Session Manager Configuration
Configurations within the Satellite Configuration Group.
Element: config
Configures a session manager service.
Attributes:
@version [ required | fixed: 1 ]
Children:
- all of these elements:
  - [0, 1] '→session'
    » Configure session management
  - [0, 1] '→validations'
    » Define validation rules
  - [0, 1] '→compatibility'
    » Configure backward compatibility
Element: session
Configure session management
Attributes:
@timeout ↦ nonNegativeInteger
Session cookie timeout
@threshold ↦ nonNegativeInteger
Session cookie threshold
@secret ↦ hexBinary (length: 32)
Session cookie encryption/decryption key
@cookie ↦ string
(deprecated: use element 'session-cookie') Session cookie name (default: 'OCCSession')
@filter ↦ string
XPath filter to apply to user asset query
@forceSSL ↦ boolean
(deprecated: use element 'session-cookie') Set session / remember cookie to secure only.
@same-site ↦ { NONE | STRICT | LAX }
(deprecated: use element 'session-cookie') Set the SameSite attribute for the session cookie / remember cookie. Setting this requires cookie compliance RFC6265 in the web server configuration (compatibility/@cookie-compliance="RFC6265").
@user-asset-type [ default: person.webuser. ] ↦ string
Asset type of user asset.
@remember-cookie ↦ string
(deprecated: use element 'remember-cookie') Remember cookie name
@remember-expiry-in-days ↦ nonNegativeInteger
Remember cookie validity duration
@password-recovery-timeout ↦ nonNegativeInteger
Validity duration of password recovery keys in seconds (default: 172800 s = 2 days)
@domain ↦ string
Cookie domain to set if it matches the request.
@path ↦ string
(deprecated: use 'XXX-cookie' elements) Cookie path to set (default: '/')
@check-asset [ default: false ] ↦ boolean
Session requires user asset.
@attributes-cookie ↦ string
(deprecated: use element 'attributes-cookie') Data cookie name
@attributes-expiry-in-days [ default: 365 ] ↦ nonNegativeInteger
(deprecated: use element 'attributes-cookie') Data cookie validity duration.
@attribute-cookie-ssl-only [ default: false ] ↦ boolean
(deprecated: use element 'attributes-cookie') Set cookie to secure only.
@attribute-cookie-http-only [ default: false ] ↦ boolean
(deprecated: use element 'attributes-cookie') Set cookie to http only.
@attribute-cookie-same-site ↦ { NONE | STRICT | LAX }
(deprecated: use element 'attributes-cookie') Set the SameSite attribute for the attributes cookie
@blacklist-session-on-logout [ default: false ] ↦ boolean
Store session IDs / remember IDs on the user asset so that a session cannot be reused after logout
@add-sessionid-to-mdc [ default: false ] ↦ boolean
Add the session ID to the logging context (MDC)
@update-stored-password-on-login [ default: false ] ↦ boolean
Re-hash the stored password on successful login if its hashing method is deprecated
@login-email-fallback [ default: true ] ↦ boolean
Enable/disable login fallback to the email address (enabled by default). When enabled, both the provider-specific login name (the ID supplied by the provider) AND the 'website' login (email address) are searched.
Children:
- all of these elements:
  - [0, 1] '→session-cookie'
    » configure session cookie settings
  - [0, 1] '→remember-cookie'
    » configure session cookie settings
  - [0, 1] '→attributes-cookie'
    » configure session cookie settings
  - [0, 1] '→auth-providers'
    » Configure available auth providers.
Inner element: session/attributes-cookie
content: cookie-persistent
configure session cookie settings
Inner element: session/remember-cookie
content: cookie
configure session cookie settings
Inner element: session/session-cookie
content: cookie
configure session cookie settings
Element: auth-providers
Configure available auth providers.
Children:
- [0, n] choice of these elements:
  - [1, 1] '→oauth'
    » Configure authentication by social media account.
  - [1, 1] '→certificate'
    » Configure authentication by client certificates.
  - [1, 1] '→local'
    » Configure authentication by userid/password.
  - [1, 1] '→server'
    » Configure authentication by server side userid/password check.
  - [1, 1] '→chaining'
    » Chain configured authentication providers to use with userid/password.
  - [1, 1] '→censhare-web'
    » Configure authentication by censhare client.
  - [1, 1] '→saml'
    » Configure authentication by SAML2 service.
  - [1, 1] '→custom'
    » Configure authentication for custom implementation.
Element: saml
Attributes:
@id [ required ] ↦ string
Login type stored on the user asset; references asset/asset_feature[@feature='censhare:address']/asset_feature[feature='@censhare:address.user-type']/@value_key
@autocreate [ default: true ] ↦ boolean
@sp-id ↦ string
ID of this site (service provider ID)
@idp-url ↦ string
URL of the IdP endpoint
@mapper ↦ string
Optional attribute mapper referencing a Java class extending com.censhare.oc.components.user.auth.api.SAMLAttributeMapperFactory.
A default implementation is provided that looks for the following assertion attributes:
- firstname
  1. urn:oid:2.5.4.42
  2. firstname
  3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- lastname
  1. urn:oid:2.5.4.4
  2. lastname
  3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- email
  1. urn:oid:1.2.840.113549.1.9.1
  2. email
  3. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
You may override this implementation by registering your own com.censhare.oc.components.user.auth.api.SAMLAttributeMapperFactory in OSGi, e.g. com.censhare.oc.demo.site.DemoSAMLMapperFactory.
@max-age-auth-response [ default: 2000 ] ↦ positiveInteger
Maximum age of the authentication response in ms
@check-assertion-signature [ default: true ] ↦ boolean
check signature of assertions (idp-certificate required)
@check-logout-request-signature [ default: true ] ↦ boolean
check signature of logout request (idp-certificate required)
@check-logout-response-signature [ default: true ] ↦ boolean
check signature of logout response (idp-certificate required)
@handle-redirect-target [ default: false ] ↦ boolean
Set to true if the redirect target should be transferred via RelayState; this must be set to true if the generated provider definition is used.
@global-logout [ default: true ] ↦ boolean
enable global logout (static endpoint)
@name-id-type [ default: PERSISTENT ] ↦ { PERSISTENT | EMAIL | UNSPECIFIED }
@auth-request-binding [ default: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect ] ↦ { urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST }
binding type (REDIRECT or POST)
Children:
- sequence of these elements:
  - [0, 1] '→auth'
  - [0, 1] '→signing'
    » parameters regarding signing
  - [0, 1] '→encryption'
  - [0, n] '→idp-certificate'
Inner element: saml/idp-certificate
Children:
- sequence of these elements:
- [1, n] '→pem'
Inner element: saml/idp-certificate/pem
content: string
Inner element: saml/signing
parameters regarding signing
Attributes:
@auth-request [ default: true ] ↦ boolean
sign auth request
@auth-request-sign-inline [ default: true ] ↦ boolean
inline xml signature
@signing-algorithm [ default: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 ] ↦ { http://www.w3.org/2000/09/xmldsig#rsa-sha1 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha224 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 }
@canonicalization-algorithm [ default: http://www.w3.org/2001/10/xml-exc-c14n# ] ↦ { http://www.w3.org/2001/10/xml-exc-c14n#WithComments | http://www.w3.org/2001/10/xml-exc-c14n# | http://www.w3.org/2006/12/xml-c14n11#WithComments | http://www.w3.org/2006/12/xml-c14n11 | http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments | http://www.w3.org/TR/2001/REC-xml-c14n-20010315 }
@digest-algorithm ↦ { http://www.w3.org/2001/04/xmlenc#sha256 | http://www.w3.org/2001/04/xmlenc#sha384 | http://www.w3.org/2001/04/xmlenc#sha512 }
Children:
- all of these elements:
  - [1, 1] '→pem'
    » Provide certificates/keys content.
Inner element: saml/signing/pem
content: string
Provide certificates/keys content.
Attributes:
@password ↦ string
password for key decryption
Inner element: saml/auth
Attributes:
@comparison [ default: MINIMUM ] ↦ { MINIMUM | EXACT | MAXIMUM | BETTER }
@force-auth ↦ boolean
@auth-context-classes-enabled [ default: true ] ↦ boolean
Children:
- sequence of these elements:
- [0, n] '→auth-class'
Inner element: saml/auth/auth-class
Attributes:
@ref [ required ] ↦ string
Inner element: saml/encryption
Children:
- all of these elements:
  - [1, 1] '→pem'
    » Provide certificates/keys content.
Inner element: saml/encryption/pem
content: string
Provide certificates/keys content.
Attributes:
@password ↦ string
password for key decryption
Element: certificate
Attributes:
@id [ required ] ↦ string
Provide a custom id for service.
@autologin [ default: true ] ↦ boolean
Login users automatically.
@autocreate [ default: true ] ↦ boolean
Create new user account from certificate data automatically.
@idfield ↦ { cn }
Certificate field used as user id value.
Element: oauth
Configure oauth provider service
Attributes:
@id [ required ] ↦ string
Provide a custom id for service.
@apikey [ required ] ↦ string
API authentication key
@apisecret [ required ] ↦ string
API authentication password
@type [ required ] ↦ { twitter | facebook | xing | gplus | linkedin }
Select real provider.
@autocreate [ default: true ] ↦ boolean
Create new user accounts from data automatically.
Element: custom
Define and configure a custom oauth provider service implementation. Allows custom attributes.
Attributes:
@id [ required ] ↦ string
Provide a custom id for service.
@class [ required ] ↦ string
Provide custom 'com.censhare.oc.system.site.OCSessionManager.AuthProvider' implementation.
@{anyAttribute}
any additional attribute allowed
Children:
- [0, n] choice of these elements:
Element: local
Configure 'censhare:address.user-type' value to use for local account login data
Attributes:
@id [ required | fixed: website ]
Element: chaining
Provide list of services to try username password on.
Attributes:
@id [ required ] ↦ string
Provide a custom id for service.
Children:
- [0, n] choice of these elements:
- [1, 1] '→local'
- [1, 1] '→server'
Element: server
Configure authentication by server side userid/password check.
Attributes:
@id [ required ] ↦ string
Provide a custom id for service.
@method ↦ { custom | censhare-dh | }
- custom: uses the custom login method (also used in the client, e.g. LDAP login)
- censhare-dh: do not use
- (empty value): uses the default server login method (local login)
Element: censhare-web
Configure authentication by censhare client.
Attributes:
@id [ required ] ↦ string
Provide a custom id for service.
Element: validations
Define validation rules
Children:
- choice of these elements:
- [0, n] '→validation'
Element: validation
Define a validation set for a 'target'
Attributes:
@target [ required ] ↦ { password }
- password: test the rules against the user's password.
@min-match [ required ] ↦ integer
Number of rules that must match for the validation to succeed
@name ↦ string
Provide an identifier for this rule set
Children:
- choice of these elements:
  - [1, n] '→patternrule'
    » Include rules
Element: patternrule
Defines a single rule to test.
Attributes:
@pattern [ required ] ↦ string
The reg-ex pattern defining the test.
@name ↦ string
Provide an identifier for this rule.
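How a validation set is applied can be illustrated against the schema above. The Python below is an added example, not censhare code: the <validations> fragment and its patterns are constructed, and the matching semantics (re.search per rule, every configured set for the target must reach its own min-match) are assumptions, since the page does not spell them out.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <validations> fragment in the schema described on this page. The
# four pattern rules and the min-match of 3 are illustrative values, not defaults.
VALIDATIONS_XML = """<validations>
  <validation target="password" min-match="3" name="strength">
    <patternrule name="length" pattern="^.{10,}$"/>
    <patternrule name="upper" pattern="[A-Z]"/>
    <patternrule name="digit" pattern="[0-9]"/>
    <patternrule name="symbol" pattern="[^A-Za-z0-9]"/>
  </validation>
</validations>"""


def load_rule_sets(xml_text, target="password"):
    """Parse every <validation> for `target` into (name, min_match, [(rule, regex)])."""
    sets = []
    for v in ET.fromstring(xml_text).findall("validation"):
        if v.get("target") != target:
            continue
        rules = [(r.get("name") or r.get("pattern"), re.compile(r.get("pattern")))
                 for r in v.findall("patternrule")]
        sets.append((v.get("name"), int(v.get("min-match")), rules))
    return sets


def validate_password(password, xml_text=VALIDATIONS_XML):
    """Return (ok, failed_rule_names).

    Assumptions (not stated on the page): a rule matches when re.search finds the
    pattern anywhere in the password, and every validation set configured for the
    target must reach its own @min-match for the password to be accepted.
    """
    ok, failed = True, []
    for _name, min_match, rules in load_rule_sets(xml_text):
        misses = [rule for rule, rx in rules if rx.search(password) is None]
        failed.extend(misses)
        if len(rules) - len(misses) < min_match:
            ok = False
    return ok, failed
```

The returned rule names tell the user which rules were missed, while the overall result depends only on whether at least min-match of them held.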
Element: compatibility
Attributes:
@legacy-cookie-value-encoding [ default: false ] ↦ boolean
Use legacy encoding for cookie data (default: base64, ASCII).
The Session Manager Configuration configures a standard session manager instance.
Multiple Session Manager Configurations may be present to configure different session managers.
Hints:
- If the CommunitySessionManager issues cookies with a SameSite attribute, the WebServer must have its cookie compliance level set to RFC6265.
  Session Manager Configuration:
  session/[attributes-cookie|remember-cookie|session-cookie]/@same-site="[NONE|STRICT|LAX]"
  WebServerConfiguration:
  compatibility/@cookie-compliance="RFC6265"
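The constraints this page states (the hexBinary @secret, the deprecated <session> attributes, and the SameSite / RFC6265 dependency on the web server configuration) can be checked mechanically before deployment. The following Python lint is an added example, not part of the censhare product; its two configuration snippets are constructed, and it assumes the web server configuration exposes compatibility/@cookie-compliance as a direct child of its root element.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations (values are made up for this example). The
# session manager config follows the schema on this page; the web server config
# is reduced to the one element the page refers to, compatibility/@cookie-compliance.
SESSION_XML = """<config version="1">
  <session timeout="1800" secret="%s" forceSSL="true">
    <session-cookie same-site="LAX"/>
  </session>
</config>""" % ("0f" * 32)
WEBSERVER_XML = '<config version="1"><compatibility cookie-compliance="RFC2109"/></config>'

# <session> attributes this page marks as deprecated in favour of the *-cookie elements.
DEPRECATED = {"cookie", "forceSSL", "same-site", "remember-cookie", "path",
              "attributes-cookie", "attributes-expiry-in-days",
              "attribute-cookie-ssl-only", "attribute-cookie-http-only",
              "attribute-cookie-same-site"}
COOKIE_ELEMENTS = ("session-cookie", "remember-cookie", "attributes-cookie")


def lint(session_xml, webserver_xml):
    """Return a list of findings (empty when both configurations are consistent)."""
    findings = []
    session = ET.fromstring(session_xml).find("session")
    if session is None:
        return ["no <session> element configured"]

    # @secret is declared hexBinary with length 32. XML Schema counts hexBinary
    # length in octets, so a valid key decodes to exactly 32 bytes (64 hex digits).
    try:
        key_len = len(bytes.fromhex(session.get("secret", "")))
    except ValueError:
        key_len = -1
    if key_len != 32:
        findings.append("session/@secret must be hexBinary of 32 octets (64 hex digits)")

    for attr in sorted(DEPRECATED & set(session.attrib)):
        findings.append(f"session/@{attr} is deprecated; use the *-cookie child elements")

    # Hint from the page: SameSite on any cookie element requires the web server
    # to run with cookie compliance RFC6265.
    same_site = [n for n in COOKIE_ELEMENTS
                 if session.find(n) is not None and session.find(n).get("same-site")]
    compat = ET.fromstring(webserver_xml).find("compatibility")
    compliance = compat.get("cookie-compliance") if compat is not None else None
    if same_site and compliance != "RFC6265":
        findings.append(f"same-site on {', '.join(same_site)} requires web server "
                        f"compatibility/@cookie-compliance=\"RFC6265\" (found {compliance!r})")
    return findings
```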