wikijs-fork/server/modules/authentication/saml/definition.yml


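# Authentication strategy definition for SAML 2.0.
# The top-level keys describe the strategy itself; every entry under `props`
# is one admin-configurable setting (`type`, `title`, `hint`, `default`,
# optional `enum`). `order`, `maxWidth` and `multiline` look like layout hints
# for the settings form — confirm against the consumer before relying on them.
key: saml
title: SAML 2.0
description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
author: requarks.io
logo: https://static.requarks.io/logo/saml.svg
color: red darken-3
website: https://wiki.oasis-open.org/security/FrontPage
isAvailable: true
useForm: false
props:
  # --- Identity provider endpoint and trust material -------------------------
  entryPoint:
    type: String
    title: Entry Point
    hint: Identity provider entrypoint (URL)
    order: 1
  issuer:
    type: String
    title: Issuer
    hint: Issuer string to supply to Identity Provider
    order: 2
  audience:
    type: String
    title: Audience
    # Security: per the hint, an empty value skips Audience verification, so an
    # assertion issued for a different service provider would not be rejected
    # on that ground. Set it (typically to this SP's issuer value) in production.
    hint: Expected SAML response Audience (if not provided, audience won't be verified)
    order: 3
  cert:
    type: String
    title: Certificate
    # Public IdP certificate(s) used to validate IdP signatures; several valid
    # certificates are joined with the '|' character, as the hint describes.
    hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
    multiline: true
    order: 4
  privateKey:
    type: String
    title: Private Key
    # This key signs the requests this service provider sends (see
    # signatureAlgorithm below); it does not "sign the certificate".
    hint: PEM-formatted private key used to sign SAML requests sent to the Identity Provider.
    multiline: true
    order: 5
  decryptionPvk:
    type: String
    title: Decryption Private Key
    hint: (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received.
    multiline: true
    order: 6

  # --- Signing algorithms ----------------------------------------------------
  # NOTE(review): sha1 is kept as the default for compatibility with existing
  # deployments. SHA-1 is deprecated for XML signatures; prefer sha256 (or
  # sha512) for new deployments when the IdP accepts it.
  signatureAlgorithm:
    type: String
    title: Signature Algorithm
    hint: Signature algorithm used for signing requests
    maxWidth: 400
    order: 7
    default: sha1
    enum:
      - sha1
      - sha256
      - sha512
  digestAlgorithm:
    type: String
    title: Digest Algorithm
    hint: Digest algorithm used to provide a digest for the signed data object
    maxWidth: 400
    order: 8
    default: sha1
    enum:
      - sha1
      - sha256
      - sha512

  # --- Assertion and request options -----------------------------------------
  identifierFormat:
    type: String
    title: Name Identifier format
    default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    order: 20
  wantAssertionsSigned:
    type: Boolean
    title: Always sign assertions
    # Only affects the published metadata, per the hint. Whether unsigned
    # assertions are rejected at validation time depends on the consumer —
    # confirm before treating this flag as an enforcement control.
    hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
    default: false
    order: 21
  acceptedClockSkewMs:
    type: Number
    title: Accepted Clock Skew Milliseconds
    # Security: -1 disables the NotBefore / NotOnOrAfter window checks entirely,
    # which effectively lets expired assertions be accepted. Keep 0 or a small
    # positive tolerance; fix clock drift rather than disabling the check.
    hint: Time in milliseconds of skew that is acceptable between client and server when checking NotBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
    default: 0
    order: 22
  disableRequestedAuthnContext:
    type: Boolean
    title: Disable Requested Auth Context
    hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
    default: false
    order: 23
  authnContext:
    type: String
    title: Auth Context
    hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol.
    # Quoted for consistency with identifierFormat (URN containing ':').
    default: 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    order: 24
  racComparison:
    type: String
    title: RAC Comparison Type
    hint: Requested Authentication Context comparison type.
    maxWidth: 400
    order: 25
    default: exact
    enum:
      - exact
      - minimum
      - maximum
      - better
  forceAuthn:
    type: Boolean
    title: Force Initial Re-authentication
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
    default: false
    order: 26
  passive:
    type: Boolean
    title: Passive
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
    default: false
    order: 27
  providerName:
    type: String
    title: Provider Name
    hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
    default: wiki.js
    order: 28
  skipRequestCompression:
    type: Boolean
    title: Skip Request Compression
    hint: If enabled, the SAML request from the service provider won't be compressed.
    default: false
    order: 29
  authnRequestBinding:
    type: String
    title: Request Binding
    hint: Binding used for request authentication from IDP.
    maxWidth: 400
    order: 30
    default: 'HTTP-POST'
    enum:
      - HTTP-Redirect
      - HTTP-POST

  # --- Attribute mappings ----------------------------------------------------
  # Each default is a claim URI; a plain attribute name is also accepted per
  # the hints. mappingUID is the identity key — map it to a stable, unique
  # attribute the IdP controls, not to a user-editable one.
  mappingUID:
    title: Unique ID Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
    order: 40
  mappingEmail:
    title: Email Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    hint: The field storing the user email. Can be a variable name or a URI-formatted string.
    order: 41
  mappingDisplayName:
    title: Display Name Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    hint: The field storing the user display name. Can be a variable name or a URI-formatted string.
    order: 42
  mappingPicture:
    title: Avatar Picture Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
    hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
    order: 43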