restSTS.properties revision dba6264e760052e4f42a5114d2690f1e188cb767
#This file defines the I18N Keys referenced in restSTS.xml. However, the ViewBean context for the restSTS.xml is delegated
#to the RestSTSEditViewBean class, and the propertyRestSecurityTokenService.xml file, which defines I18N keys defined
#in amConsole.properties. I believe that the contents of this file are superfluous - though it cannot be removed, as
#this causes the UI generation process to break. Its contents are out of sync with the keys defined in
#propertyRestSecurityTokenService.xml and the corresponding values defined in amConsole.properties.
rest_security_token_service_description=REST Security Token Service
am_deployment_url=The url corresponding to the OpenAM deployment
issuer_name=The name of the issuer.
issuer_name.help=This name will appear in some issued tokens - e.g. in the saml:Issuer of issued SAML2 assertions.
deployment_realm=The realm in which the REST STS instance will be deployed.
deployment_url_element=The final element in the url defining the REST STS endpoint
deployment_url_element.help=For example, the restSTS1 element in http://host.com:80/openam/realm1/realm2/restSTS1
deployment_auth_target_mappings=For each validated token type (other than OpenAM), the REST authN elements which will validate token instances
deployment_auth_target_mappings.help=Entry format: TokenType;authIndexType;authIndexValue;context_key=context_value,context_key1=context_value1. \
The context_key=context_value entries are optional.
deployment_auth_target_mappings.help.txt=Some authN modules require additional state: for example, the OpenID Connect \
authN module expects the IdToken in a specific header. The final key=value entry following the final ';' stipulates \
this context. The key must be oidc_id_token_auth_target_header_key, and the value corresponding to the header value \
configured for the OpenID Connect authN module.
deployment_offloaded_two_way_tls_header_key=Client Certificate Header Key
deployment_offloaded_two_way_tls_header_key.help.txt=Token transformation which take X509 Certificates as the input token require that \
the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. \
A standard means of obtaining the client certificate presented via two-way TLS is via the javax.servlet.request.X509Certificate \
attribute in the ServletRequest. However, in TLS-offloaded deployments, the TLS-offloader must communicate the client \
certificate to its ultimate destination via an Http header. If this rest-sts instance is to support token transformations \
with X509 Certificate input, and OpenAM will be deployed in a TLS-offloaded context, then this value must be set to the \
header value which the TLS-offloading engine will use to set client certificates presented via the TLS handshake.
deployment_tls_offload_engine_hosts=Trusted Remote Hosts
deployment_tls_offload_engine_hosts.help.txt=Token transformation which take X509 Certificates as the input token require that \
the X509 Certificate be presented via two-way TLS, so that the TLS handshake can validate client certificate ownership. \
If OpenAM is deployed in a TLS-offloaded environment, in which the TLS-offloader must communicate the client certificate \
to the rest-sts via an Http header, this certificate will only be accepted if the ip address(es) of the TLS-offload engines \
are specified in this list. Specify 'any' if a client certificate can be presented in the specified header by any rest-sts \
client.
supported_token_transforms=Listing of support token transformations
supported_token_transforms.help=Entry format:input_token_type;output_token_type;{true|false}, where true|false indicates \
whether the interim OpenAM session is invalidated following token issuance.
supported_token_transforms.help.txt=Example: for the transform USERNAME:SAML2, it is likely that the OpenAM session \
generated as part of validating the USERNAME token should be invalidated, and thus the config entry would be \
USERNAME;SAML2;true. If this value is false, each USERNAME->SAML2 transformation will result in a 'left-over' OpenAM session. \
Note that currently, any transformation which starts with an OPENAM session, e.g. OPENAM;SAML2, will not invalidate \
this OPENAM session, as it was not created as part of the token transformation.
saml2_keystore_filename=The full path to the keystore, either on the classpath, or on the filesystem.
saml2_keystore_password=The password to the keystore specified above
saml2_keystore_signature_key_alias=The alias identifying the private key entry used to sign issued tokens
saml2_keystore_signature_key_password=The password corresponding to the signature key alias, if any
saml2_keystore_encryption_key_alias=
saml2_name_id_format=SAML2 name ID format
saml2_name_id_format.help=The default value is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
saml2_name_id_format.help.txt=See section 8.3 of <a href="http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf" target="_blank">\
Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0</a> for details on possible values.
saml2_token_lifetime_seconds=SAML2 token lifetime
saml2_token_lifetime_seconds.help=Set to over-ride the default of 600 (10 minutes).
saml2_custom_conditions_provider_class_name=Class name of custom conditions provider (optional)
saml2_custom_subject_provider_class_name=Class name of custom subject provider (optional)
saml2_custom_authentication_statements_provider_class_name=Class name of custom authentication statements provider (optional)
saml2_custom_authz_decision_statements_provider_class_name=Class name of custom authorization decision statements provider (optional)
saml2_custom_attribute_mapper_class_name=Class name of custom attribute mapper (optional)
saml2_custom_authn_context_mapper_class_name=Class name of custom authentication context mapper (optional)
saml2_canonicalization_algorithm=Canonicalization algorithm (optional)
saml2_signature_algorithm=Specify a custom signature algorithm (optional)
saml2_signature_algorithm.help=If no custom algorithm is specified, either http://www.w3.org/2000/09/xmldsig#dsa-sha1 or \
http://www.w3.org/2000/09/xmldsig#rsa-sha1 is used, depending upon the type of the private key
saml2_attribute_map=Specification of mapped attributes
saml2_attribute_map.help.txt=Contains the mapping of saml attribute names (Map keys) to local OpenAM attributes (Map values) in \
various stores. The DefaultAttributeMapper looks at profile attributes in various places: \
LDAP or SQL, depending on data store setup, or in Session properties. The keys will define the name of the attributes \
included in the Assertion Attribute statements, and the data pulled from the subject's directory entry or session state \
corresponding to the map value will define the value corresponding to this attribute name. If the attribute value is \
enclosed in quotes, that quoted value will be included in the attribute without mapping. Binary attributes should be \
followed by ';'.