85 lines
3.2 KiB
YAML
85 lines
3.2 KiB
YAML
key: saml
|
|
title: SAML 2.0
|
|
description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
|
|
author: requarks.io
|
|
logo: https://static.requarks.io/logo/saml.svg
|
|
color: red darken-3
|
|
website: https://wiki.oasis-open.org/security/FrontPage
|
|
useForm: false
|
|
props:
|
|
entryPoint:
|
|
type: String
|
|
title: Entry Point
|
|
hint: Identity provider entrypoint (URL)
|
|
issuer:
|
|
type: String
|
|
title: Issuer
|
|
hint: Issuer string to supply to Identity Provider
|
|
audience:
|
|
type: String
|
|
title: Audience
|
|
hint: Expected SAML response Audience (if not provided, Audience won't be verified)
|
|
cert:
|
|
type: String
|
|
title: Certificate
|
|
hint: Public PEM-encoded X.509 signing certificate contents in base64 (e.g. 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='). If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
|
|
privateCert:
|
|
type: String
|
|
title: Private Certificate
|
|
hint: PEM formatted key used to sign the certificate.
|
|
decryptionPvk:
|
|
type: String
|
|
title: Decryption Private Key
|
|
hint: (optional) Private key that will be used to attempt to decrypt any encrypted assertions that are received.
|
|
signatureAlgorithm:
|
|
type: String
|
|
title: Signature Algorithm
|
|
hint: Signature algorithm used for signing requests
|
|
default: sha1
|
|
enum:
|
|
- sha1
|
|
- sha256
|
|
- sha512
|
|
identifierFormat:
|
|
type: String
|
|
title: Name Identifier format
|
|
default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
|
|
acceptedClockSkewMs:
|
|
type: Number
|
|
title: Accepted Clock Skew Milleseconds
|
|
hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
|
|
default: 0
|
|
disableRequestedAuthnContext:
|
|
type: Boolean
|
|
title: Disable Requested Auth Context
|
|
hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
|
|
default: false
|
|
authnContext:
|
|
type: String
|
|
title: Auth Context
|
|
hint: Name identifier format to request auth context.
|
|
default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
|
|
forceAuthn:
|
|
type: Boolean
|
|
title: Force Initial Re-authentication
|
|
hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
|
|
default: false
|
|
providerName:
|
|
type: String
|
|
title: Provider Name
|
|
hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
|
|
default: wiki.js
|
|
skipRequestCompression:
|
|
type: Boolean
|
|
title: Skip Request Compression
|
|
hint: If enabled, the SAML request from the service provider won't be compressed.
|
|
default: false
|
|
authnRequestBinding:
|
|
type: String
|
|
title: Request Binding
|
|
hint: Binding used for request authentication from IDP.
|
|
default: 'HTTP-Redirect'
|
|
enum:
|
|
- HTTP-Redirect
|
|
- HTTP-POST
|