SecureTransport 5.5 Administrator Guide Save PDF Selected topic Selected topic and subtopics All content Sample SSO configuration file for end-users <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!-- This is a sample file for SSO configuration for End-user component. --> <SSOConfiguration> <!-- Configures certificate validation. Validates the Service Provider and Identity Providers certificates specified in its configuration. Validation happens at start-up and at regular intervals. Optional. --> <!-- Attributes: 1) trustStoreInitializer - Set com.axway.st.server.sso.impl.TrustStoreInitializer value for trustStoreInitializer in order to use SecureTransport trust store. Recommended value: com.axway.st.server.sso.impl.TrustStoreInitializer 2) delayBetweenValidations - Defines at which interval certificates validation occurs, in hours. Default value is 3 hours. --> <CertificateValidation trustStoreInitializer="com.axway.st.server.sso.impl.TrustStoreInitializer" delayBetweenValidations="3"> </CertificateValidation> <!-- Configures the service provider. --> <!-- Main attributes: entityId - Sets the unique identifier of the service provider. This identifier is sent to the Identity Provider so it can know who is requesting an authentication or a logout. This identifier is used by the Identity Provider to differentiate what Service Provider is requesting an authentication or a logout. filteredUri - Specifies the URI of the authentication process entry point. The value must be /* logoutUri - Specifies the URI which triggers logout process. The value must be /logout. logoutRedirectUri - Specifies the URI to redirect to the initial logout message generated. In turn that message will be redirected to a Identity Provider. The value must be /logoutRedirect. keystoreInitializer - Configures key store to use. That key store keeps key-pairs taking part in authentication process. Set com.axway.st.server.sso.impl.KeyStoreInitializer value in order to use SecureTransport local key store. keyAlias - Specifies key alias of the private key used to decrypt SAML messages and assertions and to sign SAML messages and assertions. sessionIdCookieName - Sets the name of the cookie to store the SSO session identifier if sessions are managed by the SSO module. --> <ServiceProvider entityId="st.sso.enduser" filteredUri="/*" logoutUri="/logout" logoutRedirectUri="/logoutRedirect" keystoreInitializer="com.axway.st.server.sso.impl.KeyStoreInitializer" keyAlias="ssokey" sessionIdCookieName="STEndUserSsoCookie" useAppSessions="false" > <!-- Specifies an entry points for receiving SAML Assertions from the Identity Provider. The below tags are recommended. --> <AssertionConsumerService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" location="/saml2/sso/post"/> <AssertionConsumerService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" location="/saml2/sso/redirect"/> <AssertionConsumerService binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" location="/saml2/sso/paos"/> <SingleLogoutService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" location="/saml2/slo/post"/> <SingleLogoutService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" location="/saml2/slo/redirect"/> <!-- Features tag is optional - Here are the default values --> <Features> <!-- Configures the session cookie whether to be set with Secure flag. Recommended value: true. --> <Feature key="secure-cookie" value="true" /> <!-- Type of unique identifier generator to use to assign ids to SAML messages. The value must be com.axway.st.server.sso.impl.UIDGenerator --> <Feature key="uid-generator" value="com.axway.st.server.sso.impl.UIDGenerator" /> </Features> <!-- Identity Provider resolution provides support for choosing the right Identity Provider based on configuration and run-time metadata. If such resolution is not present, the first Identity Provider is selected among ones specified under IdentityProviders element below. The supported ways to do that are by: 1) Query parameter provided by a user request (see the example below). 2) Header value provided by a user request. An example follow: <Header name="idp_id"> <Mapping value="keycloakIdp" entityId="https://st.keycloak.axway.int/" /> <Mapping value="shibbolethIdp" entityId="https://st.shibboleth.axway.int/" /> <Mapping value="kerbIdP" entityId="kerberos" /> </Header> In the example above if a user authentication request has header with name 'idp_id' and corresponding value equals to 'keycloakIdp', then Identity Provider with entityId equals to https://st.keycloak.axway.int/ will be chosen to authenticate the user agent. Note: Only one of these way can be done. --> <IdentityProviderResolution> <!-- Identity provider mapping using a query parameter. The name of query parameter resolution will be searched for in request parameters during runtime and its value should match to the value attribute of a Mapping element. If both query parameter name and value match, then corresponding entityId is used to select Identity Provider. Examples: 1) https://localhost/?idp_id=keycloakIdp in the below case will match the Identity provider with entityId=https://st.keycloak.axway.int/ 2) https://localhost/?idp_id=shibbolethIdp in the below case will match the Identity provider with entityId=https://st.shibboleth.axway.int/ 3) https://localhost/?idp_id=kerbIdP in the below case will match the Identity provider with entityId=kerberos --> <QueryParameter name="idp_id"> <!-- Note: The name of the query parameter/header should match the value of the ST configuration option LoginSettings.EndUser.SSO.idpResolverKey. --> <!-- Note: Ensure the name of the query parameter/header to be different than ST configuration option LoginSettings.EndUser.SSO.localIdpId in order to be able to configure selection of ST as local authentication provider and SSO Identity Providers. --> <Mapping value="keycloakIdp" entityId="https://st.keycloak.axway.int/" /> <Mapping value="shibbolethIdp" entityId="https://st.shibboleth.axway.int/" /> <Mapping value="kerbIdP" entityId="kerberos" /> </QueryParameter> </IdentityProviderResolution> <!-- This element is optional. Tenant resolution provides support for choosing the right Identity Provider based on configuration and run-time metadata. If both tenant resolution and identity provider resolutions are present, then tenant resolution takes precedence. Tenants are defined inside Identity Providers so resolving the IdP in turn will resolve a tenant. The supported ways to do that are by: 1) QueryParameter <QueryParameter name="idp_id"> <Mapping tenant="Axway" entityId="https://st.keycloak.axway.int/" /> <Mapping tenant="Sopra" entityId="https://st.shibboleth.axway.int/" /> <Mapping tenant="Apple" entityId="kerberos" /> </QueryParameter> 2) Header (example below) Notes: 1) Only one of these way can be done. 2) Header evaluation takes precedence on query parameter one. 3) If mapping is not present, IdentityProviderResolution is used. If IdentityProviderResolution is not present first listed IdP is used. --> <TenantResolution> <!-- Note: The name of the query parameter/header should match the value of the ST configuration option LoginSettings.EndUser.SSO.idpResolverKey. --> <!-- Note: Ensure the name of the query parameter/header to be different than ST configuration option LoginSettings.EndUser.SSO.localIdpId in order to be able to configure selection of ST as local authentication provider and SSO Identity Providers. --> <Header name="idp_id"> <Mapping tenant="Axway" entityId="https://st.keycloak.axway.int/" /> <Mapping tenant="Sopra" entityId="https://st.shibboleth.axway.int/" /> <Mapping tenant="Apple" entityId="kerberos" /> </Header> </TenantResolution> </ServiceProvider> <!-- Identity provider definitions. Configures various aspects of interaction with identity providers. --> <IdentityProviders> <!-- Main attributes: entityId - Sets the unique identifier of the service provider. This identifier is sent to the Identity Provider so it can know who is requesting an authentication or a logout. Add here EntityDescriptor entityID value, from the idpMetadata.xml metadataUrl - Specify the relative location of the metadata file. Specifies a relative location of the metadata file to sso-enduser.xml file. NOTE: ST does not support the metadata URL to be a HTTP site. configurationUrl - should be an absolute path to Kerberos configuration file. NOTE: ST does not support the configuration URL to be a network path. verifyAssertionExpiration - Turn on/off verification of the validity period of assertions. Consider to set to false if service provider and identity provider times are not synchronized. Default: true. sign - If set to true, all SAML messages and their assertions sent by the service provider will be signed. There are a couple of features (see below) for fine-grained control of signing. Optional - if not present, default value is false. userNameAttribute - Sets the name of the identity provider attribute that provides the user name. --> <!-- Sample Keycloak Identity provider definition. --> <SamlIdentityProvider entityId="https://st.keycloak.axway.int/" metadataUrl="./keycloak-idp-metadata.xml" verifyAssertionExpiration="false" sign="true"> <!-- Mappings tag is optional --> <Mappings> <!-- Filter mapping is optional. --> <FilterMapping> <Filter>(department=426 AXW RD SOFIA)</Filter> <OutputAttribute name="role">Developer</OutputAttribute> </FilterMapping> <!-- With this mapping, you can rename an attribute from the Identity Provider, keeping its value. --> <!-- A system attributes mapping. For email, UID, GID and homeDir ST expects the following renaming. --> <RenameMapping source="email" target="fdxEmail" /> <RenameMapping source="uid" target="fdxUid" /> <RenameMapping source="gid" target="fdxGid" /> <RenameMapping source="homeDir" target="fdxHomeDir" /> <!-- Custom attributes mapping examples (optional).--> <RenameMapping source="department" target="department" /> <RenameMapping source="username" target="username" /> <RenameMapping source="full name" target="fullName" /> <RenameMapping source="last name" target="lastName" /> </Mappings> <!-- Features control specific behavior of SAML message processing. --> <Features> <!-- Allows interaction with the IdP by plain HTTP. Default: false. --> <Feature key="saml-allow-http-connection" value="false"/> <!-- Allows unsigned assertions in messages received from the Identity Provider. Default: false. --> <Feature key="saml-allow-unsigned-assertion" value="false"/> <!-- Enable or disable the signature verification of the metadata file and the certification path of the certificate used to sign. Set to false if metadata file is not signed. Default: true. --> <Feature key="saml-verify-metadata-signature" value="false"/> <!-- Enable or disable signing of Authentication Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-authnrequest" value="true"/> <!-- Enable or disable signing of Logout Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutrequest" value="true"/> <!-- Enable or disable signing of Logout Response messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutresponse" value="true"/> </Features> </SamlIdentityProvider> <!-- Sample Shibboleth Identity provider definition. --> <SamlIdentityProvider entityId="https://st.shibboleth.axway.int/" metadataUrl="./shibboleth-idp-metadata.xml" verifyAssertionExpiration="false" userNameAttribute="urn:oid:0.9.2342.19200300.100.1.1" sign="true" > <!-- Mappings tag is optional --> <Mappings> <!-- Filter mapping is optional. --> <FilterMapping> <Filter>(department=R&D)</Filter> <OutputAttribute name="rolename">Developer</OutputAttribute> </FilterMapping> <!-- A system attributes mapping. --> <RenameMapping source="email" target="fdxEmail" /> <RenameMapping source="uid" target="fdxUid" /> <RenameMapping source="gid" target="fdxGid" /> <RenameMapping source="homeDir" target="fdxHomeDir" /> <!-- Custom attributes mapping (optional).--> <RenameMapping source="department" target="department" /> <RenameMapping source="username" target="username" /> <RenameMapping source="full name" target="fullName" /> <RenameMapping source="last name" target="lastName" /> </Mappings> <!-- Features control specific behaviour of SAML message processing. --> <Features> <!-- Allows interaction with the IdP by plain HTTP. Default: false. --> <Feature key="saml-allow-http-connection" value="false"/> <!-- Allows unsigned assertions in messages received from the Identity Provider. Default: false. --> <Feature key="saml-allow-unsigned-assertion" value="false"/> <!-- Enable or disable the signature verification of the metadata file and the certification path of the certificate used to sign. Set to false if metadata file is not signed. Default: true. --> <Feature key="saml-verify-metadata-signature" value="false"/> <!-- Enable or disable signing of Authentication Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-authnrequest" value="true"/> <!-- Enable or disable signing of Logout Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutrequest" value="true"/> <!-- Enable or disable signing of Logout Response messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutresponse" value="true"/> </Features> </SamlIdentityProvider> <!-- A Kerberos IdP sample definition. --> <KerberosIdentityProvider entityId="kerberos" configurationUrl="C:/Axway/SecureTransport/STServer/conf/sso/krb5-login.conf"> </KerberosIdentityProvider> </IdentityProviders> </SSOConfiguration> Related Links
Sample SSO configuration file for end-users <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!-- This is a sample file for SSO configuration for End-user component. --> <SSOConfiguration> <!-- Configures certificate validation. Validates the Service Provider and Identity Providers certificates specified in its configuration. Validation happens at start-up and at regular intervals. Optional. --> <!-- Attributes: 1) trustStoreInitializer - Set com.axway.st.server.sso.impl.TrustStoreInitializer value for trustStoreInitializer in order to use SecureTransport trust store. Recommended value: com.axway.st.server.sso.impl.TrustStoreInitializer 2) delayBetweenValidations - Defines at which interval certificates validation occurs, in hours. Default value is 3 hours. --> <CertificateValidation trustStoreInitializer="com.axway.st.server.sso.impl.TrustStoreInitializer" delayBetweenValidations="3"> </CertificateValidation> <!-- Configures the service provider. --> <!-- Main attributes: entityId - Sets the unique identifier of the service provider. This identifier is sent to the Identity Provider so it can know who is requesting an authentication or a logout. This identifier is used by the Identity Provider to differentiate what Service Provider is requesting an authentication or a logout. filteredUri - Specifies the URI of the authentication process entry point. The value must be /* logoutUri - Specifies the URI which triggers logout process. The value must be /logout. logoutRedirectUri - Specifies the URI to redirect to the initial logout message generated. In turn that message will be redirected to a Identity Provider. The value must be /logoutRedirect. keystoreInitializer - Configures key store to use. That key store keeps key-pairs taking part in authentication process. Set com.axway.st.server.sso.impl.KeyStoreInitializer value in order to use SecureTransport local key store. keyAlias - Specifies key alias of the private key used to decrypt SAML messages and assertions and to sign SAML messages and assertions. sessionIdCookieName - Sets the name of the cookie to store the SSO session identifier if sessions are managed by the SSO module. --> <ServiceProvider entityId="st.sso.enduser" filteredUri="/*" logoutUri="/logout" logoutRedirectUri="/logoutRedirect" keystoreInitializer="com.axway.st.server.sso.impl.KeyStoreInitializer" keyAlias="ssokey" sessionIdCookieName="STEndUserSsoCookie" useAppSessions="false" > <!-- Specifies an entry points for receiving SAML Assertions from the Identity Provider. The below tags are recommended. --> <AssertionConsumerService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" location="/saml2/sso/post"/> <AssertionConsumerService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" location="/saml2/sso/redirect"/> <AssertionConsumerService binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" location="/saml2/sso/paos"/> <SingleLogoutService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" location="/saml2/slo/post"/> <SingleLogoutService binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" location="/saml2/slo/redirect"/> <!-- Features tag is optional - Here are the default values --> <Features> <!-- Configures the session cookie whether to be set with Secure flag. Recommended value: true. --> <Feature key="secure-cookie" value="true" /> <!-- Type of unique identifier generator to use to assign ids to SAML messages. The value must be com.axway.st.server.sso.impl.UIDGenerator --> <Feature key="uid-generator" value="com.axway.st.server.sso.impl.UIDGenerator" /> </Features> <!-- Identity Provider resolution provides support for choosing the right Identity Provider based on configuration and run-time metadata. If such resolution is not present, the first Identity Provider is selected among ones specified under IdentityProviders element below. The supported ways to do that are by: 1) Query parameter provided by a user request (see the example below). 2) Header value provided by a user request. An example follow: <Header name="idp_id"> <Mapping value="keycloakIdp" entityId="https://st.keycloak.axway.int/" /> <Mapping value="shibbolethIdp" entityId="https://st.shibboleth.axway.int/" /> <Mapping value="kerbIdP" entityId="kerberos" /> </Header> In the example above if a user authentication request has header with name 'idp_id' and corresponding value equals to 'keycloakIdp', then Identity Provider with entityId equals to https://st.keycloak.axway.int/ will be chosen to authenticate the user agent. Note: Only one of these way can be done. --> <IdentityProviderResolution> <!-- Identity provider mapping using a query parameter. The name of query parameter resolution will be searched for in request parameters during runtime and its value should match to the value attribute of a Mapping element. If both query parameter name and value match, then corresponding entityId is used to select Identity Provider. Examples: 1) https://localhost/?idp_id=keycloakIdp in the below case will match the Identity provider with entityId=https://st.keycloak.axway.int/ 2) https://localhost/?idp_id=shibbolethIdp in the below case will match the Identity provider with entityId=https://st.shibboleth.axway.int/ 3) https://localhost/?idp_id=kerbIdP in the below case will match the Identity provider with entityId=kerberos --> <QueryParameter name="idp_id"> <!-- Note: The name of the query parameter/header should match the value of the ST configuration option LoginSettings.EndUser.SSO.idpResolverKey. --> <!-- Note: Ensure the name of the query parameter/header to be different than ST configuration option LoginSettings.EndUser.SSO.localIdpId in order to be able to configure selection of ST as local authentication provider and SSO Identity Providers. --> <Mapping value="keycloakIdp" entityId="https://st.keycloak.axway.int/" /> <Mapping value="shibbolethIdp" entityId="https://st.shibboleth.axway.int/" /> <Mapping value="kerbIdP" entityId="kerberos" /> </QueryParameter> </IdentityProviderResolution> <!-- This element is optional. Tenant resolution provides support for choosing the right Identity Provider based on configuration and run-time metadata. If both tenant resolution and identity provider resolutions are present, then tenant resolution takes precedence. Tenants are defined inside Identity Providers so resolving the IdP in turn will resolve a tenant. The supported ways to do that are by: 1) QueryParameter <QueryParameter name="idp_id"> <Mapping tenant="Axway" entityId="https://st.keycloak.axway.int/" /> <Mapping tenant="Sopra" entityId="https://st.shibboleth.axway.int/" /> <Mapping tenant="Apple" entityId="kerberos" /> </QueryParameter> 2) Header (example below) Notes: 1) Only one of these way can be done. 2) Header evaluation takes precedence on query parameter one. 3) If mapping is not present, IdentityProviderResolution is used. If IdentityProviderResolution is not present first listed IdP is used. --> <TenantResolution> <!-- Note: The name of the query parameter/header should match the value of the ST configuration option LoginSettings.EndUser.SSO.idpResolverKey. --> <!-- Note: Ensure the name of the query parameter/header to be different than ST configuration option LoginSettings.EndUser.SSO.localIdpId in order to be able to configure selection of ST as local authentication provider and SSO Identity Providers. --> <Header name="idp_id"> <Mapping tenant="Axway" entityId="https://st.keycloak.axway.int/" /> <Mapping tenant="Sopra" entityId="https://st.shibboleth.axway.int/" /> <Mapping tenant="Apple" entityId="kerberos" /> </Header> </TenantResolution> </ServiceProvider> <!-- Identity provider definitions. Configures various aspects of interaction with identity providers. --> <IdentityProviders> <!-- Main attributes: entityId - Sets the unique identifier of the service provider. This identifier is sent to the Identity Provider so it can know who is requesting an authentication or a logout. Add here EntityDescriptor entityID value, from the idpMetadata.xml metadataUrl - Specify the relative location of the metadata file. Specifies a relative location of the metadata file to sso-enduser.xml file. NOTE: ST does not support the metadata URL to be a HTTP site. configurationUrl - should be an absolute path to Kerberos configuration file. NOTE: ST does not support the configuration URL to be a network path. verifyAssertionExpiration - Turn on/off verification of the validity period of assertions. Consider to set to false if service provider and identity provider times are not synchronized. Default: true. sign - If set to true, all SAML messages and their assertions sent by the service provider will be signed. There are a couple of features (see below) for fine-grained control of signing. Optional - if not present, default value is false. userNameAttribute - Sets the name of the identity provider attribute that provides the user name. --> <!-- Sample Keycloak Identity provider definition. --> <SamlIdentityProvider entityId="https://st.keycloak.axway.int/" metadataUrl="./keycloak-idp-metadata.xml" verifyAssertionExpiration="false" sign="true"> <!-- Mappings tag is optional --> <Mappings> <!-- Filter mapping is optional. --> <FilterMapping> <Filter>(department=426 AXW RD SOFIA)</Filter> <OutputAttribute name="role">Developer</OutputAttribute> </FilterMapping> <!-- With this mapping, you can rename an attribute from the Identity Provider, keeping its value. --> <!-- A system attributes mapping. For email, UID, GID and homeDir ST expects the following renaming. --> <RenameMapping source="email" target="fdxEmail" /> <RenameMapping source="uid" target="fdxUid" /> <RenameMapping source="gid" target="fdxGid" /> <RenameMapping source="homeDir" target="fdxHomeDir" /> <!-- Custom attributes mapping examples (optional).--> <RenameMapping source="department" target="department" /> <RenameMapping source="username" target="username" /> <RenameMapping source="full name" target="fullName" /> <RenameMapping source="last name" target="lastName" /> </Mappings> <!-- Features control specific behavior of SAML message processing. --> <Features> <!-- Allows interaction with the IdP by plain HTTP. Default: false. --> <Feature key="saml-allow-http-connection" value="false"/> <!-- Allows unsigned assertions in messages received from the Identity Provider. Default: false. --> <Feature key="saml-allow-unsigned-assertion" value="false"/> <!-- Enable or disable the signature verification of the metadata file and the certification path of the certificate used to sign. Set to false if metadata file is not signed. Default: true. --> <Feature key="saml-verify-metadata-signature" value="false"/> <!-- Enable or disable signing of Authentication Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-authnrequest" value="true"/> <!-- Enable or disable signing of Logout Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutrequest" value="true"/> <!-- Enable or disable signing of Logout Response messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutresponse" value="true"/> </Features> </SamlIdentityProvider> <!-- Sample Shibboleth Identity provider definition. --> <SamlIdentityProvider entityId="https://st.shibboleth.axway.int/" metadataUrl="./shibboleth-idp-metadata.xml" verifyAssertionExpiration="false" userNameAttribute="urn:oid:0.9.2342.19200300.100.1.1" sign="true" > <!-- Mappings tag is optional --> <Mappings> <!-- Filter mapping is optional. --> <FilterMapping> <Filter>(department=R&D)</Filter> <OutputAttribute name="rolename">Developer</OutputAttribute> </FilterMapping> <!-- A system attributes mapping. --> <RenameMapping source="email" target="fdxEmail" /> <RenameMapping source="uid" target="fdxUid" /> <RenameMapping source="gid" target="fdxGid" /> <RenameMapping source="homeDir" target="fdxHomeDir" /> <!-- Custom attributes mapping (optional).--> <RenameMapping source="department" target="department" /> <RenameMapping source="username" target="username" /> <RenameMapping source="full name" target="fullName" /> <RenameMapping source="last name" target="lastName" /> </Mappings> <!-- Features control specific behaviour of SAML message processing. --> <Features> <!-- Allows interaction with the IdP by plain HTTP. Default: false. --> <Feature key="saml-allow-http-connection" value="false"/> <!-- Allows unsigned assertions in messages received from the Identity Provider. Default: false. --> <Feature key="saml-allow-unsigned-assertion" value="false"/> <!-- Enable or disable the signature verification of the metadata file and the certification path of the certificate used to sign. Set to false if metadata file is not signed. Default: true. --> <Feature key="saml-verify-metadata-signature" value="false"/> <!-- Enable or disable signing of Authentication Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-authnrequest" value="true"/> <!-- Enable or disable signing of Logout Request messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutrequest" value="true"/> <!-- Enable or disable signing of Logout Response messages. Presence of this feature and its value overrides the meaning of sign attribute of IdentityProvider element above. --> <Feature key="saml-sign-logoutresponse" value="true"/> </Features> </SamlIdentityProvider> <!-- A Kerberos IdP sample definition. --> <KerberosIdentityProvider entityId="kerberos" configurationUrl="C:/Axway/SecureTransport/STServer/conf/sso/krb5-login.conf"> </KerberosIdentityProvider> </IdentityProviders> </SSOConfiguration>