SAML config parameters
- Updated on 05 Feb 2025
Default
CustomerCode Required
Default: string.Empty
The user is mapped to the given customer (application).
CustomerLoginType Required
Default: string.Empty
If there is a specific implementation for a customer, please use this login type. However, in general, the value should be Generic.
CmsPageUrl Required
Default: string.Empty
Example:
https://gf-server.com/gv2/gf/GFWebHtml/CMS/index.html#external
The URL to the IXM Platform. Since version 11.16.0, this parameter can be overridden by setting a value for the parameter LoginSuccessRedirectUrl.
GrassfishSignature Optional
Default: string.Empty
Example:
C:\GVServer2\configs\Saml\grassfish-certificate.pfx
If set, this certificate is loaded to sign the SAML response.
GrassfishSignaturePassword Optional
Default: string.Empty
Password of the GrassfishSignature certificate.
ServiceProviderIssuerOverride Optional
Default: string.Empty
Example:
http://custom-issuer/
If set, this issuer is used during the Authn-Request, otherwise the absolute URL of the SamlLogin-web application is used.
ServiceProviderEntityID Optional
Default: value from MainServerURL otherwise string.Empty
This value is used for the EntityId in the grassfish-metadata.xml file.
ServiceProviderDescriptorID Optional
Default: 09C6524B01AA4657BAB26C0970BFF497
This value is used for the Id in the grassfish-metadata.xml file.
IdentityProviderMetadata Optional
Default: string.Empty
Example:
C:\GVServer2\SAML\idp_metadata.xml
If set, this metadata XML is used (locally or over HTTP; we recommend locally) to validate the identity provider responses. This is the default for the SAML setup.
SignOnUrl Required
Default: string.Empty
Example:
https://idp-domain/idp-endpoint
The Authn-Request is sent against this URL. The user logs in at the identity provider.
IdentityProviderSignature Optional
Default: string.Empty
Example:
C:\GVServer2\SAML\idp_signature.pem
If set, this certificate is loaded to validate the identity provider's signature. Typically, you don’t need this setting because the certificate is included in the identity provider's metadata file.
ResponseDecryptCertificate Optional
Default: string.Empty
Example:
C:\GVServer2\SAML\idp_decrypt.pem
If set, this certificate is used to decrypt the SAML-Assertions.
ResponseDecryptCertificatePassword Optional
Default: string.Empty
Password of the ResponseDecryptCertificate certificate.
AssertionConsumerUrlOverride Optional
Default: string.Empty
Example:
http://sp-domain/custom-consumer
If set, the AssertionConsumerServiceUrl is used during the authn request, otherwise the absolute URL of SamlLogin/Consumer.aspx is used.
UseSHA256 Optional
Default: true
If true, SHA256 is used to sign the requests, otherwise SHA1 is used.
LoginSuccessRedirectUrl Required
Default: string.Empty
Example:
https://<IXM-Platform-URL>/gv2/gf/GFWebHtml/cms/index.html#external?autologin=bysession&sh=@@sh@@&cid=@@customerId@@&userID=@@userId@@&customerName=@@customerCode@@
The URL template for the redirect URL to the IXM Platform. If this parameter is set, it overrides the default parameter CmsPageUrl. The server automatically replaces reserved keywords such as @@customerCode@@. Special characters in the URL template must be URL-encoded. The following keywords are supported:
Keyword | Replaced with | Version |
---|---|---|
@@sh@@ | Session hash | Available in 11.16 and later |
@@userId@@ | User ID | Available in 11.16 and later |
@@customerId@@ | Customer ID | Available in 11.16 and later |
@@customerCode@@ | Customer code | Available in 11.16 and later |
@@customerName@@ | Customer name | Available in 11.16 and later |
Generic Login
User settings
Generic.ExternalUserIdAttribute Optional
Default: string.Empty
If set, this Assertion-Attribute is used to map and identify the user in the IXM Platform. Otherwise, Assertion.Subject.NameId is used.
Generic.EmailAttribute Required
Default: string.Empty
This Assertion-Attribute is used to set the email address of the user in the IXM Platform.
Generic.FirstNameAttribute Required
Default: string.Empty
This Assertion-Attribute is used to set the first name of the user in the IXM Platform.
Generic.LastNameAttribute Required
Default: string.Empty
This Assertion-Attribute is used to set the last name of the user in the IXM Platform.
Generic.ExtendUserValidityInDays Optional
Default: 0
If the value is greater than 0, the validity of the user is set to today + Generic.ExtendUserValidityInDays.
CreateUserIfNotExists Optional
Default: true
If true, the user is created in the IXM Platform if they don’t exist yet, and the Auth-Request against the identity provider was successful.
If false, the user must exist in the IXM Platform or the login doesn’t work.
Language settings
Generic.UseBrowserLanguage Optional
Default: false
If true, the system tries to use the browser language in the IXM Platform. Otherwise, it uses Generic.PreferredLanguageAttribute first and Generic.PreferredLanguage as a fallback.
Generic.PreferredLanguageAttribute Optional
Default: string.Empty
If set, the IXM Platform language is taken from the provided Assertion-Attribute.
Generic.PreferredLanguageValue Optional
Default: en
If no other language option is set, this language is used in the IXM Platform.
Customer settings
Generic.CustomerCodeAttribute or Generic.CustomerCodeValue is required.
Generic.CustomerCodeAttribute Optional
Default: string.Empty
If set, the CustomerCode of the user is taken from the provided Assertion-Attribute. Otherwise, Generic.CustomerCodeValue is used.
Generic.CustomerCodeValue Optional
Default: string.Empty
If Generic.CustomerCodeAttribute is empty, this CustomerCode is used for the login.
Permission settings
Generic.PermissionGroupAttribute or Generic.PermissionGroupValue is required.
Generic.UpdatePermissionGroupForExistingUsers Optional
Default: false
If true, the permission group is overwritten during every login of the user.
Generic.PermissionGroupAttribute Optional
Default: string.Empty
If set, this Assertion-Attribute is used to set the permission group of the user.
Generic.PermissionGroupValue Optional
Default: string.Empty
If Generic.PermissionGroupAttribute is empty, the user gets this permission group.
User group settings
Generic.UserGroupAttribute or Generic.UserGroupValue is required.
Generic.UpdateUserGroupsForExistingUsers Optional
Default: false
If true, the user groups are reassigned to the user during every login.
ClearUserGroupsForExistingUsers Optional
Default: false
If true, all user groups of the user are cleared before assigning new user groups.
Generic.UserGroupAttribute Optional
Default: string.Empty
If set, this Assertion-Attribute is used to set the user groups of the user.
Generic.UserGroupValue Optional
Default: string.Empty
If Generic.UserGroupAttribute is empty, the user gets these user groups.
Generic.UserGroupDelimiter Optional
Default: string.Empty
If set, this delimiter is used to assign multiple user groups to the user.
Log settings
DebugSaveSamlAttributes Optional
Default: false
If true, the assertion is available in the log file with LogLevel 5.
DebugSaveSamlResponse Optional
Default: false
If true, the SAML response is available in the log file with LogLevel 3.
EnableSamlTraceLog Optional
Default: false
If true, the system logs the SAML trace into the log file located in the SAML log directory under saml_trace.
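The required parameters, the "Attribute or Value" pairs, the supported redirect keywords and the settings worth a second look before go-live can be checked together. The following is an added example, not part of the product or its documentation. It assumes the parameters have already been read into a name-to-string dictionary (the storage format is not described on this page), treats keywords as case-sensitive, and uses a constructed sample with placeholder host names.

```python
import re

REQUIRED = ["CustomerCode", "CustomerLoginType", "CmsPageUrl", "SignOnUrl",
            "LoginSuccessRedirectUrl", "Generic.EmailAttribute",
            "Generic.FirstNameAttribute", "Generic.LastNameAttribute"]
# Groups where the page requires either the ...Attribute or the ...Value parameter.
ONE_OF = ["Generic.CustomerCode", "Generic.PermissionGroup", "Generic.UserGroup"]
KEYWORDS = {"sh", "userId", "customerId", "customerCode", "customerName"}

def is_true(cfg, key, default):
    return cfg.get(key, default).strip().lower() == "true"

def lint(cfg):
    """Return (errors, warnings) for a dict of parameter name -> string value."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not cfg.get(key, "").strip():
            errors.append(f"{key} is required")
    for stem in ONE_OF:
        if not (cfg.get(stem + "Attribute", "").strip() or cfg.get(stem + "Value", "").strip()):
            errors.append(f"{stem}Attribute or {stem}Value is required")
    # Flag @@...@@ markers that are not in the documented keyword table.
    for kw in re.findall(r"@@(\w+)@@", cfg.get("LoginSuccessRedirectUrl", "")):
        if kw not in KEYWORDS:
            errors.append(f"LoginSuccessRedirectUrl: unsupported keyword @@{kw}@@")
    if not is_true(cfg, "UseSHA256", "true"):
        warnings.append("UseSHA256 is false: requests are signed with SHA1")
    if cfg.get("IdentityProviderMetadata", "").lower().startswith(("http://", "https://")):
        warnings.append("IdentityProviderMetadata is loaded over HTTP; a local file is recommended")
    for key in ("DebugSaveSamlAttributes", "DebugSaveSamlResponse", "EnableSamlTraceLog"):
        if is_true(cfg, key, "false"):
            warnings.append(f"{key} is true: SAML data is written to the log file")
    return errors, warnings

# Constructed sample configuration (placeholder hosts, not a real installation).
SAMPLE = {
    "CustomerCode": "demo", "CustomerLoginType": "Generic",
    "CmsPageUrl": "https://ixm.example/gv2/gf/GFWebHtml/CMS/index.html#external",
    "SignOnUrl": "https://idp.example/sso",
    "LoginSuccessRedirectUrl": "https://ixm.example/gv2/gf/GFWebHtml/cms/index.html"
                               "#external?autologin=bysession&sh=@@sh@@&userID=@@userID@@",
    "Generic.EmailAttribute": "mail", "Generic.FirstNameAttribute": "givenName",
    "Generic.LastNameAttribute": "sn", "Generic.CustomerCodeValue": "demo",
    "Generic.PermissionGroupAttribute": "role",  # no UserGroup parameter on purpose
    "UseSHA256": "false", "DebugSaveSamlResponse": "true",
    "IdentityProviderMetadata": "http://idp.example/metadata.xml",
}
```

Calling lint(SAMPLE) reports the missing user group parameter and the misspelled @@userID@@ keyword as errors, and the SHA1, remote metadata and response-logging settings as warnings.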