...
- By default, if no value is set, the AuthnContext element of the AuthnStatement will not contain an AuthnContextClassRef element.
- OpenID Connect Authentication Context Class Reference
Defines the OpenID Connect Authentication Context Class Reference value of this authentication method. This field is optional. It is used in OpenID Connect protocol messages to refer to a group of authentication methods that share similar properties; the value is not unique to each authentication method, and the same value may be assigned to many similar methods. It sets the value of the acr claim in the ID Token and in the UserInfo response.
This value is also used to determine which methods satisfy the acr_values parameter of an incoming authorization request, and therefore which method or methods will be offered to the user for login.
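As an added example (illustrative code, not Ubisecure's own implementation), the following Python resolves an incoming acr_values parameter against a constructed method configuration in which several methods share one Authentication Context Class Reference. The method names and acr URIs are made up for the example; the rule that acr_values is a space-separated list in order of preference comes from OpenID Connect Core 3.1.2.1, and the decision to offer no method at all when nothing matches (rather than silently falling back to a weaker method) is an assumption.

```python
# Added example, not Ubisecure's implementation. Method names and acr URIs
# below are constructed for illustration.

# Constructed configuration: method name -> configured Authentication Context
# Class Reference (None = field left empty). Several methods share one value.
METHOD_ACR = {
    "password.1": "urn:example:acr:password",
    "password.2": "urn:example:acr:password",
    "otp.sms": "urn:example:acr:mfa",
    "smartcard.1": "urn:example:acr:mfa",
    "social.1": None,
}


def select_methods(method_acr, acr_values):
    """Return (acr, methods) for an incoming authorization request.

    acr_values is the request parameter: a space-separated list of ACR
    values in order of preference (OpenID Connect Core 3.1.2.1). The first
    requested value that at least one configured method satisfies wins, and
    every method configured with that value is offered for login.

    Without acr_values every method is available and no acr is pinned.
    If no requested value matches, nothing is offered; the caller decides
    how to reject the request (assumption: no silent fallback to a weaker
    method, since the RP asked for a specific assurance level).
    """
    if not acr_values or not acr_values.split():
        return None, sorted(method_acr)
    for wanted in acr_values.split():
        matching = sorted(m for m, acr in method_acr.items() if acr == wanted)
        if matching:
            return wanted, matching
    return None, []


def acr_claim(method_acr, method):
    """acr claim to place in the ID Token and UserInfo response after a login
    completed with `method`; None means the claim is omitted (field empty)."""
    return method_acr[method]


if __name__ == "__main__":
    # RP prefers MFA but accepts password: MFA methods win.
    print(select_methods(METHOD_ACR, "urn:example:acr:mfa urn:example:acr:password"))
    # Only an unknown value requested: nothing satisfies it.
    print(select_methods(METHOD_ACR, "urn:example:acr:hardware-key"))
```

Because acr is compared as an exact string, the value configured on each method must match what relying parties send byte for byte; a typo in the configured value silently removes that method from every acr_values-constrained login.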
- Format
Set or assert the value of the Format attribute of the NameID element in SAML messages.
- set formatname → Sets the value to formatname.
- assert formatname → Asserts that the value is formatname; if it is not, the authentication is denied.
- any → For internal methods, use the default value. For external/proxy methods, use the value in the received NameID/username. (Default when Format is empty.)
- unspecified - The interpretation of the content of the element is left to individual implementations.
- transient - Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party.
- persistent - Indicates that the content of the element is a persistent opaque identifier for a principal that is specific to an identity provider and a service provider or affiliation of service providers.
- emailAddress - Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as defined in IETF RFC 2822 Section 3.4.1. An addr-spec has the form local-part@domain. Note that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by "<" and ">".
- X509SubjectName - Indicates that the content of the element is in the form specified for the contents of the <ds:X509SubjectName> element in the XML Signature Recommendation. Implementors should note that the XML Signature specification specifies encoding rules for X.509 subject names that differ from the rules given in IETF RFC 2253.
- WindowsDomainQualifiedName - Indicates that the content of the element is a Windows domain qualified name. A Windows domain qualified user name is a string of the form "DomainName\UserName". The domain name and "\" separator MAY be omitted.
- encrypted - The special Format value urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted indicates that the resulting assertion(s) MUST contain <EncryptedID> elements instead of plaintext. The underlying name identifier's unencrypted form can be of any type supported by the identity provider for the requested subject. See SAML Core 3.4.1.1.
- kerberos - Indicates that the content of the element is in the form of a Kerberos principal name using the format name[/instance]@REALM. The syntax, format and characters allowed for the name, instance, and realm are described in IETF RFC 1510.
- entity - Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile).
Note that using this feature to set the Format attribute of the NameID does not assert that the NameID content conforms to the specifications explained above. For example, the format of a NameID containing an email address as its content can be set to X509SubjectName here, even though the content does not conform to the X509SubjectName specification. Only the assert form rejects a non-matching value; set is an unconditional relabel.
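The set / assert / any policy above, as an added Python example that is not Ubisecure's own code. The policy grammar follows the page; the short-name to URI mapping uses the identifiers defined in SAML Core 2.0 section 8.3. Accepting a full URI in place of a short name, treating the internal default as the unspecified format, and checking an assert policy on an internal method against that default are assumptions made for the example. The sample NameID is constructed.

```python
# Added example, not Ubisecure's implementation. The policy grammar
# ("set X" / "assert X" / "any") follows the page; accepting both the short
# names listed above and full URIs is an assumption, as is the behaviour of
# "assert" for internal methods (checked against the internal default).
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted SAML

# Short names from the page mapped to the URIs defined in SAML Core 2.0, section 8.3.
NAMEID_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "emailAddress": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509SubjectName": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "WindowsDomainQualifiedName": "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "kerberos": "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "entity": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "encrypted": "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
}
INTERNAL_DEFAULT = NAMEID_FORMATS["unspecified"]  # assumed default for internal methods


class AuthenticationDenied(Exception):
    """Raised when an 'assert formatname' policy is not met."""


def _uri(formatname):
    """Resolve a short name or a full nameid-format URI (assumption: both accepted)."""
    if formatname in NAMEID_FORMATS:
        return NAMEID_FORMATS[formatname]
    if formatname.startswith("urn:oasis:names:tc:SAML:"):
        return formatname
    raise ValueError("unknown NameID format: %r" % formatname)


def resolve_format(policy, received_format, external):
    """Format attribute to emit on the outgoing NameID.

    policy          : "", "any", "set <formatname>" or "assert <formatname>"
    received_format : Format attribute of the NameID received by an
                      external/proxy method (None if absent)
    external        : True for external/proxy methods, False for internal ones
    """
    # Value the method would use on its own: passthrough for proxy methods,
    # the internal default otherwise.
    current = received_format if (external and received_format) else INTERNAL_DEFAULT
    words = policy.split()
    if not words or words == ["any"]:
        return current
    if len(words) != 2 or words[0] not in ("set", "assert"):
        raise ValueError("malformed Format policy: %r" % policy)
    verb, wanted = words[0], _uri(words[1])
    if verb == "set":
        # Unconditional override. This does NOT validate that the NameID
        # content actually conforms to the chosen format.
        return wanted
    # assert: exact, case-sensitive URI comparison; a mismatch denies authentication.
    if current != wanted:
        raise AuthenticationDenied("NameID Format %r does not match required %r" % (current, wanted))
    return wanted


def apply_format_policy(nameid_xml, policy, external=True):
    """Parse a <saml:NameID>, apply the policy and return (Format, content)."""
    el = ET.fromstring(nameid_xml)
    el.set("Format", resolve_format(policy, el.get("Format"), external))
    return el.get("Format"), el.text


# Constructed NameID as received from an upstream IdP by a proxy method.
SAMPLE_NAMEID = (
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.com</saml:NameID>"
)
```

Running apply_format_policy(SAMPLE_NAMEID, "set X509SubjectName") relabels the NameID as X509SubjectName while the content stays an email address, which is exactly the mismatch the note above warns about; "assert persistent" on the same input raises AuthenticationDenied.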
- NameQualifier
Set or assert the value of the NameQualifier attribute in SAML message NameID elements.
...
Figure 6: Configuring SPI Password authentication method
- Password encoding
Defines the name of the one-way hashing algorithm used to store user passwords in the Directory Service used by the Password authentication method (for example Ubisecure Directory).
- Supported values: {SSHA512}, {SHA512}, {SSHA384}, {SHA384}, {SSHA256}, {SHA256}, {SSHA}, {SHA}, {PKCS5S2}, {PBKDF2}, {MD4}, {PLAIN}
- An empty value means that the default password encoding of the Directory Service is used. For example, for SQL it is {SSHA} and for Ubisecure Directory it is {SSHA}. Please consult the specific Directory Integration guide for the default password encoding.
- For Active Directory integrations, the password storage configuration of the Active Directory instance itself is used and the value set here is ignored.
- {PLAIN}, {MD4} and the unsalted {SHA*} values are legacy options: every user with the same password gets the same stored value, and precomputed-hash attacks work against them. Prefer a salted or iterated scheme such as {SSHA512}, {PBKDF2} or {PKCS5S2} for new deployments.
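To make the difference between the salted and unsalted values concrete, here is an added Python example (not Ubisecure's code) that encodes and verifies passwords in the {SHA*} and {SSHA*} schemes. It assumes the RFC 2307 / OpenLDAP convention for these tags, namely "{SCHEME}" followed by base64(digest || salt) with an empty salt for the unsalted schemes; whether Ubisecure Directory stores them identically is not stated on this page. {PBKDF2}, {PKCS5S2}, {MD4} and {PLAIN} use product-specific layouts and are deliberately left out.

```python
# Added example, not Ubisecure's implementation. Assumes the RFC 2307 /
# OpenLDAP layout for {SHA*} and {SSHA*}: "{SCHEME}" + base64(digest || salt),
# with an empty salt for the unsalted schemes.
import base64
import hashlib
import hmac
import os

_DIGESTS = {"SHA": "sha1", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"}


def _scheme(tag):
    """'{SSHA512}' -> ('sha512', True); '{SHA}' -> ('sha1', False)."""
    name = tag.strip("{}").upper()
    salted = name.startswith("SSHA")
    try:
        return _DIGESTS[name[1:] if salted else name], salted
    except KeyError:
        raise ValueError("unsupported password encoding: %s" % tag) from None


def encode_password(password, scheme="{SSHA512}", salt=None):
    """Hash a password for storage under the given scheme.

    A fresh 16-byte random salt is generated for salted schemes. Unsalted
    schemes always yield the same string for the same password, which is
    why they are unsuitable for new deployments.
    """
    algo, salted = _scheme(scheme)
    if salt is None:
        salt = os.urandom(16) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.strip("{}").upper(), base64.b64encode(digest + salt).decode("ascii"))


def verify_password(password, stored):
    """Constant-time check of a password against a stored value."""
    end = stored.index("}") + 1
    algo, _ = _scheme(stored[:end])
    raw = base64.b64decode(stored[end:])
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # salt is empty for unsalted schemes
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    for scheme in ("{SHA}", "{SSHA}", "{SSHA512}"):
        # {SHA} prints the same value on every run; the {SSHA*} values differ.
        print(scheme, encode_password("correct horse battery staple", scheme))
```

Running the block twice shows the point of the caveat above: the {SHA} line is identical across runs and across users who share a password, while each {SSHA512} value carries its own salt and verifies only through verify_password.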
Password Policy Enhancements
...
Please refer to the pages for instructions on installing and configuring the Discovery Services methods.
...