Retrieves the federation configurations.
Entitlements required: readFederations (Read federations) or manageFederations (Manage federations) or manageAppAccessAdmin (Manage application lifecycle) or manageIdentitySources (Manage identity sources) or readIdentitySources (Read identity sources).
Note: You only need one entitlement, but you can have more than one.
The configuration properties that are used for the service provider federations are:
clockSkew
The tolerance in seconds that is applied when the NotBefore and NotOnOrAfter values of a received SAML assertion are validated.
includeAllAttributes
Includes all attributes available in the SAML assertion, even those that are mapped to a standard IBM Security Verify attribute.
The includeAllAttributes property defaults to false.
skipTargetUrlValidation
Specify whether to skip validation of the target URL.
allowedTargetUrls
Specify the allowed target URLs.
The configuration properties that are used for the identity provider federations are:
assertionValidAfter
The tolerance in seconds that is added to NotOnOrAfter when the SAML assertion is issued.
assertionValidBefore
The tolerance in seconds that is added to NotBefore when the SAML assertion is issued.
Configuration properties that are used for both the service provider and identity provider federations are:
messageValidTime
The tolerance in seconds that is applied when the IssueInstant of a received SAML message is validated.
crlEnabled
Checks the certificate revocation list. Checking is done for all functions that use an external certificate. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The crlEnabled property defaults to false.
keySelectionCriteria
Specify which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:
only.alias
Select the key or certificate with the specified alias. This method is the default.
longest.lifetime
For signing, a valid key with the longest lifetime is used. For validation, keys that share the same SubjectDN are sorted based on lifetime availability. Starting with the key that has the longest lifetime availability, the keys are tried sequentially until validation is successful.
shortest.lifetime
For signing, a valid key with the shortest lifetime is used. For validation, keys that share the same SubjectDN are sorted based on lifetime availability. Starting with the key that has the shortest lifetime availability, the keys are tried sequentially until validation is successful.
defaultNameIDFormat
Specify the nameID format to use when no nameID format is specified in the SSO query parameter or message. Use one of the following nameID formats for an identity provider federation:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Use one of the following nameID formats for a service provider federation:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Note: The crlEnabled and keySelectionCriteria fields are not shown in the GET response until they are updated.
The response looks like this:
[
  {
    "name": "saml20ip",
    "messageValidTime": 300,
    "assertionValidBefore": 300,
    "assertionValidAfter": 300,
    "crlEnabled": true,
    "keySelectionCriteria": "only.alias",
    "defaultNameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "role": "ip"
  },
  {
    "name": "saml20sp",
    "messageValidTime": 300,
    "clockSkew": 0,
    "includeAllAttributes": false,
    "crlEnabled": true,
    "keySelectionCriteria": "only.alias",
    "defaultNameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "role": "sp"
  }
]
GET https://{tenanturl}/v1.0/saml/federations
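The following added example (not IBM's code) shows how the time tolerances above interact: the identity provider entry's assertionValidBefore/assertionValidAfter produce the assertion's Conditions window, and the service provider entry's clockSkew and messageValidTime decide whether a received assertion or message is accepted. The sample configuration is constructed in the shape of the GET response, with the SP clockSkew raised to 60 so its effect is visible; applying clockSkew symmetrically to both edges and messageValidTime in both directions are assumptions, not statements from this page.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of the GET response above (the SP entry's
# clockSkew is set to 60 instead of 0 so the tolerance is visible in checks).
FEDERATIONS = json.loads("""[
  {"name": "saml20ip", "messageValidTime": 300, "assertionValidBefore": 300,
   "assertionValidAfter": 300, "role": "ip"},
  {"name": "saml20sp", "messageValidTime": 300, "clockSkew": 60, "role": "sp"}
]""")


def federation(role):
    """Pick the configuration entry for a role ("ip" or "sp")."""
    return next(f for f in FEDERATIONS if f["role"] == role)


def iso(ts):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def issue_conditions(ip_cfg, issued_at):
    """IdP side: derive the Conditions window from assertionValidBefore/After."""
    return {
        "NotBefore": issued_at - timedelta(seconds=ip_cfg["assertionValidBefore"]),
        "NotOnOrAfter": issued_at + timedelta(seconds=ip_cfg["assertionValidAfter"]),
    }


def assertion_accepted(sp_cfg, conditions, now):
    """SP side: check Conditions, widening both edges by clockSkew (assumed
    symmetric). NotOnOrAfter is exclusive, as in the SAML Conditions element."""
    skew = timedelta(seconds=sp_cfg.get("clockSkew", 0))
    if now < conditions["NotBefore"] - skew:
        return False, "assertion not yet valid"
    if now >= conditions["NotOnOrAfter"] + skew:
        return False, "assertion expired"
    return True, "ok"


def message_fresh(cfg, issue_instant, now):
    """Either side: accept a message only if its IssueInstant is within
    messageValidTime seconds of the local clock (assumed to apply both ways)."""
    return abs(now - issue_instant) <= timedelta(seconds=cfg["messageValidTime"])
```

With clockSkew at the response's default of 0, an assertion received even one second past NotOnOrAfter is rejected, which is the usual cause of SSO failures between hosts whose clocks drift.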