SAML2SSOProfile

Definition

This is the most common used SAML profile. It allows the IdP to identify users and to give such information to Service Providers.

Screen overview

&&TODO&& se repite sign assertion, la segunda es sign Requests

Standard attributes

Class: class name (readOnly field).

Enabled: if it is checked (selected option is Yes) that protocol will be enable.

Sign Responses: ausually it can be set to never, as long as the assertions are signed. Its preferable to sign ~~response~~assertions ~~guarantees~~rather than responses, because the assertion can be forwarded by the service provider ~~that~~to another service provider, but the response ~~has been issued by the Identity Provider~~ ~~&&TODO&&~~
- ~~Conditional ¿Como funciona?~~
- ~~Always~~
- ~~Never~~
not.
Sign Assertions: it's advisable to sign every assertion, so it avoids assertion spoofing. The ~~&&TODO&&~~assertion can be forwarded by the service provider to another service provider.
Sign ~~Assertions~~Request: ~~&&TODO&&~~the identity provider will issue requests to service providers in order to perform the single logout process. Unless it is needed by any service provider, leave it to conditional.
Encrypt Assertions: ~~it's~~is a ~~good~~desired ~~practice~~feature, but some service provider, mainly public cloud service providers do not support it. Thus, the default value is to never encrypt, but you can set it to optional or always as needed.
- If you set it to optional and the public key of the service provider who is going to receive the assertion is available, it will be used to encrypt ~~assertions.~~it.
- If you set it ~~makes~~to ~~more~~never, ~~dificult~~it will not ever be encrypted in any case.
- If you set it to ~~diagnose~~always, ~~misconfiguration~~but ofthe ~~SAML~~remote ~~federation.~~service ~~Disable~~provider itencryption ~~only~~key ~~when~~is ~~needed.~~unknown, an exception will be raised.
Encrypt NameIds: encrypt Name Ids when they are not part of an assertion.
Assertion Proxy Count: sets the maximum number of ~~SAML proxies~~hops that can ~~forward~~be anaccepted for any assertion. A number of 0 ~~stands~~does ~~for~~not noset ~~limit.~~any limit
Include Attribute Statement: on
- If ~~SSO~~attribute ~~profile~~statements ~~will~~are ~~give~~not included (selected value is No), the service provider ~~every~~will receive the SAML assertion with the principal name, then the service provider will issue a attribute ~~bound~~statement request to the ~~identified~~service ~~user,~~provider ~~avoid~~to get them.
- If the ~~need for extra~~ attribute ~~requests.~~statements
  - ~~Include~~included ~~Attribute~~(selected ~~Statement~~value :is ~~&&TODO&&~~Yes), ~~este~~the esperformance unis ~~campo~~increased deas ~~texto~~this ~~debajo~~additional ~~del~~step ~~check~~is ~~anterior~~no longer needed. It is particularly recommended when using public cloud service providers.