A-Select protocol profile
Since: 1.4 (previous version: 1.1)
To enable the A-Select profile, add the configuration described in the following sections to the OpenASelect Server configuration (oa.xml).
A-Select Profile
The A-Select profile requires the following configuration to be added within the <profiles></profiles> section of the OA configuration.
<profile id="aselect" class="com.alfaariss.oa.profile.aselect.processor.ASelectProcessor">
  <redirect_url>[redirect_url]</redirect_url>
  <!-- Optional WebSSO configuration -->
  <!-- Optional Error configuration -->
  <!-- A-Select WS configuration -->
  <requesthandlers>
    <sp enabled='[enabled]' app_level='[requestor_level]'>
      <!-- Optional Requestorpool configuration -->
    </sp>
    <idp enabled='[enabled]' app_level='[requestor_level]'>
      <!-- Optional Requestorpool configuration -->
    </idp>
  </requesthandlers>
  <!-- Authentication configuration -->
  <!-- Optional Logout configuration -->
</profile>
- [redirect_url] (optional) The URL the user is redirected to, e.g. 'http://localhost:8080/openaselect/profiles/aselect'.
- [enabled] (optional) Indicates whether the request handler it is set on (<sp> for service providers, <idp> for identity providers) is enabled. Default: TRUE.
- [requestor_level] The default application level of all service providers.
WebSSO Settings
The following WebSSO configuration is optional.
<websso>
  <path>[websso_path]</path>
  <url>[websso_url]</url>
</websso>
- [websso_path] (optional) The path of the WebSSO that the profile forwards to after processing. Default: '/sso'.
- [websso_url] (optional) The URL of the WebSSO, e.g. 'http://localhost:8080/openaselect/sso'. By default the profile only uses forwards.
Error
The following error handling configuration is optional.
<error>
  <jsp path='[error_jsp]'/>
  <handling local='[local_boolean]'/>
</error>
- [error_jsp] (optional) The path to the error JSP page. Default: '/ui/profiles/aselect/error.jsp'.
- [local_boolean] (optional) If set to 'true', all errors are processed by the OpenASelect Server itself. Default: FALSE.
Alternatively, this item can be configured as a property of the requestorpool as part of the business model, so that it is stored in the internal database.
| property name | property value |
|---|---|
| aselect.local_error_handling | [local_boolean] |
A-Select WS
A-Select WS support is optional and disabled by default.
<ws enabled='[ws_boolean]' force_requestor_id='[force_boolean]'/>
- [ws_boolean] (optional) Indicates whether the A-Select web service is enabled. Default: FALSE.
- [force_boolean] (optional) Indicates whether the requestor identifier is forced. Default: FALSE.
Note: The optional [redirect_url] is mandatory when using A-Select WS.
Requestorpool
<requestorpool id='[requestorpool_id]'>
  <signing enabled='[signing_enabled]' />
  <app_level>[application_level]</app_level>
  <uid attribute='[user_attribute]'>
    <opaque enabled='[opaque_boolean]' salt='[opaque_salt]'/>
  </uid>
</requestorpool>
- [requestorpool_id] The unique requestorpool identifier.
- [signing_enabled] (optional) Indicates whether request signing is enabled for this requestor.
- [application_level] (optional) The application level for this specific requestor.
- [user_attribute] (optional) The attribute that is released as user ID for this requestor.
- [opaque_boolean] (optional) Indicates whether the opaque user ID functionality is enabled for this requestor.
- [opaque_salt] (optional) If opaque user IDs are enabled, the salt value for this requestor.
Alternatively, these items can be configured as properties of the requestorpool as part of the business model, so that they are stored in the internal database.
| property name | property value |
|---|---|
| aselect.sign.requests | [signing_enabled] |
| aselect.app_level | [application_level] |
| aselect.uid.attribute | [user_attribute] |
| aselect.uid.opaque.enabled | [opaque_boolean] |
| aselect.uid.opaque.salt | [opaque_salt] |
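The following example is added here and is not OpenASelect's own code. It shows what the per-requestorpool opaque user ID settings from the table above buy you: with its own salt, each requestorpool receives a stable identifier for a user that cannot be matched against the identifier another pool receives, while a pool without opaque IDs gets the raw attribute. The derivation used (HMAC-SHA256 keyed with the pool's salt), the `release_uid` helper and the sample pools and user are assumptions for illustration; this page does not describe how OpenASelect itself computes the opaque ID or which attribute it releases when `aselect.uid.attribute` is absent.

```python
# Added example, not OpenASelect's own code: illustrates the effect of the
# aselect.uid.* requestorpool properties. The HMAC-SHA256 derivation is an
# assumption for illustration, not the product's documented algorithm.
import hashlib
import hmac


def opaque_uid(attribute_value: str, salt: str) -> str:
    """Derive a stable, non-reversible identifier for one requestorpool (assumed derivation)."""
    return hmac.new(salt.encode("utf-8"), attribute_value.encode("utf-8"), hashlib.sha256).hexdigest()


def release_uid(pool_properties: dict, user_attributes: dict) -> str:
    """Pick the user ID released to a requestorpool from its aselect.uid.* properties.

    pool_properties uses the property names from the table above; user_attributes
    is the authenticated user's attribute set. The attribute released when
    aselect.uid.attribute is absent is not stated on this page, so it is required here.
    """
    attribute = pool_properties["aselect.uid.attribute"]
    value = user_attributes[attribute]
    opaque = str(pool_properties.get("aselect.uid.opaque.enabled", "false")).lower() == "true"
    if not opaque:
        return value
    salt = pool_properties.get("aselect.uid.opaque.salt")
    if not salt:
        # Without a per-pool salt, two pools could compute the same opaque ID and
        # correlate the user again, so treat the configuration as invalid.
        raise ValueError("aselect.uid.opaque.enabled is true but aselect.uid.opaque.salt is not set")
    return opaque_uid(value, salt)


# Constructed sample data: three requestorpools and one authenticated user.
USER = {"uid": "alice", "mail": "alice@example.org"}
POOL_A = {"aselect.uid.attribute": "uid", "aselect.uid.opaque.enabled": "true",
          "aselect.uid.opaque.salt": "constructed-salt-for-pool-a"}
POOL_B = {"aselect.uid.attribute": "uid", "aselect.uid.opaque.enabled": "true",
          "aselect.uid.opaque.salt": "constructed-salt-for-pool-b"}
POOL_C = {"aselect.uid.attribute": "mail", "aselect.uid.opaque.enabled": "false"}

if __name__ == "__main__":
    # Pools A and B receive different IDs for the same user; pool C sees the raw mail attribute.
    for name, pool in (("A", POOL_A), ("B", POOL_B), ("C", POOL_C)):
        print(name, release_uid(pool, USER))
```

Running the block prints two different 64-character hex identifiers for pools A and B and the plain mail address for pool C; calling `release_uid` again for pool A returns the same identifier, which is what lets a requestor keep a session for the user without learning the underlying attribute.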
Authentication
<authentication authsp_level='[default_authsp_level]'>
  <profile id='[authsp_profile_id]' authsp_level='[authsp_level]' />
</authentication>
- [default_authsp_level] The default level of all authentication providers.
- [authsp_profile_id] The unique authentication provider identifier.
- [authsp_level] (optional) The authentication level for this specific authentication provider.
Alternatively, the authsp_level can be configured as a property of the authentication profile as part of the business model, so that it is stored in the internal database.
| property name | property value |
|---|---|
| aselect.authsp_level | [authsp_level] |
Logout
The following (partly optional) configuration controls the sending of synchronous logout requests to requestors. When the logout section is absent, logout is enabled and the defaults apply, but logout requests are only sent when a valid logout entry point is configured as a requestor property. Sending synchronous logout requests to SPs requires the SP role alias store to be enabled; how to enable this alias store is described in the TGT storage configuration reference.
<logout enabled="[enabled]">
  <http>
    <connection_timeout>[connection_timeout]</connection_timeout>
    <socket_timeout>[socket_timeout]</socket_timeout>
  </http>
</logout>
- [enabled] (optional) Configure FALSE to disable sending synchronous logout requests. Default: TRUE.
- [connection_timeout] (optional) The connection timeout in milliseconds. Default: not used.
- [socket_timeout] (optional) The socket timeout in milliseconds. Default: infinite.
The following properties are required for sending logout requests to the requestors. They can be added as requestor properties of the requestorpool as part of the business model, so that they are stored in the internal database.
| property name | property value |
|---|---|
| aselect.logout.target | The requestor URL used as entry point for synchronous logout, e.g. 'http://localhost/application'. |
| aselect.logout.signing | (optional) Indicates whether the logout request must be signed. |
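As an added example that is not part of OpenASelect, the script below lints an A-Select profile section assembled from the fragments in this reference. It checks the rules the reference states (redirect_url is mandatory when A-Select WS is enabled, an opaque user ID needs a salt, the socket timeout defaults to infinite) and flags a requestorpool that explicitly disables request signing. The embedded oa.xml is constructed sample input with deliberate mistakes, and the `check_aselect_profile` function, its finding texts and the pool identifiers are assumptions of this example; the default for `signing_enabled` is not stated on the page, so only an explicit 'false' is reported.

```python
# Added example, not part of OpenASelect: a small lint for the A-Select profile
# section of oa.xml. The configuration below is constructed sample input with
# deliberate mistakes; the element paths follow the fragments in this reference.
import xml.etree.ElementTree as ET

SAMPLE_OA_XML = """
<profiles>
  <profile id="aselect" class="com.alfaariss.oa.profile.aselect.processor.ASelectProcessor">
    <ws enabled="true" force_requestor_id="false"/>
    <requesthandlers>
      <sp enabled="true" app_level="10">
        <requestorpool id="pool-a">
          <signing enabled="false"/>
          <uid attribute="uid">
            <opaque enabled="true"/>
          </uid>
        </requestorpool>
        <requestorpool id="pool-b">
          <signing enabled="true"/>
          <app_level>20</app_level>
          <uid attribute="mail">
            <opaque enabled="true" salt="constructed-salt"/>
          </uid>
        </requestorpool>
      </sp>
      <idp enabled="false" app_level="10"/>
    </requesthandlers>
    <authentication authsp_level="10">
      <profile id="password" authsp_level="20"/>
    </authentication>
    <logout enabled="true">
      <http>
        <connection_timeout>5000</connection_timeout>
      </http>
    </logout>
  </profile>
</profiles>
"""


def _flag(element, name, default):
    """Read a boolean attribute, applying the default the reference documents when absent."""
    if element is None:
        return default
    return element.get(name, str(default)).strip().lower() == "true"


def check_aselect_profile(xml_text: str) -> list:
    """Return a list of findings (empty when the profile passes every check)."""
    profile = ET.fromstring(xml_text).find("profile[@id='aselect']")
    if profile is None:
        return ['no <profile id="aselect"> found under <profiles>']
    findings = []

    # A-Select WS section: redirect_url is mandatory when the web service is enabled.
    if _flag(profile.find("ws"), "enabled", False) and profile.find("redirect_url") is None:
        findings.append("A-Select WS enabled but <redirect_url> is missing")

    for handler in ("sp", "idp"):
        for pool in profile.findall(f"requesthandlers/{handler}/requestorpool"):
            pool_id = pool.get("id")
            if not pool_id:
                findings.append(f"{handler}: requestorpool without an id")
                pool_id = "<no id>"
            # The default for signing is not stated on the page; report only an explicit 'false'.
            signing = pool.find("signing")
            if signing is not None and not _flag(signing, "enabled", True):
                findings.append(f"{handler} requestorpool {pool_id}: request signing disabled")
            # Requestorpool section: an opaque user ID needs a per-pool salt.
            opaque = pool.find("uid/opaque")
            if _flag(opaque, "enabled", False) and not opaque.get("salt"):
                findings.append(f"{handler} requestorpool {pool_id}: opaque uid enabled without a salt")

    # Logout section: enabled unless configured otherwise; socket_timeout defaults to infinite,
    # so a hung requestor would block the logout call indefinitely.
    logout = profile.find("logout")
    if _flag(logout, "enabled", True) and profile.find("logout/http/socket_timeout") is None:
        findings.append("logout enabled without <socket_timeout> (default is infinite)")
    return findings


if __name__ == "__main__":
    for finding in check_aselect_profile(SAMPLE_OA_XML):
        print("-", finding)
```

Run against the embedded sample, the lint reports four findings: the missing redirect_url, pool-a's disabled signing, pool-a's salt-less opaque ID and the missing socket timeout; pool-b passes. Point it at a real oa.xml by reading the file into `check_aselect_profile` instead of the sample string.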
