# Profiles # Profiles ## Description

A profile is a protocol or subset of protocols implemented by the Identity Provider. There are some accepted protocols, those allows a custom config dependent on the selected profile.

The accepted protocols are the following: 1. [OpenIDProfile](https://bookstack.soffid.com/books/federation/page/openidprofile "OpenIDProfile") 2. [SAML1ArtifactResolutionProfile](https://bookstack.soffid.com/books/federation/page/saml1artifactresolutionprofile "SAML1ArtifactResolutionProfile") 3. [SAML1AttributeQueryProfile](https://bookstack.soffid.com/books/federation/page/saml1attributequeryprofile "SAML1AttributeQueryProfile") 4. [SAML2ArtifactResolutionProfile](https://bookstack.soffid.com/books/federation/page/saml2artifactresolutionprofile "SAML2ArtifactResolutionProfile") 5. [SAML2AttributeQueryProfile](https://bookstack.soffid.com/books/federation/page/saml2attributequeryprofile "SAML2AttributeQueryProfile") 6. [SAML2ECPProfile](https://bookstack.soffid.com/books/federation/page/saml2ecpprofile "SAML2ECPProfile") 7. [SAML2SSOProfile](https://bookstack.soffid.com/books/federation/page/saml2ssoprofile "SAML2SSOProfile") 8. [CAS](https://bookstack.soffid.com/books/federation/page/cas) 9. [Radius](https://bookstack.soffid.com/books/federation/page/radius) ## Screen overview ![](https://bookstack.soffid.com/uploads/images/gallery/2021-10/embedded-image-jmli1u2k.png) When an identity provider is created, by default, all the profiles appear disabled (the profile is displayed strikethrough). It will be necessary to config one by one depending on your company needs. To config a profile you must click on the proper profile, and Soffid will display a new window to config it. ## Actions
**Open profile** If you click on a row of the profile list, Soffid will display a modal window with the data and configuration of the profile selected.
# OpenIDProfile ## Definition The Identity Provider will serve the OpenID-Connect protocol. It is possible to accept the default endpoints or modify them. You can check the server features visiting [https://<YOUR-IdP>/.well-known/openid-configuration](https:///.well-known/openid-configuration). That JSON gives you information about the oAuth authentication types allowed, the key URL, the soported authentication methods and the info about the endpoints defined.

You can download an example [openid-configuration.json](https://bookstack.soffid.com/attachments/29)

## Screen overview ![](https://bookstack.soffid.com/uploads/images/gallery/2021-09/embedded-image-spnf6stn.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enable. - **Discovery endpoint**: call this endpoint to request the OpenID-Connect provider metadata. - **Authorization endpoint**: call this endpoint to request or authorization grant. - **Token endpoint**: call this endpoint to get the token or to renew the token. - **Revoke endpoint:** call this endpoint when you finish and do not need more use the token. - **User info endpoint**: call this endpoint to request user information. # SAML1ArtifactResolutionProfile ## Definition Based on SAML version 1 standard. This profile is used when the Service Provider wants to resolve or check a received assertion. Screen overview [![image-1638533916859.png](https://bookstack.soffid.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638533916859.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-12/image-1638533916859.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enable. - **Sign Responses**:​ usually it can be set to never, as long as the assertions are signed. Its preferable to sign assertions rather than responses, because the assertion can be forwarded by the service provider to another service provider, but the response not. - **Sign Assertions**: it's advisable to sign every assertion, so it avoids assertion spoofing. The assertion can be forwarded by the service provider to another service provider. - **Sign Request**: the identity provider will issue requests to service providers in order to perform the single logout process. Unless it is needed by any service provider, leave it to conditional. # SAML1AttributeQueryProfile ## Definition Based on SAML version 1 standard. This profile is used when the SSOProfile does not include attributes statements in the assertion. This profile allows to the applications request user data. When you are configuring the profile, you could define what data will be encrypted and signed. ## Screen overview [![image-1638533961155.png](https://bookstack.soffid.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638533961155.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-12/image-1638533961155.png) Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enable. - **Sign Responses**:​ usually it can be set to never, as long as the assertions are signed. Its preferable to sign assertions rather than responses, because the assertion can be forwarded by the service provider to another service provider, but the response not. - **Sign Assertions**: it's advisable to sign every assertion, so it avoids assertion spoofing. The assertion can be forwarded by the service provider to another service provider. - **Sign Request**: the identity provider will issue requests to service providers in order to perform the single logout process. Unless it is needed by any service provider, leave it to conditional. - **Outbound Artifact Type**: defaults to 4. Any other value is not supported. For more information, see SAML specification. - **Assertion** **Lifetime**: specifies the validity period for the generated assertions . The time period is specified using the ISO 8601 notation. The standard format follows the pattern: PnYnMnDTnHnMnS. Assertion Lifetime examples: - PT5M sets a duration of five minutes. - PT1H30M sets a duration of one hour and a half. - P3Y6M4DT12H30M5S" sets a duration of three years, six months, four days, twelve hours, thirty minutes, and five seconds. --- *[https://en.wikipedia.org/wiki/ISO\_8601 ](https://en.wikipedia.org/wiki/ISO_8601)* [*http://saml.xml.org/saml-specifications*](http://saml.xml.org/saml-specifications) # SAML2ArtifactResolutionProfile ## Definition Based on SAML version 1 standard. This profile is used when the Service Provider wants to resolve or check a received assertion. The profile configuration settings are quite similar to those present in SAML2SSOProfile. When you are configuring the profile, you could define what data will be encrypted and signed. ## Screen overview [![image-1638534011855.png](https://bookstack.soffid.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638534011855.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-12/image-1638534011855.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enable. - **Sign Responses**:​ usually it can be set to never, as long as the assertions are signed. Its preferable to sign assertions rather than responses, because the assertion can be forwarded by the service provider to another service provider, but the response not. - **Sign Assertions**: it's advisable to sign every assertion, so it avoids assertion spoofing. The assertion can be forwarded by the service provider to another service provider. - **Sign Request**: the identity provider will issue requests to service providers in order to perform the single logout process. Unless it is needed by any service provider, leave it to conditional. - **Encrypt Assertions**: is a desired feature, but some service providers, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed. - If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt it. - If you set it to never, it will not ever be encrypted in any case. - If you set it to always, but the remote service provider encryption key is unknown, an exception will be raised. - **Encrypt NameIds**: should be let to never. # SAML2AttributeQueryProfile ## Definition Based on SAML version 1 standard. This profile is used when the SSOProfile does not include attributes statements in the assertion. This profile allows to the applications request user data. When you are configuring the profile, you could define what data will be encrypted and signed. ## Screen overview [![image-1638534055413.png](https://bookstack.soffid.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638534055413.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-12/image-1638534055413.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enable. - **Sign Responses**: usually it is set to conditional or always, so as the service provider can verify the response authenticity. - **Sign Assertions**: is usually set to never, as long as the response is already signed. - **Sign Request**: not used, as the service provider will not need to generate requests. - **Outbound Artifact Type:** usually kept in blank, unless you are using old SAML 1 service. - **Assertion Lifetime:** specifies the validity period for the generated assertions. The time period is specified using the ISO 8601 notation. The standard format follows the pattern: PnYnMnDTnHnMnS. This means that PT5M sets a duration of five minutes. For instance, PT1H30M sets a duration of one hour and a half. - **Encrypt Assertions**: is a desired feature, but some service providers, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed. - If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt it. - If you set it to never, it will not ever be encrypted in any case. - If you set it to always, but the remote service provider encryption key is unknown, an exception will be raised. - **Encrypt NameIds**: should be let to never. - **Assertion Proxy Count**: sets the maximum number of hops that can be accepted for any assertion. A number of 0 does not set any limit. # SAML2ECPProfile ## Definition The Enhanced Client Profile is used when the Service Provider is not a web application. Nowadays, it is rarely used, as most mobile applications have shifted to OAuth or OpenIDConnect. When you are configuring the profile, you could define what data will be encrypted and signed. ## Screen overview [![image-1638534117678.png](https://bookstack.soffid.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638534117678.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-12/image-1638534117678.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enable. - **Sign Responses**:​ usually it can be set to never, as long as the assertions are signed. Its preferable to sign assertions rather than responses, because the assertion can be forwarded by the service provider to another service provider, but the response not. - **Sign Assertions**: it's advisable to sign every assertion, so it avoids assertion spoofing. The assertion can be forwarded by the service provider to another service provider. - **Sign Request**: the identity provider will issue requests to service providers in order to perform the single logout process. Unless it is needed by any service provider, leave it to conditional. - **Encrypt Assertions**: is a desired feature, but some service providers, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed. - If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt it. - If you set it to never, it will not ever be encrypted in any case. - If you set it to always, but the remote service provider encryption key is unknown, an exception will be raised. - **Encrypt NameIds**: should be let to never. - **Assertion Proxy Count**: sets the maximum number of hops that can be accepted for any assertion. A number of 0 does not set any limit - **Include Attribute Statement**: - - If the attribute statements are included (selected value is Yes), that is the user attributes are included on the response the performance is increased as this additional step is no longer needed. It is particularly recommended when using public cloud service providers. - If attribute statements are not included (selected value is No), the service provider will receive the SAML assertion with the principal name, then the service provider will issue a attribute statement request to the service provider to get them. - **Locality DNS Name** # SAML2SSOProfile ## Definition This is the most commonly used SAML profile. It allows the IdP to identify users and to give such information to Service Providers. This profile is used to log in. When you are configuring the profile, you could define what data will be encrypted and signed. ## Screen overview [![image-1638534204054.png](https://bookstack.soffid.com/uploads/images/gallery/2021-12/scaled-1680-/image-1638534204054.png)](https://bookstack.soffid.com/uploads/images/gallery/2021-12/image-1638534204054.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enabled. - **Sign Responses**:​ usually it can be set to never, as long as the assertions are signed. Its preferable to sign assertions rather than responses, because the assertion can be forwarded by the service provider to another service provider, but the response not. - **Sign Assertions**: it's advisable to sign every assertion, so it avoids assertion spoofing. The assertion can be forwarded by the service provider to another service provider. - **Sign Request**: the identity provider will issue requests to service providers in order to perform the single logout process. Unless it is needed by any service provider, leave it to conditional. - **Outbound Artifact Type**: usually kept in blank, unless you are using old SAML 1 service. - **Encrypt Assertions**: is a desired feature, but some service providers, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed. - If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt it. - If you set it to never, it will not ever be encrypted in any case. - If you set it to always, but the remote service provider encryption key is unknown, an exception will be raised. - **Encrypt NameIds**: should be let to never. - **Assertion Proxy Count**: sets the maximum number of hops that can be accepted for any assertion. A number of 0 does not set any limit - **Include Attribute Statement**: - If the attribute statements are included (selected value is Yes), that is the user attributes are included on the response the performance is increased as this additional step is no longer needed. It is particularly recommended when using public cloud service providers. - If attribute statements are not included (selected value is No), the service provider will receive the SAML assertion with the principal name, then the service provider will issue a attribute statement request to the service provider to get them. # CAS ## Definition Cas protocol is rarely used. ## Screen overview [![image-1661330455520.png](https://bookstack.soffid.com/uploads/images/gallery/2022-08/scaled-1680-/image-1661330455520.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661330455520.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (the selected option is Yes) that protocol will be enabled. # Radius ## Definition Networking protocol that authorizes and authenticates users who access a remote network. ## Screen overview [![image-1661330603198.png](https://bookstack.soffid.com/uploads/images/gallery/2022-08/scaled-1680-/image-1661330603198.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661330603198.png) ## Standard attributes - **Class**: class name (readOnly field). - **Enabled**: if it is checked (selected option is Yes) that protocol will be enabled. - **Authentication port**: UDP authentication port. This port is used to log in. - **Accounting port**: UDP authentication port. This port is used to manage the session, when the session starts and when finishes. - **Enable PAP (unsecure)**: authentication protocol. The password to send is unencrypted. - **Enable CHAP**: authentication protocol. The password to send is encrypted. - **Enable MS CHAP v2**: authentication protocol.