data] | None

Partner’s endpoints that accept SAML name ID management requests or responses.

name_id_format: Name_Id_Format | None

The name identifier format configurations.

provider_id: str

A unique identifier that identifies the partner.

signature_settings: Signature_Settings | None

The signing and validation configurations for SAML messages and assertions.

single_logout_service: Service_Data | None

Partner’s endpoints that accept SAML logout requests or responses.

soap_settings: SOAP_Settings | None

A setting that specifies the connection parameters for the SOAP endpoints.

class SAML20_Service_Provider
alias_service_settings: Alias_Service_Settings | None

The alias service settings to store the user alias.

artifact_lifetime: int | None

The number of seconds that an artifact is valid. The default value is 120. This setting is enabled only when HTTP artifact binding has been enabled.

artifact_resolution_services: List[Artifact_Resolution_Service]

Endpoints where artifacts are exchanged for actual SAML messages. Required if artifact binding is enabled.

assertion_consumer_services: List[Assertion_Consumer_Service]

Endpoints at a Service Provider that receive SAML assertions.

attribute_mappings: Attribute_Mapping | None

The attribute mapping data.

authn_req_mapping: Authn_Req_Mapping

The authentication request mapping data.

company_name: str

The name of the company that creates the identity provider or service provider.

encryption_settings: Encryption_Settings | None

The encryption and decryption configurations for SAML messages.

extension_mapping: Extension_Mapping

The extension mapping data.

identity_mapping: Identity_Mapping

The identity mapping data.

manage_name_id_services: List[Service_Data] | None

Endpoints that accept SAML name ID management requests or responses.

message_issuer_format: str | None

The format of the issuer of SAML message. The default value is urn:oasis:names:tc:SAML:2.0:nameid-format:entity.

message_issuer_name_qualifier: str | None

The name qualifier of the issuer of SAML messages.

message_valid_time: int | None

The number of seconds that a message is valid. The default value is 300.

name_id_format: Name_Id_Format | None

The name identifier format configurations.

point_of_contact_url: str

The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is http[s]://hostname[:portnumber]/[junction]/sps.

provider_id: str | None

A unique identifier that identifies the provider to its partner provider. If not provided or an empty string is provided, the default value is <point of contact URL>/<federation name>/saml20.

session_timeout: int | None

The number of seconds that the SAML session remains valid. The default value is 7200.

signature_settings: Signature_Settings | None

The signing and validation configurations for SAML messages and assertions.

single_logout_service: List[Service_Data] | None

Endpoints that accept SAML logout requests or responses.

class SAML20_Service_Provider_Partner
anonymous_user_name: str | None

This is a one-time name identifier that allows a user to access a service through an anonymous identity. The user name entered here is one that the service provider will recognize as a one-time name identifier for a legitimate user in the local user registry.

artifact_resolution_services: Artifact_Resolution_Service | None

Partner’s endpoints where artifacts are exchanged for actual SAML messages. Required if artifact binding is enabled.

assertion_settings: Assertion_Settings | None

The assertion settings.

attribute_mappings: Attribute_Mapping | None

The attribute mapping data.

authn_req_mapping: Authn_Req_Mapping

The authentication request mapping data.

default_target_url: str | None

Default URL where end-user will be redirected after the completion of single sign-on.

encryption_settings: Encryption_Settings | None

The encryption and decryption configurations for SAML messages.

extension_mapping: Extension_Mapping | None

The extension mapping data.

force_authn_to_federate: bool | None

A setting that specifies whether to force user to authenticate before linking the account.

identity_mapping: Identity_Mapping | None

The identity mapping data.

include_fed_id_in_alias_partner_id: bool | None

A setting that specifies whether to append federation ID to partner ID when mapping user aliases.

manage_name_id_services: List[Service_Data] | None

Partner’s endpoints that accept SAML name ID management requests or responses.

map_unknown_aliases: bool | None

A setting that specifies whether to map non-linked persistent name ID to one-time username.

name_id_format: Name_Id_Format | None

The name identifier format configurations.

provider_id: str

A unique identifier that identifies the partner.

signature_settings: Signature_Settings | None

The signing and validation configurations for SAML messages and assertions.

single_logout_service: List[Service_Data] | None

Partner’s endpoints that accept SAML logout requests or responses.

single_sign_on_service: List[Single_Sign_On_Service] | None

Partner’s endpoints that accept SAML authentication requests.

soap_settings: SOAP_Settings | None

A setting that specifies the connection parameters for the SOAP endpoints.

class WSFed_Identity_Provider
assertion_settings: Assertion_Settings | None

The assertion settings.

company_name: str | None

The name of the company that creates the identity provider or service provider.

identity_mapping: Identity_Mapping

The identity mapping data.

point_of_contact_url: str

The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is http[s]://hostname[:portnumber]/[junction]/sps.

class WSFed_Identity_Provider_Partner
attribute_types: List[str] | None

Specifies the types of attributes to include in the assertion. The default, an asterisk (*), includes all the attribute types that are specified in the identity mapping file.

endpoint: str

The endpoint of the WS-Federation partner.

identity_mapping: Identity_Mapping

The identity mapping data.

include_certificate_data: bool | None

Whether to include the BASE64 encoded certificate data with the signature. Defaults to true if not specified.

include_issuer_details: bool | None

Whether to include the issuer name and the certificate serial number with the signature. Defaults to false if not specified.

include_public_key: bool | None

Whether to include the public key with the signature. Defaults to false if not specified.

include_subject_key_identifier: bool | None

Whether to include the X.509 subject key identifier with the signature. Defaults to false if not specified.

include_subject_name: bool | None

Whether to include the subject name with the signature. Defaults to false if not specified.

max_request_lifetime: int

The amount of time that the request is valid (in milliseconds).

realm: str

The realm of the WS-Federation partner.

sign_saml_assertion: bool | None

Whether or not the assertion needs to be signed.

signature_algorithm: str | None

The signature algorithm to use for signing SAML assertions. Valid values include RSA-SHA1, RSA-SHA256 or RSA-SHA512. Only required if sign_saml_assertion is set to true.

signing_key_identifier: Key_Identifier | None

The certificate to use for signing the SAML assertions. Only required if sign_saml_assertion is set to true.

subject_confirmation_method: str | None

The subject confirmation method. Must be one of [No Subject Confirmation Method, urn:oasis:names:tc:SAML:1.0:cm:bearer, urn:oasis:names:tc:SAML:1.0:cm:holder-of-key or urn:oasis:names:tc:SAML:1.0:cm:sender-vouches].

use_inclusive_namespace: bool | None

Whether or not to use the InclusiveNamespaces construct. Defaults to true if not specified.

class WSFed_Service_Provider
company_name: str

The name of the company that creates the identity provider or service provider.

identity_mapping: Identity_Mapping

The identity mapping data.

point_of_contact_url: str

The endpoint URL of the point of contact server. The point of contact server is a reverse proxy server that is configured in front of the runtime listening interfaces. The format is http[s]://hostname[:portnumber]/[junction]/sps.

replay_validation: bool

Whether to enable one-time assertion use enforcement.

class WSFed_Service_provider_Partner
endpoint: str

The endpoint of the WS-Federation partner.

identity_mapping: Identity_Mapping

The identity mapping data.

key_alias: Key_Identifier | None

The keystore and certificate to use to validate the signature. Only required if verify_signatures is set to true and use_key_info is set to false.

key_info: str | None

The regular expression used to find the X509 certificate for signature validation. Only required if verify_signatures is set to true and use_key_info is set to true.

max_request_lifetime: int

The amount of time that the request is valid (in milliseconds).

realm: str

The realm of the WS-Federation partner.

use_key_info: bool | None

Whether to use the keyInfo of the XML signature to find the X509 certificate for signature validation (true) or the specified key_alias (false). Only required if verify_signatures is set to true.

verify_signatures: bool | None

Whether to enable signature validation. Defaults to false if not specified.

want_multiple_attribute_statements: bool

Whether to create multiple attribute statements in the Universal User.

class Webseal
reuse_acls: bool

A flag to indicate that any existing ACLs with the same name should be reused. If they are not reused, they will be replaced.

reuse_certs: bool

If the SSL certificate has already been saved, this flag indicates that the certificate should be reused instead of overwritten.

runtime: Runtime

Runtime server properties.

configuration: SAML20_Identity_Provider | SAML20_Service_Provider | OIDC_Relying_Party | WSFed_Identity_Provider | WSFed_Service_Provider

The protocol-specific configuration data. The contents of this JSON object will be different for each protocol.

export_metadata: str | None

Optional path of the file to write the Federation’s XML metadata to, e.g. ‘idpmetadata.xml’.

import_partners: List[Partner] | None

List of XML metadata documents which define partners for a configured Federation.

name: str

A meaningful name to identify this federation.

partners: SAML20_Identity_Provider_Partner | SAML20_Service_Provider_Partner | OIDC_Relying_Party_Partner | WSFed_Identity_Provider_Partner | None

List of federation partners to create for each federation.

protocol: str

The name of the protocol to be used in the federation. Valid values are SAML2_0 and OIDC10.

role: str

The role of a federation. Use ip for a SAML 2.0 identity provider federation, and sp for a SAML 2.0 service provider federation. Use op for an OpenID Connect Provider federation, and rp for an OpenID Connect Relying Party federation.

template_name: str | None

An identifier for the template on which to base this federation.

webseal: Webseal | None

Optional properties for the WebSEAL configuration wizard.

federations: List[Federation]

List of federations and associated partner properties.

class src.ibmvia_autoconf.federation.Federation_Common

Data structures which are shared between the different types of Federation protocols/roles.

class Advanced_Configuration
active_delegate_id: str

The active module instance. Valid values are skip-advance-map and default-map.

mapping_rule: str

A reference to an ID or name of an advanced configuration mapping rule.

rule_type: str

The type of the mapping rule. The only supported type currently is JAVASCRIPT.

class Alias_Service_Settings
db_type: str

A setting that specifies whether the user's alias is stored in jdbc or ldap.

ldap_base_dn: str

A setting that specifies the LDAP BaseDN to search for the user.

ldap_connection: str

A setting that specifies the LDAP Connection to store the alias.

class Artifact_Resolution_Service
binding: str

A setting that specifies the communication method used to transport the SAML messages. The valid value is soap.

default: bool | None

A setting that specifies whether it is the default endpoint. If not provided, the default value is false.

index: int | None

A reference to a particular endpoint. The default value is 0.

url: str | None

The URL of the endpoint. If not provided, the value is automatically generated from the point of contact URL.

class Assertion_Consumer_Service
binding: str

A setting that specifies the communication method used to transport the SAML messages. The valid values are artifact, post, and redirect.

default: bool

A setting that specifies whether it is the default endpoint.

index: int

A reference to a particular endpoint.

url: str

The URL of the endpoint.

class Assertion_Settings
attribute_types: List[str] | None

A setting that specifies the types of attributes to include in the assertion. An asterisk (*) indicates that all of the attribute types that are specified in the identity mapping file or by the custom mapping module will be included in the assertion. The default value is ["*"]. This configuration is applicable to an identity provider federation partner.

create_multiple_attribute_statements: bool | None

A setting that specifies whether to keep multiple attribute statements in the groups in which they were received. This option might be necessary if your custom identity mapping rules are written to operate on one or more specific groups of attribute statements.

session_not_on_or_after: int | None

The number of seconds after which the security context established for the principal should be discarded by the service provider. The default value is 3600. This configuration is applicable to an identity provider federation partner.

valid_after: int | None

The number of seconds the assertion is valid after being issued. This configuration is applicable to an identity provider federation. The default value is 60.

valid_before: int | None

The number of seconds before the issue date that an assertion is considered valid. This configuration is applicable to an identity provider federation. The default value is 60.

class Attribute_Mapping
name: str

Name of the source.

source: str

Attribute Source ID.

class Authn_Req_Mapping
active_delegate_id: str

The active mapping module instance. Valid values are skip-authn-request-map and default-map. If this is a partner the value federation-config is also valid.

mapping_rule: str

A reference to an ID or name of an authentication request mapping rule.

class Basic_Configuration
active_delegate_id: str

The active module instance. Valid values are noMetadata and metadataEndpointUrl.

authorization_endpoint_url: str | None

The /authorize endpoint URL of the provider. Only valid if active_delegate_id is noMetadata.

issuer_identifier: str | None

The issuer iss value of the provider. Only valid if active_delegate_id is noMetadata.

metadata_endpoint_url: str | None

The /metadata endpoint URL of the provider. Only valid if active_delegate_id is metadataEndpointUrl.

response_types: List[str] | None

List of response types, which determines which flow is executed. Valid values to be included are code, token and id_token. Only valid if active_delegate_id is noMetadata.

token_endpoint_url: str | None

The /token endpoint URL of the provider. Required if “code” response type is selected. Only valid if active_delegate_id is noMetadata.

user_info_endpoint_url: str | None

The /userinfo endpoint URL of the provider. Only valid if active_delegate_id is noMetadata.

class Encryption_Settings
class Key_Identifier
label: str

The certificate or key label.

store: str

The certificate database name.

block_algorithm: str | None

Block encryption algorithm used to encrypt and decrypt SAML message. Valid values are AES-128, AES-192, AES-256, and TRIPLEDES. If not provided, the default value is AES-128.

decryption_key_identifier: Key_Identifier | None

A public/private key pair that the federation partners can use to encrypt certain message content. The default value is null.

encrypt_assertion: bool

A setting that specifies whether to encrypt assertions.

encrypt_assertion_attributes: bool

A setting that specifies whether to encrypt assertion attributes.

encrypt_name_id: bool

A setting that specifies whether the name identifiers should be encrypted.

key_alias: str

The certificate or key label.

key_identifier: Key_Identifier | None

The certificate for encryption of outgoing SAML messages. If not provided, the default value is null.

key_store: str

The certificate database name.

key_transport_algorithm: str | None

Key transport algorithm used to encrypt and decrypt keys. Valid values are RSA-v1.5 and RSA-OAEP. If not provided, the default value is RSA-OAEP. If the supplied key_identifier corresponds to a network HSM device, the RSA-OAEP key transport is not allowed.

class Extension_Mapping
active_delegate_id: str

The active mapping module instance. Valid values are skip-extension-map and default-map. If this is a partner the value federation-config is also valid.

mapping_rule: str

A reference to an ID or name of an extension mapping rule.

class Identity_Mapping
class Custom_Mapping_Properties
applies_to: str

Refers to STS chain that consumes call-out response. Required if WSTRUST message_format is specified, invalid otherwise.

auth_type: str

Authentication method used when contacting the external service. Supported values are NONE, BASIC or CERTIFICATE.

basic_auth_password: str | None

Password for authentication to external service. Required if BASIC auth_type is specified, invalid otherwise.

basic_auth_username: str | None

Username for authentication to external service. Required if BASIC auth_type is specified, invalid otherwise.

client_key_alias: str | None

Alias of the key for HTTPS client authentication. Required if CERTIFICATE auth_type is specified, invalid otherwise.

client_key_store: str | None

Contains key for HTTPS client authentication. Required if CERTIFICATE auth_type is specified, invalid otherwise.

issuer_uri: str | None

Refers to STS chain that provides input for call-out request. Required if WSTRUST message_format is specified, invalid otherwise.

message_format: str

Message format of call-out request. Supported values are XML or WSTRUST.

ssl_key_store: str

SSL certificate trust store to use when validating SSL certificate of external service.

uri: str

Address of destination server to call out to.

class Default_Mapping_Properties
mapping_rule: str

A reference to an ID or name of a mapping rule.

rule_type: str

The type of the mapping rule. The only supported type currently is JAVASCRIPT.

active_delegate_id: str

The active mapping module instance. Valid values are skip-identity-map, default-map and default-http-custom-map.

properties: Default_Mapping_Properties | Custom_Mapping_Properties

The mapping module specific properties.

class Key_Identifier
label: str

The certificate or key label.

store: str

The certificate database name.

class Name_Id_Format
default: str | None

The name identifier format to use when the format attribute is not set, or is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. If provided, it takes precedence over the value that is configured for this partner’s federation. If not provided, the value that is configured for this partner’s federation is used.

supported: List[str] | None

The list of supported name identifier formats. The default value is [urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:transient, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified].

class Runtime
hostname: str

The hostname of the runtime.

password: str

The password used to authenticate with the runtime.

port: str

The port of the runtime. Must be the SSL port.

username: str

The username used to authenticate with the runtime.

class SOAP_Settings
class Client_Auth_Data
basic_auth_password: str | None

The basic authentication password.

basic_auth_username: str | None

The basic authentication username.

client_key_alias: str | None

The personal certificate label.

client_key_store: str | None

The certificate database name.

method: str

The authentication method. To enable the basic authentication method, enter ba. To enable the client certificate authentication, enter cert. To disable client authentication, enter none.

class Server_Certificate_Validation
label: str | None

The certificate label. If not provided, all certificates in the specified certificate database will be trusted.

store: str

The certificate database name.

client_auth_data: Client_Auth_Data

The client authentication data.

server_cert_validation: Server_Certificate_Validation

The server certificate validation data.

class Service_Data
binding: str

A setting that specifies the communication method used to transport the SAML messages. The valid values are artifact, post, redirect and soap.

url: str | None

The URL of the endpoint. Except for “soap” binding, the value is automatically generated from the point of contact URL and will not be updated by POST or PUT operation. For soap binding, if not provided, the value is automatically generated from the point of contact URL.

class Signature_Settings
class Key_Identifier
label: str

The certificate or key label.

store: str

The certificate database name.

class Key_Info_Elements
include_public_key: bool | None

A setting that specifies whether to include the public key in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

include_x509_certificate_data: bool | None

A setting that specifies whether to include the base64-encoded certificate data in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is true.

include_x509_issuer_details: bool | None

A setting that specifies whether to include the issuer name and the certificate serial number in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

include_x509_subject_key_identifier: bool | None

A setting that specifies whether to include the X.509 subject key identifier in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

include_x509_subject_name: bool | None

A setting that specifies whether to include the subject name in the KeyInfo element in the digital signature when signing a SAML message or assertion. The default value is false.

class Signing_Options
sign_artifact_request: bool | None

A setting that specifies whether to sign the artifact request. The default value is false.

sign_artifact_response: bool | None

A setting that specifies whether to sign the artifact response. The default value is false.

sign_assertion: bool | None

A setting that specifies whether to sign the assertion. The default value is false.

sign_authn_response: bool | None

A setting that specifies whether to sign the authentication responses. The default value is false.

sign_logout_request: bool | None

A setting that specifies whether to sign the logout request. The default value is false.

sign_logout_response: bool | None

A setting that specifies whether to sign the logout response. The default value is false.

sign_name_id_management_request: bool | None

A setting that specifies whether to sign the name ID management request. The default value is false.

sign_name_id_management_response: bool | None

A setting that specifies whether to sign the name ID management response. The default value is false.

class Validation_Options
validate_artifact_request: bool | None

A setting that specifies whether to validate the digital signature of an artifact request.

validate_artifact_response: bool | None

A setting that specifies whether to validate the digital signature of an artifact response.

validate_assertion: bool | None

A setting that specifies whether to validate the digital signature of an assertion. The default value is false.

validate_authn_request: bool | None

A setting that specifies whether to validate the digital signature of an authentication request. The default value is false.

validate_logout_request: bool | None

A setting that specifies whether to validate the digital signature of a logout request.

validate_logout_response: bool | None

A setting that specifies whether to validate the digital signature of a logout response.

validate_name_id_management_request: bool | None

A setting that specifies whether to validate the digital signature of a name ID management request.

validate_name_id_management_response: bool | None

A setting that specifies whether to validate the digital signature of a name ID management response.

digest_algorithm: str

The hash algorithm to apply to the transformed resources to validate their integrity. Valid values are SHA1, SHA256 and SHA512. If not provided, the default value matches the configured signature algorithm: SHA1 for RSA-SHA1, SHA256 for RSA-SHA256, and SHA512 for RSA-SHA512.

include_inclusive_namespaces: bool | None

A setting that specifies whether to include the InclusiveNamespaces element in the digital signature. If provided, it takes precedence over the value that is configured for this partner’s federation. If not provided, the value that is configured for this partner’s federation is used.

key_info_elements: Key_Info_Elements | None

The KeyInfo elements to include in the digital signature.

signature_algorithm: str

The signature algorithm to sign and validate SAML messages and assertions. Valid values are RSA-SHA1, RSA-SHA256, and RSA-SHA512. If not provided, the default value is RSA-SHA256.

signing_key_identifier: Key_Identifier | None

A public/private key pair for signing the SAML messages and the assertion. If not provided, the default value is null.

signing_options: Signing_Options | None

The signing options.

validation_key_identifier: Key_Identifier | None

The certificate to use to validate the signatures on the incoming SAML assertions and messages. The default value is null.

validation_options: Validation_Options | None

The validation options.
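A partner fragment that exercises the Encryption_Settings and Signature_Settings fields above with the stronger of the accepted values and with signing and validation switched on, since every Signing_Options and Validation_Options flag defaults to false. This is an added example, not configuration from the ibmvia_autoconf project; it assumes the YAML keys mirror the dataclass field names documented here, and the partner name, keystore names and key labels are placeholders.

```yaml
# Added example, not from the ibmvia_autoconf project. Assumes the YAML keys
# mirror the dataclass field names; names, stores and labels are placeholders.
partners:
- name: "ExamplePartner"
  encryption_settings:
    # TRIPLEDES and RSA-v1.5 are still accepted values; prefer AES-256 with
    # RSA-OAEP (the documented default, but not allowed if the key is on a
    # network HSM, in which case RSA-v1.5 is the only remaining option).
    block_algorithm: "AES-256"
    key_transport_algorithm: "RSA-OAEP"
    encrypt_assertion: true
    encrypt_assertion_attributes: true
    encrypt_name_id: true
    key_identifier:                  # partner certificate for outgoing messages
      store: "<partner-keystore>"    # placeholder
      label: "<partner-cert-label>"  # placeholder
    decryption_key_identifier:       # local key pair for incoming messages
      store: "<local-keystore>"      # placeholder
      label: "<local-key-label>"     # placeholder
  signature_settings:
    # RSA-SHA1 remains a valid value; keep the digest in the same family as
    # the signature algorithm (the documented default does this for you).
    signature_algorithm: "RSA-SHA256"
    digest_algorithm: "SHA256"
    include_inclusive_namespaces: true
    signing_key_identifier:
      store: "<local-keystore>"      # placeholder
      label: "<local-key-label>"     # placeholder
    validation_key_identifier:
      store: "<partner-keystore>"    # placeholder
      label: "<partner-cert-label>"  # placeholder
    key_info_elements:
      include_x509_certificate_data: true   # the only KeyInfo flag that defaults to true
    # Which flags matter depends on the federation role: an identity provider
    # signs assertions/responses and validates requests, a service provider
    # the reverse. All of them default to false when omitted.
    signing_options:
      sign_assertion: true
      sign_authn_response: true
      sign_logout_request: true
      sign_logout_response: true
    validation_options:
      validate_authn_request: true
      validate_assertion: true
      validate_logout_request: true
      validate_logout_response: true
```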

class Single_Sign_On_Service
binding: str

A setting that specifies the communication method used to transport the SAML messages. The valid values are artifact, post and redirect.

url: str

The URL of the endpoint.

Advanced Configuration Parameters

To set Advanced Configuration Properties, see the entry in the Appliance or Container documentation.

HTTP Template Files

To upload HTTP template files, see the entry in the Appliance or Container documentation.

JavaScript Mapping Rules

To upload JavaScript mapping rules, see the entry in the Appliance or Container documentation.

Server Connections

To configure third party Server Connections, see the entry in the Appliance or Container documentation.

Runtime Server Configuration

To set Runtime Server properties, see the entry in the Appliance or Container documentation.