In the navigator pane, expand WebLogic Domain to show the domain for which Using Fusion Middleware Control, click WebLogic Domain, then Security, and

10-42 Oracle Fusion Middleware Security and Administrator's Guide for Web Services

To add a property, click Add and enter a property name and value in the Add New Property window. Click OK to add the property to the Custom Properties list.

To change the value of an existing property, you need to delete the property from the Custom Properties list and add a new property with the revised value.

Table 10–1 lists the SAML and Kerberos login modules and describes the properties that you can configure.

Table 10–1 SAML and Kerberos Login Modules Attributes and Properties

Login Module Service Name: saml.loginmodule, saml2.loginmodule

    Property: oracle.security.jps.assert.saml.identity
    Description: A domain-wide property used to determine the mapping between the SAML subject and the user. Valid values include:
    ■ false—When this flag is set to false, the username in the SAML subject is mapped to the actual user in the identity store. The user roles and subject are created with the username and roles specified in the identity store. This is the default.
    ■ true—When this flag is set to true, the SAML subject is treated as a logical/virtual user. The user is not mapped to the actual user in the identity store. The subject is populated only with the username from the SAML subject. Because the subject is treated as a virtual user, identity store configuration is not required and the Identity Assertion Provider is not invoked for all SAML policies in the domain using this login module.

    Property: oracle.security.jps.add.assertion.to.subject
    Description: Boolean flag used to indicate whether the SAML assertion should be added to the authenticated subject as a private credential. The default is true.

Login Module Service Name: krb5.loginmodule

    Property: principal
    Description: The name of the principal that should be used. It can be a simple username, such as testuser, or a service name such as host/testhost.eng.sun.com. You can use the principal option to set the principal when there are credentials for multiple principals in the keyTab or when you want a specific ticket cache only.

    Property: useKeyTab
    Description: True or false. Set this to true if you want the module to get the principal's key from the keytab (the default value is false). If keyTab is not set, then the module will locate the keytab from the Kerberos configuration file. If it is not specified in the Kerberos configuration file, then it will look for the file {user.home}{file.separator}krb5.keytab.

    Property: storeKey
    Description: Set this to true if you want the principal's key to be stored in the Subject's private credentials.

    Property: keyTab
    Description: Set this to the file name of the keytab from which to get the principal's secret key.

    Property: doNotPrompt
    Description: Set this to true if you do not want to be prompted for the password if credentials cannot be obtained from the cache or keytab (the default is false). If set to true, authentication will fail if credentials cannot be obtained from the cache or keytab.

Configuring SAML

The SAML standard defines a common XML framework for creating, requesting, and exchanging security assertions between software entities on the Web. The SAML Token profile is part of the core set of WS-Security standards, and specifies how SAML assertions can be used for Web services security. SAML also provides a standard way to represent a security token that can be passed across the multiple steps of a business process or transaction, from browser to portal to networks of Web services.

If you use any of the following predefined policies, you must configure SAML:
■ oracle/wss_saml_token_bearer_over_ssl_server_policy
■ oracle/wss_saml_token_bearer_over_ssl_client_policy
■ oracle/wss_saml_token_over_ssl_service_policy
■ oracle/wss_saml_token_over_ssl_client_policy
■ oracle/wss10_saml_token_service_policy
■ oracle/wss10_saml_token_client_policy
■ oracle/wss10_saml20_token_service_policy
■ oracle/wss10_saml20_token_client_policy
■ oracle/wss10_saml_token_with_message_protection_client_policy
■ oracle/wss10_saml_token_with_message_protection_service_policy
■ oracle/wss10_saml20_token_with_message_protection_client_policy
■ oracle/wss10_saml20_token_with_message_protection_service_policy
■ oracle/wss10_saml_token_with_message_protection_ski_basic256_client_policy
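The following audit helper is an added example, not Oracle's code: it reads a set of custom properties as entered for the SAML and Kerberos login modules in Table 10–1 above and reports the settings whose consequences the table describes (virtual-user mapping, assertion not retained as a credential, keytab fallback, interactive password prompt). The property names and defaults come from the table; the finding texts, the audit functions and the assumed "/" file separator in the fallback keytab path are this example's own.

```python
# Added example (not Oracle's code): audit Table 10-1 login-module properties for
# settings with security consequences described in the table. Finding texts and the
# audit logic are assumptions of this example, not documented OWSM behaviour.
from typing import Dict, List

# Documented defaults from Table 10-1 (used when a property was never added).
DEFAULTS = {
    "oracle.security.jps.assert.saml.identity": "false",
    "oracle.security.jps.add.assertion.to.subject": "true",
    "useKeyTab": "false",
    "doNotPrompt": "false",
    "storeKey": "false",
}

def _flag(props: Dict[str, str], name: str) -> bool:
    # Properties are entered as strings in Fusion Middleware Control; compare case-insensitively.
    return props.get(name, DEFAULTS.get(name, "false")).strip().lower() == "true"

def audit_saml_module(props: Dict[str, str]) -> List[str]:
    findings = []
    if _flag(props, "oracle.security.jps.assert.saml.identity"):
        findings.append("assert.saml.identity=true: the SAML subject is a virtual user; the identity "
                        "store is not consulted and the Identity Assertion Provider is not invoked, "
                        "so roles from the identity store are absent from the subject")
    if not _flag(props, "oracle.security.jps.add.assertion.to.subject"):
        findings.append("add.assertion.to.subject=false: the SAML assertion is not kept as a "
                        "private credential on the authenticated subject")
    return findings

def audit_krb5_module(props: Dict[str, str], user_home: str = "/home/svc") -> List[str]:
    # user_home stands in for {user.home}; "/" is assumed for {file.separator}.
    findings = []
    if not props.get("principal"):
        findings.append("principal not set: required to pick one principal when the keytab holds several")
    if _flag(props, "useKeyTab"):
        if not props.get("keyTab"):
            findings.append("keyTab not set: the module falls back to the Kerberos configuration file, "
                            f"then to {user_home}/krb5.keytab")
        if not _flag(props, "storeKey"):
            findings.append("storeKey=false: the principal's key is not stored in the Subject's private credentials")
    else:
        findings.append("useKeyTab=false (default): the principal's key is not read from a keytab")
    if not _flag(props, "doNotPrompt"):
        findings.append("doNotPrompt=false (default): the module may prompt for a password when cache and "
                        "keytab credentials are unavailable; unattended services usually want true")
    return findings
```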