MediaWiki API result


{
    "batchcomplete": "",
    "continue": {
        "gapcontinue": "SAMLSpecificationVersion",
        "continue": "gapcontinue||"
    },
    "query": {
        "pages": {
            "21": {
                "pageid": 21,
                "ns": 0,
                "title": "Release Notes v1.94",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "\nThere were several feature requests and enhancements made in version 1.94 that needed to be addressed.&nbsp; Some of the underlying .NET libraries were updated as well. &nbsp; &nbsp;\n\n== Technology Updates ==\n\nThe following updates were made and have no impact in functionality.&nbsp; The [[Upgrading_v1.93_to_v1.94|web.config]] does have to be updated in existing entries to ensure that the new versions are used. &nbsp;\n\n=== Maintenance Item 2020-01-09-A<br/> Upgrade to MVC 5.2.7 ===\n\n=== Maintenance Item 2020-01-09-B<br/> Clean build folders ===\n\n=== Maintenance Item 2020-01-09-D<br/> Upgrade to EntityFramework 6.3 ===\n\n=== Maintenance Item 2020-01-09-F<br/> SQLite upgrade 1.0.112 ===\n\n&nbsp;\n\n== Enhancements and Feature Requests ==\n\n=== Problem Ticket 2019-12-17-A ===\n<div><br/> Support for special case of having an AD group that includes \"Domain Users\" as a member.&nbsp;</div> <div>This is a unique scenario and something that the .NET directory objects don't handle all that well since \"Domain Users\" is the primary group of 99.99% of the users in AD (except when admins make changes).&nbsp; As such it does not exist as a group member that can be enumerated recursively when placed in group.&nbsp; Technically adding \"domain users\" to any groups tends to superfluous since that means that (typically) all users will be a member of the group and may as well be better server by assigning the \"Domain Users\" group.&nbsp; Nonetheless, the scenario does exist and now the code will look for that special condition.</div> \nNote: this is an expensive operation since that group will be looked specifically and adds additional overhead.&nbsp; You need to enable this (new) parameter:\n<pre>PrimaryADGroupCheck=\"true\"</pre>\n\n&nbsp;\n\n=== Feature Request 2019-07-22-A ===\n<div><br/> Feature request for permissions if the GroupName is \"*\" then it will apply to all users and will not actually check against directory server; 
good for global rules.</div> <div>In some scenarios where UserContextMode 4 (and 5) is used, the administrator may wish to grant (or deny) users access.&nbsp; Using the \"*\" (asterisk) in the group permission elements will assign the Allow/Deny rule automatically without invoking the directory server which speeds up performance.</div> <pre>      <Domains Description=\"Everyone\" DomainName=\"corporate\" GroupName=\"*\" Action=\"Allow\"/>\n</pre>\n\n&nbsp;\n\n=== Feature Request 2019-08-20-A ===\n<div><br/> Force purge STS session cookie after redirect to Service Provider.</div> <div>Although the .NET session by default is set to 2 minutes, there is no need to maintain the session if the users has been redirected to the Service Provider.&nbsp; At that point, there is no need to have the session maintained and good security hygiene would suggest that the session be terminated.&nbsp; While no confidential information is stored in the session cookie, having a valid cookie leaves the exploit of replay attacks and impersonation a feasibility.</div> \nOrganizations using UserContextMode 4 (and 5) are potentially impacted since the session cookie is used to store the source parameters while the user is authenticated, and as such should be tested before enabling in Production.\n<pre>ClearSession=\"true\"\n</pre>\n\n&nbsp;\n\n=== Feature Request 2020-01-20-B ===\n<div><br/> More granular token time out per service.</div> \nEach SAMLConfigurationElements now allows the administrator to specify a token timeout value specifically per service provider.&nbsp; This is useful when the service provider needs a higher tolerance (e.g. 
due to network latency or other processing delays).\n<pre>      <SAMLConfigurationElement Service=\"ConnectingGTA\" AssertingParty=\"sts.federation.uat.hospital.on.ca\" EncryptSAML=\"false\" <span style=\"color:#c0392b\">TokenTimeSpan=\"2\"</span></pre>\n\n&nbsp;\n\n=== Feature Request 2020-01-20-C ===\n<div><br/> Update telus14, ehealthontario141 and ehealthontario15 profile logic for UAO assignment.&nbsp;</div> <div>&nbsp;</div> <div>A a specific condition in a multi-UAO value provided by Cerner systems due to technical limitations has been handled differently (\"|\" will be used instead of \",\" as delimiters).</div> \n&nbsp;\n\n=== Problem Ticket 2019-09-19-A ===\n<div><br/> Add event of INFO type in Logs to capture username and usercontext mode.</div> \nWhen Debug mode was turned off there was no adequate logging of the actual user context information in the STSLog file.\n\n&nbsp;\n\n=== Feature Request 2019-09-19-A ===\n<div><br/> Add Service item to audit file. For organizations using the same instance of STS for different Service Providers, an additional field has been included that indicates the service invoked. Note that this field has been added to the end of each line in order to not impact existing audit scripts/process that expect the same fields in the same order.</div> <div>&nbsp;</div> \n&nbsp;"
                    }
                ]
            },
            "26": {
                "pageid": 26,
                "ns": 0,
                "title": "SAMLConfiguration",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "\nThis configuration section permits the administrator to set up a varierty of service providers from within the same instance of Orbital Lite STS. In a Production instance, the STS could re-direct the authorized users based on the target \"Service\" parameter submitted. &nbsp; Each configuration can differ in these major elements:\n\n*Service and IdP Endpoints \n*Signing and Encryption Certificates \n*SAML Specification Version \n\n&nbsp;\n\n== Service ==\n\nThis is the label assigned to the entry.&nbsp; When specifying a target service from the legacy application, the \"Service\" label must match the entry (not case-sensitive). &nbsp;\n\n== AssertingParty ==\n\nThis is the string that will be inclused as part of the SAML payload.&nbsp; This allows the receiving Service Provider to perform a quick check if this is coming from an authorized Identity Provider before typically checking for other aspects of the SAML such as expiry, digital signature, etc. Typically, this value would be a FQD that represents the STS server. &nbsp;\n\n== EncryptSAML ==\n\nThis is set to \"true\" or \"false\".&nbsp; If set to true, a public key certificate from your Service Provided must be configured and the SAML attributes will all be encrypted.&nbsp; The recommended setting is to always encrypt, especially is patient health information is being transmitted. 
Note that the [https://sts.radiusworks.com/wiki/index.php?title=STSSettings#EncryptSAMLAttributes global setting EncryptSAMLAttributes] will override this value if it's set to true.&nbsp; If you wish to actually disable encryption, you need to set the global value to \"false\" as well.\n\n== TokenTimeSpan ==\n\nRepresents the time interval (in minutes) that the SAML payload will indicate to the Service Provider that the token is valid.&nbsp; This a good way to control the potential risk in replay attacks with SAML.&nbsp; The value should reflect any network latency and potential clock synchronization issues.&nbsp; This value should not be higher than 2 minutes. &nbsp;\n\n== appURL ==\n\nThis is a mandatory parameter. appURL is the entry endpoint for the Service Provider.&nbsp; This is in most cases another Identity Provider that will do an authentication/authorization check on the user and the Orbital Lite STS.&nbsp; This value will also be placed in the RelayState for the SAML POST. &nbsp;\n\n== destinationURL ==\n\nThis is a mandatory parameter.&nbsp; After the initial successful authentication/authorization, the Service Provider will re-direct the user to the actual destination. &nbsp;\n\n== StaticRelayStateParameters ==\n\nThis optional string appends some additional attributes to the RelayState.&nbsp; This is useful for profiles that require additional customization. &nbsp;\n\n== SAMLSpecificationVersion ==\n\nThis optional parameter allows the administrator to control which SAML specification/profile to use.&nbsp; If the value is left blank, then the [https://sts.radiusworks.com/wiki/index.php?title=STSSettings#SAMLSpecificationVersion global SAMLSpecificationVersion value] will be used. &nbsp;\n\n== AudienceRestriction ==\n\nThis optional parameter&nbsp;allows the administrator to state the AudienceRestriction value in the SAML subject header.&nbsp; This permits the IdP to perform additional authorization checks. 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\n\n== CertificateThumbprint ==\n\nThis value represents a unique signature that identifies the certificate in the Windows Server certificate store which will be used to sign the certificate. The administrator should make sure that the IIS (network) account has read access to the key, and that the key is marked as exportable, otherwise the application cannot get the private key.\n\nTo obtain the thumbprint of a certificate, please follow these steps:\n\n*Open Windows Server certificate store using the management console \n*Double-click on the certificate. A new window will appear with additional information for the certificate, at which point click on \u201cDetails\u201d. You should find an element labeled \u201cThumbprint\u201d. \n*Click on the item and select the data displayed in the window. The data can be imported with or without spaces, and is case insensitive. \n\n== CertificatePath and&nbsp;CertificatePassword&nbsp; ==\n\nIf the Windows Server certificate store cannot be used, then a physical location may be used and a PFX file may be invoked.&nbsp; The IIS (network) account would need read permissions to the certifcate.\n\n=== <br/> CertificatePath ===\n\nThis would describe the physical path where the certificate (including the private key) is stored.\n\n=== <br/> CertificatePassword ===\n\nThis is the password that the application will be using to access the private key.\n\n== EncryptionCertificateThumbprint ==\n\nThe target Service Provider should be providing a certificate that contains the public key in order to encrypt the SAML attributes. 
The thumbprint as stored in the Windows Certificate Store should be specified here.&nbsp;\n\n== EncryptionCertificatePath ==\n\nAs an alternative to EncryptionCertificateThumbprint, the file location of the CER file can be provided in this attribute.\n\n== SPML ==\n\nSPML Service Attributes provide the STS solution information about the SPML endpoint that can be used to update an external user registry:\n\n=== SPMLService ===\n\nthis provides the target URL of the SPML Service.\ufffd SPMLAction: this is the SOAP request parameter used to invoke the SPML service.\n\n=== SPMLAuthentication ===\n\nThe type of authentication used by the SPML service; it can be set to \u201cnone\u201d, \u201cusername\u201d or \u201ccertificate\u201d.\n\n=== SPMLCertificateThumbprint&nbsp; ===\n\nUsed when the SPMLAuthentication is set to \u201ccertificate\u201d, this will provide the certificate of the private key stored in the Windows Certificate tore that will be used to authenticate.\n\n=== SPMLCertificatePath ===\n\nused when the SPMLAuthentication is set to \u201ccertificate\u201d, this will provide the file location of the PFX certificate file which contains the private key.\n\n=== SPMLCertificatePassword ===\n\nused to unlock the PFX file specified in SPMLCertificatePath.\n\n=== SPMLUsername ===\n\nthe username send to the SPML service when the SPMLAuthentication is set to \u201cusername\u201d.\n\n=== SPMLPassword ===\n\nthe associated password with SPMLUsername.\n\n=== SPMLDomain ===\n\nthe associated domain for the username specified in SPMLUsername.\n\n&nbsp;"
                    }
                ]
            }
        }
    }
}