SAML web single sign-on (SSO) trust association interceptor (TAI) custom properties

The following tables list the custom properties for the Security Assertion Markup Language (SAML) trust association interceptor (TAI). You can define these properties in the custom properties panel for the SAML TAI using the administrative console.

To assign unique property names that identify each possible single sign-on (SSO) service provider (SP) partner, an sso_<id> is embedded in the property name and used to group the properties that are associated with each SSO partner. The sso_<id>s are numbered sequentially for each SSO service provider partner.

The SAML TAI custom properties can be grouped into three categories:

Global properties - these properties are applicable to all SSO partners that are configured for the SAML TAI.
IdP properties - these properties are applicable to identity providers that are configured for the SAML TAI. To assign unique property names that identify each identity provider partner, an idp_<id> is embedded in the property name and used to group the properties that are associated with each SSO IdP partner.
Service provider properties - these properties apply to a service provider and are grouped for each SSO service provider partner under a unique sso_<id>. You replace <id> with a number to produce a unique sso_<id>, such as sso_1.acsUrl. If you have two providers, you would produce another set with sso_2.acsUrl.

Note: All custom properties names are case sensitive.

Avoid trouble: A principal name is required for SAML web single sign-on. By default, the principal is obtained from the NameID element in the Subject of the SAML assertion. If there is no NameID element in the SAML assertion then the desired principal name must be in an Attribute in the token. The name of the attribute that specifies the principal name is configured on the sso_<id>.sp.principalName custom property. If there is no NameID in the SAML assertion and the sso_<id>.sp.principalName custom property is not configured, the SAML Web SSO TAI will not allow access to the protected resource.

The following table describes the global SAML TAI custom properties:

Table 1. Global SAML TAI custom properties
Property name	Values	Description
`targetUrl`	You can specify any URL value.	This property is overridden by `sso_<id>.sp.targetUrl`. This is the default target URL after successful validation of the `SAMLResponse` when there is no `RelayState` received from the IdP.
`useRelayStateForTarget`	You can specify one of the following values: true (Default) false	This property is overridden by `sso_<id>.sp.useRelayStateForTarget`. This is used to indicate if the `RelayState` should be used as the target URL.
`useJavaScript`	You can specify one of the following values: true false (Default)	Set this property to `true` to enable the TAI to use JavaScript when a request is redirected to an IdP. When you do not use JavaScript, any fragments that are present on the original inbound request are lost. When the `sso_<id>.sp.login.error.page` property is set to a class name to implement SP-Initiated SSO, the value for this property is ignored. When this property is set to a value, the value for the `redirectToIdPonServerSide` property is ignored.
`allowedClockSkew`	You can specify any positive number. The default is three minutes.	This property is overridden by `sso_<id>.sp.allowedClockSkew`. This is used to specify the allowed clock skew in minutes when validating the SAML assertion.
`enforceTaiCookie`	You can specify one of the following values: true (Default) false	This property is overridden by `sso_<id>.sp.enforceTaiCookie`. This is used to indicate if the SAML TAI should check if an LTPA cookie is mapped to a Subject created for the SSO partner. See the table entry for `sso_<id>.sp.enforceTaiCookie` for more information.
`logoutUrl`	You can specify any URL value. This URL cannot be the single logout (SLO) endpoint of the IdP	This property is overridden by `sso_<id>.sp.logoutUrl`. The logout request is redirected to the URL that is specified on this property when an `HttpServletRequest.logout` or form logout is performed.
`preventReplayAttackScope`	This property does not have a default. You can specify the following value: server	By default, the SAML TAI uses a distributed cache to store SAML assertion IDs for preventing replay attack. If you set this property to server, the SAML TAI uses a local cache instead.
`replayAttackTimeWindow`	You can specify any integer value. The default value is 30.	This property specifies the time, in minutes, within which the second request is rejected if two identical SAML assertions are received by the TAI. See also `sso_<id>.sp.preventReplayAttack`.
`retryOnceAfterTrustFailure`	You can specify one of the following values: true false	Set this property to `true` to enable the run time to reload the trust store after trust validation has failed. This allows the trust store to be updated with new IdP certificates while the application server is running.
`redirectToIdPonServerSide`	You can specify one of the following values: true (Default) false	This property is overridden by `sso_<id>.sp.redirectToIdPonServerSide`. This property is used to indicate that the TAI should redirect to the IdP itself. Set this property to `false` to do a client-side redirect. Set this property to `false` if URL fragments are being lost on the redirect; the TAI uses JavaScript to do a client-side redirect. When the `sso_<id>.sp.login.error.page` property is set to a class name to implement SP-Initiated SSO, the value for this property is ignored. When the `useJavaScript` property is set to a value, the value for this property is ignored.

The following table describes the IdP SAML TAI custom properties:

Table 2. IdP SAML TAI custom properties
Property Name	Values	Description
`sso_<id>.idp_<id>.SingleSignOnUrl`	You can specify any URL value.	This custom property specifies the URL of the SSO service of the IdP. This property is used when the `sso_<id>.sp.login.error.page` property is set to a class name to implement SP-Initiated SSO or identity provider mapping. When the `sso_<id>.sp.login.error.page` property is not set to a value or its value is a URL, the value for the `sso_<id>.idp_<id>.SingleSignOnUrl` property is not used by the SAML TAI.
`sso_<id>.idp_<id>.allowedIssuerDN`	This custom property does not have a default value.	This custom property specifies the Subject DN of the certificate who is allowed to sign the SAML assertion sent by the IdP. If the SAML assertion is not signed by this certificate, the token is rejected. If this property is specified, the `sso_<id>.sp.wantAssertionsSigned` custom property must be true. Use this property when, instead of IdP's signer certificate, you have the signer certificate's Issuer in the trust store. This will prevent you from allowing all signers with certificates issued by the same Issuer.
`sso_<id>.idp_<id>.allowedIssuerName`	This custom property does not have a default value.	This custom property specifies the value of the `<saml:Issuer>` Issuer element in the SAML assertion. The SAML assertion received from the IdP is rejected if the Issuer in the token does not match this value.

The following table describes the service provider SAML TAI custom properties:

Table 3. Service provider SAML TAI custom properties
Property Name	Values	Description
`sso_<id>.sp.acsUrl`	This property is required and does not have a default value. You can specify one of the following values: URL of the assertion consumer service (ACS): https://<hostname>:<sslport>/samlsps /<any URI pattern String> URL of the business application.	This property specifies the URL of the ACS or business application. If you need to have multiple, similar entry points for your SAML workflows, you can specify a URL with a wildcard at the end of the string instead of a specific URI pattern string for this property. For example: `https://<server>/<context_root>/ep1/path1/p` `https://<server>/<context_root>/ep1/` The value for each `sso_<id>.sp.acsUrl` property must have a unique URI path. A URI path does not include the protocol and `<hostname>:<port>` parts of a URL string. For example, `https://here.com/samlsps/app/go` and `https://elsewhere.com/samlsps/app/go` have the same URI path, `/samlsps/app/go`, so only one of them can be configured as an `acsUrl` entry.
`sso_<id>.sp.login.error.page`	This property does not have a default value, but a value is required to be set when requests are to be processed using the SP-initiated web SSO flow.	This property specifies the error page, IdP login page, or custom mapping class to which an unauthenticated client request is redirected. The custom mapping class can implement `com.ibm.wsspi.security.web.saml.IdentityProviderMapping` for identity provider mapping or `com.ibm.wsspi.security.web.saml.AuthnRequestProvider` for SP-Initiated SSO. For both SP-initiated SSO and identity provider mapping, when requests go the application server first, they are redirected to the IdP for the user to log in.
`sso_<id>.sp.acsErrorPage`	This property defaults to the value for sso_<id>.sp.login.error.page .	This property is used to specify an error page to use if the SAML assertion fails validation or authentication.
`sso_<id>.sp.filter`	You can specify any filter value. The default value is `request-url~=.*`.	This property specifies a condition that is checked against an HTTP request to select an SP to process the request. For more information on this property, see the SAML TAI filter property section. The default filter intercepts all requests that are sent to the TAI, except requests to admin applications. If a request matches the filter condition for more than one SP, the request is rejected.
`sso_<id>.sp.logoutUrl`	You can specify any URL value for this property. This URL cannot be the single logout (SLO) endpoint of the IdP.	The logout request is redirected to the URL that is specified on this property when an `HttpServletRequest.logout` or form logout is performed.
`sso_<id>.sp.targetUrl`	This property does not have a default value.	This property specifies the URL of the target application. It is used when `RelayState` is not present in the client request.
`sso_<id>.sp.useRelayStateForTarget`	You can specify one of the following values: true (Default) specify this value if you want to use the value of RelayState in the client request as the URL of the target application. false specify this value if you want to use the value of sso_<id>.sp.targetUrl as the URL of the target application.	This property specifies whether the `RelayState` value received in the client request should be used as the URL of the target application or not. If this property is set to false, the `sso_<id>.sp.targetUrl` property is used as the URL of the target application.
`sso_<id>.sp.idMap`	You can specify one of the following values: idAssertion (Default) the user specified in the SAML assertion is not checked in the local registry localRealm the SAML user is verified in the local user registry localRealmThenAssertion if the user is not found in the local registry, IDAssertion is used	This property specifies how the SAML user is mapped to the Subject.
`sso_<id>.sp.principalName`	You can specify any SAML attribute name. This property does not have a default value.	This property specifies the SAML attribute that is used as the Subject principal. By default, the value for the Subject principal is obtained from the `NameID` element in the `Subject` element in the SAML assertion.
`sso_<id>.sp.uniqueId`	You can specify any SAML attribute name. This property does not have a default value.	This property specifies the SAML attribute that is used as the Subject `uniqueId`. By default, the value for the `uniqueId` is obtained from the `NameID` element in the `Subject` element in the SAML assertion.
`sso_<id>.sp.groupName`	You can specify any SAML attribute name. This property does not have a default value.	This property specifies the SAML attribute that contains the group memberships for the user and is used with IDAssertion only. The groups are added to the Subject for the user according to the value for the `sso_<id>.sp.groupMap` property.
`sso_<id>.sp.groupMap`	This property does not have a default value. You can specify one of the following values: localRealm map the groups from the SAML assertion to matching groups and parent groups in the WebSphere registry. addGroupsFromLocalRealm map the groups from the SAML assertion to matching groups and parent groups in the WebSphere registry. In addition to the groups that are found in the WebSphere registry, the user's Subject contains the groups from the SAML assertion	This property specifies how the groups in the SAML assertion are mapped to WebSphere groups and is used with IDAssertion only. The `sso_<id>.sp.groupName` property must be set to a value to pick up the groups from the SAML assertion. By default, when IDAssertion is used, groups are not added to the Subject for the SAML user.
`sso_<id>.sp.realmName`	This can be any string value. By default, this property is set to the SAML Issuer name.	This property specifies any SAML attribute and is used in conjunction with `realmNameRange`. The value of this attribute is used as the Subject realm. If this realm does not exist in the list of realms specified by `realmNameRange`, the realm is rejected.
`sso_<id>.sp.realmNameRange`	This property has no default value.	This property specifies a list of allowed realm names and is used in conjunction with `realmName`. See the description of `sso_<id>.sp.realmName`.
`sso_<id>.sp.useRealm`	This custom property does not have a default value.	This property specifies a realm name and is used to override the default realm. This property also overrides the `realmName` property. Set the value for this property to `WAS_DEFAULT` to use the default WebSphere realm name.
`sso_<id>.sp.wantAssertionsSigned`	You can specify one of the following values: true (Default) the service provider requires the IdP to sign the SAML assertion false the SAML assertion is not required to be signed by the IdP	If this property is set to false, the SAML assertion is not required to be signed and the signature is not validated. When the value for this property is true, either sso_<id>.sp.trustAnySigner must be set to true or sso_<id>.sp.trustStore set to a valid managed keystore.
`sso_<id>.sp.trustAnySigner`	You can specify one of the following values: false (Default) the signer certificate is verified for trust validation true any signer certificate is trusted without trust validation Best practices: Use this custom property for diagnosis purposes only. Do not use it in a production environment.	This property specifies whether the signer certificate of the SAML assertion is verified for trust validation. If this property is set to true, any signer certificate is trusted.
`sso_<id>.sp.trustStore`	On a single server, the default trustStore is `NodeDefaultTrustStore`, otherwise, it is `CellDefaultTrustStore`.	This property specifies the truststore for validating the SAML signature. It specifies the name of a managed keystore. Examples: `myKeyStoreRef` `name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode`
`sso_<id>.sp.trustedAlias`	This property does not have a default value.	If this property is specified, the certificate that is specified by this alias is used to validate the signature in the SAML assertion. This certificate overrides any certificate value that might be present in the SAML assertion. If the signature in the incoming SAML assertion in the `SAMLResponse` does not include the `KeyInfo` element, you must specify this property to verify the signature.
`sso_<id>.sp.keyStore`	This property is used to receive and process `EncryptedAssertions`. On a single server, the default keyStore is `NodeDefaultKeyStore`. Otherwise, it is `CellDefaultKeyStore`.	This property specifies the name of the managed keystore that contains the private key for decrypting an encrypted SAML assertion. Examples: `myKeyStoreRef` `name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode`
`sso_<id>.sp.keyAlias`	This property is required to receive and process EncryptedAssertions and does not have a default value.	This property specifies the key alias for decrypting the SAML assertion.
`sso_<id>.sp.keyName`	This property is required to receive and process EncryptedAssertions and does not have a default value.	This property specifies the key name for decrypting the SAML assertion.
`sso_<id>.sp.keyPassword`	This property is required to receive and process EncryptedAssertions and does not have a default value.	This property specifies the key password for decrypting the SAML assertion.
`sso_<id>.sp.allowedClockSkew`	This property does not have a default value.	This property specifies, in minutes, the time that is added to the token expiration time of the SAML assertion sent by the IdP.
`sso_<id>.sp.charEncoding`	This property does not have a default value. An example setting is UTF-8.	This property specifies the character encoding that is used to override the setting in the `HTTPServletRequest`.
`sso_<id>.sp.cookiegroup`	This property does not have a default value.	This property specifies a tag to be added to an ltpa cookie for the configured SAML SSO partner. When a web request is received with an ltpa cookie, the ltpa cookie is valid only if the tag matches this value.
`sso_<id>.sp.defaultRealm`	You can specify one of the following values: IssuerName (Default) use the SAML assertion Issuer as the default realm NameQualifier use the SAML assertion NameQualifier as the default realm	This custom property specifies whether the Issuer or the NameQualifier from the SAML assertion is used as the default realm.
`sso_<id>.sp.disableDecodeURL`	You can specify one of the following values: true false (Default)	When this property is set to true, the original URL for redirect is used, without decoding the URL.
`sso_<id>.sp.enforceTaiCookie`	You can specify one of the following values: true (Default) false	This property is used to indicate if the SAML TAI should check if an LTPA cookie is mapped to a Subject created for the SSO partner. Consider the situation where you set this property to `true` (the default) and an LTPA cookie is created for one SSO partner. In this situation, if a subsequent request is received that satisfies the filter for a different SSO partner, the user is required to login to the idP again. If all your SSO partners use the same idP, you might consider setting this property to `false`. When this property is set to `true` (the default), the `sso_<id>.sp.includeCacheKey` property must also be set to `true` (the default).
`sso_<id>.sp.EntityID`	By default, this property is set to the value of sso_<id>.sp.acsUrl.	This property is used to verify `AudienceRestriction` in the SAML assertion.
`sso_<id>.sp.includeCacheKey`	You can specify one of the following values: true (Default) false	This property indicates that the TAI is to generate a custom `authCache`for the WebSphere Subject that is created for the request. When this property is set to `false`, core security generates the cache key. This property must be set to `true` when the `enforceTaiCookie` property is set to `true`. When the `sso_<id>.sp.includeCacheKey` property is set to `false`, the Subject can be constructed directly from the registry. When the Subject is constructed directly from the registry, the `SAMLToken` is no longer available on the Subject. Core security must re-construct an unexpired Subject when it is unable find the Subject in its `authCache` usually due to inactivity or cache size limit. When `sso_<id>.sp.includeCacheKey` is set to `true` (the default), core security cannot construct a Subject directly from the registry, when an `authCache` hit fails. The user must be redirected to the idP to re-authenticate.
`sso_<id>.sp.includeToken`	You can specify one of the following values: true (Default) false	This property indicates that the TAI includes a SAMLtoken object, which is created from the SAML assertion that is received from the identity provider, in the WebSphere Subject. This property must be set to `true` (the default) in each of the following conditions: The `SAMLToken` object is propagated in web services. The `SAMLToken` object must be available to applications on the server. If you require a `SAMLToken` object on the Subject, then the `sso_<id>.sp.includeCacheKey` property must be set to `true` (the default). When the `sso_<id>.sp.includeCacheKey` property is set to `false`, the Subject can be constructed directly from registry. When the Subject is constructed directly from the registry, the `SAMLToken` is no longer available on the Subject. Core security must re-construct an unexpired Subject when it is unable to find the Subject in its `authCache`, usually due to inactivity or cache size. When `sso_<id>.sp.includeCacheKey` is set to `true` (the default), core security cannot construct a Subject directly from the registry when an `authCache` hit fails. The user must be redirected to the idP to re-authenticate.
`sso_<id>.sp.interceptAdminApp`	Pick one of the valid values for this custom property: true false (Default)	Set this property to `true` to enable an SP to intercept an admin application, such as the administrative console. When you set this property to `true`, make sure to set your filters so that command-line applications such as `wsadmin` are not intercepted. By default, even if a filter is set to intercept an admin application, the TAI does not intercept it unless this property is set to `true`.
`sso_<id>.sp.preserveRequestState`	You can specify one of the following values: true (Default) the client state is saved and restored when it is redirected to the IdP login false the client state is not saved	Set this property to false if you do not want the TAI to save the original request URL and the parameters before it redirects the request to the IdP for authentication. When you set this property to false, the `WasSamlSpReqURL` cookie is not used to restore a request. You must ensure that one of the following actions is taken. Set a value for either the targetUrl or the sso_<id>.sp.targetUrl SAML TAI property. Set the RelayState parameter in the SAMLResponse defining the target URL and then set the sso_<id>.sp.useRelayStateFortTarget SAML TAI property to true.
`sso_<id>.sp.preventReplayAttack`	You can specify one of the following values: true (Default) false	This property is used to specify whether the SAML TAI should prevent two identical SAML assertions from being sent in client requests. This property is used in conjunction with the global property `replayAttackTimeWindow`.
`sso_<id>.sp.preventReplayAttackScope`	This property does not have a default. You can specify the following value: server	By default, the SAML TAI uses a distributed cache to store SAML assertion IDs for preventing replay attack. If you set this property to server, the SAML TAI uses a local cache instead.
`sso_<id>.sp.redirectToIdPonServerSide`	You can specify one of the following values: true (Default) false	This property is used to indicate that the TAI should redirect to the IdP itself. Set this property to `false` to do a client-side redirect. Set this property to `false` if URL fragments are being lost on the redirect; the TAI uses JavaScript to do a client-side redirect. When the `sso_<id>.sp.login.error.page property` is set to a class name to implement SP-Initiated SSO, the value for this property is ignored. When the `sso_<id>.sp.useJavaScript` property is set to a value, the value for this property is ignored.
`sso_<id>.sp.retryOnceAfterTrustFailure`	You can specify one of the following values: true false	Set this property to `true` to enable the run time to reload the trust store after trust validation has failed. This allows the trust store to be updated with new IdP certificates while the application server is running.
`sso_<id>.sp.useJavaScript`	You can specify one of the following values: true false (Default)	When this property is set to `true` and a request is redirected to an IdP, the TAI uses JavaScript. When JavaScript is not used, any fragments that are present on the original inbound request are lost. When the `sso_<id>.sp.login.error.page` property is set to a class name to implement SP-Initiated SSO, the value for this property is ignored. When this property is set to a value, the value for the `redirectToIdPonServerSide` property is ignored.
`sso_<id>.sp.userMapImpl`	This property does not have a default value.	This property specifies the name of a custom user mapping module class. It is used to map a user ID in the SAML assertion to another user ID that exists in the local user registry. The custom mapping class must implement the `com.ibm.wsspi.security.web.saml.UserMapping` interface. The `com.ibm.wsspi.security.web.saml.UserMapping` interface resides in the `com.ibm.wsfp.main.jar` file in the (WAS_HOME)/plugins directory. The .jar file containing the custom class must be placed in either the (WAS_HOME)/lib or (WAS_HOME)/lib/ext directory. If, when a user mapping error occurs, you want to use an error page other than what is set on the sso_<id>.sp.acsErrorPage custom property, use the `com.ibm.websphere.security.UserMappingException.setErrorPage` method
`sso_<id>.sp.X509PATH`	This property does not have a default value.	This property specifies the certificate store that is used for the intermediary certificates used in validating the SAML signature.
`sso_<id>.sp.CRLPATH`	This property does not have a default value.	This property specifies the certificate store that is used for certificate revocation lists (CRLs) used in validating the SAML signature.

SAML TAI filter property

The sp.filter SAML TAI filter property is used when a client invokes a protected service provider application directly, without authenticating to the IdP. The filter property is usually used in conjunction with the sp.login.error.page property to redirect an unauthenticated client request to the URL address specified by the sp.login.error.page property. The sp.filter properties do not apply to a SAMLResponse. The request URL in a SAMLResponse is evaluated against the sp.acsURL.

The SAML TAI filter properties are supported by the OAuth, OIDC, and SAML Web Inbound TAIs.

The filter property specifies a set of conditions that are compared against the HTTP request of the client to select a SAML web SSO service provider partner for processing the HTTP request. Each condition is specified by the following three elements.

Input: The input element usually specifies an HTTP header name, but can also be a keyword to specify a special input element. See table 4 for the supported special input elements.
Operator: The operator element specifies the filter operator to compare the input element to the comparison value. See table 5 for the list of filter operators.
Comparison value: Thai comparison value element specifies the value that the information from the HTTP request is compared to.

The conditions are evaluated from left to right, as specified by the comparison value. If all the filter conditions specified by an SSO service provider partner are met in an HTTP request, the SSO service provider partner is selected for the HTTP request.

Avoid Trouble: The SAML TAI evaluates the inbound request against the filter conditions for each SSO service provider. If the request matches the filter condition for more than one SSO service provider, the request is rejected.

The input element identifies an HTTP request header field to extract from the request and its value is compared with the value that is specified in the filter property according to the operator specification. If the header field that is identified by the input element is not present in the HTTP request, the condition is treated as not being met. Any HTTP request header field can be used as the input element in the filter condition. Refer to the HTTP specification for the list of valid headers.

In addition to HTTP header fields, the following special input elements can be used in the filter property:

Table 4. Special input elements
Property name	Description
`request-url`	This filter compares against the URL address that is used by the client application to make the request. This value includes the query string. For example: `https://acme.com/app/folder/page.html?abc=123`
`remote-address`	This filter compares against the TCP/IP address of the client application that sent the HTTP request.
`applicationNames`	This filter compares against the name of the application to which the HTTP request belongs.
`request-uri`	This filter compares against the part of the request URL from the protocol name up to the query string of the HTTP request. This value does not include the query string. For example, the `request-uri` is `/app/folder/page.html` for the `https://acme.com/app/folder/page.html?abc=123` URL. The `request-uri` special input element is valid for the SAML TAI filter property.

The following table lists the different operators used in the filter property:

Table 5. Filter property operators
Operator	Condition	Examples
`==`	The input element must be equal to the comparison value. This is the only operator that specifies an exact match.	`From==jones@my.company.com`
`%=`	The input element must contain the comparison value.	`user-agent%=IE 6` `request-url%=company.com/urlApp1`
`^=`	The input element must contain one of the comparison values. This is the only operator that can be combined with the \| operator. If only one value is specified, this operator is equivalent to %=.	`request-url^=urlApp1\|urlApp2\| urlApp3`
`!=`	The input element must not contain the comparison value.	`request-url!=test105`
`~=`	The input element must match the comparison value as a regular expression.	`request-uri~=/ibm/console(?!/images/)(.).` `MY_HEADER~=^.* (is present)` `MY_HEADER~=\0 (is not present)`
`>`	The input element is greater than the comparison value.	`remote-address>192.168.255.130`
`<`	The input element is less than the comparison value.	`remote-address<192.168.255.135`
`;`	Logical AND Operator	`request-url!=test105;From==jones@my.company.com5`
`\|\|`	Logical OR Operator	`request-uri~=/ibm/console(?!/images/)(.).\|\|request-url!=test105;From==jones@my.company.com\|\|request-url%=company.com/urlApp1`

Before version 8.5.5.23, no logical OR operator exists that you can use with filter properties.

Examples

In the following example, the filter property specifies an HTTP header field From as the input with samluser@xyz.com as the comparison value and == as the operator:

sso_1.sp.filter=From==samluser@xyz.com

In this case, if a client request contains an HTTP header field From with a value of samluser@xyz.com, the SAML TAI selects the SSO service provider partner of this sso_1 filter for processing the client request.

In the following example, the filter property specifies a URL with ivtlanding.jsp as the comparison value and %= as the operator:

sso_2.sp.filter=request-url%=ivtlanding.jsp

In this case, if the URL of the target application invoked by the client contains the string ivtlanding.jsp, the SAML TAI selects the SSO partner of this sso_2 filter for processing the client request.

In the following example, the filter property specifies an application name with DefaultApplication as the comparison value and == as the operator:

sso_3.sp.filter=applicationNames==DefaultApplication

In this case, if the name of the target application invoked by the client application is DefaultApplication, the SAML TAI selects the SSO partner of this sso_3 filter for processing the client request.