(DOCSP-45107): Backport DOCSP-45015 to v8.0 (#516)

Author: davidhou17

source/includes/setting-fileConf-mms.saml.encrypted.assertions.rst

@@ -3,7 +3,6 @@
    *Type*: boolean
 
 
-   Indicator as to whether or not the |idp| encrypts the assertions
+   Flag that indicates whether or not the |idp| encrypts the assertions
    it sends to |onprem|.
-   
-
+   

source/includes/setting-fileConf-mms.saml.signedAssertions.rst

@@ -0,0 +1,17 @@
+.. setting:: mms.saml.signedAssertions
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the assertions
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`SAML Signed Assertions`.
+   

source/includes/setting-fileConf-mms.saml.signedMessages.rst

@@ -0,0 +1,17 @@
+.. setting:: mms.saml.signedMessages
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the responses
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`SAML Signed Messages`.
+   

source/includes/setting-uiConf-samlEncryptedAssertions.rst

@@ -3,7 +3,7 @@
    *Type*: boolean
 
 
-   Indicator as to whether or not the |idp| encrypts the assertions
+   Flag that indicates whether or not the |idp| encrypts the assertions
    it sends to |onprem|.
 
 

source/includes/setting-uiConf-samlSignedAssertions.rst

@@ -0,0 +1,17 @@
+.. setting:: SAML Signed Assertions
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the assertions
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`mms.saml.signedAssertions`.
+   

source/includes/setting-uiConf-samlSignedMessages.rst

@@ -0,0 +1,16 @@
+.. setting:: SAML Signed Messages
+
+   *Type*: boolean
+
+   *Default*: ``true``
+
+   Flag that indicates whether or not the |idp| signs the responses
+   it sends to |onprem|.
+
+   .. important:: 
+
+      Ensure that either the assertions or the response are signed. 
+      The configuration will fail the verification and |onprem| returns 
+      an error if either the assertions or the response aren't signed.
+
+   Corresponds to :setting:`mms.saml.signedMessages`.

source/reference/config/ui-settings.txt

@@ -183,6 +183,8 @@ SAML
 .. include:: /includes/setting-uiConf-samlSpPemFile.rst
 .. include:: /includes/setting-uiConf-samlSpPemFilePassword.rst
 .. include:: /includes/setting-uiConf-samlEncryptedAssertions.rst
+.. include:: /includes/setting-uiConf-samlSignedAssertions.rst
+.. include:: /includes/setting-uiConf-samlSignedMessages.rst
 .. include:: /includes/setting-uiConf-samlSignatureAlgorithm.rst
 .. include:: /includes/setting-uiConf-samlGlobalOwnerGroup.rst
 .. include:: /includes/setting-uiConf-samlGlobalAutomationGroup.rst

source/reference/configuration.txt

@@ -364,6 +364,8 @@ Authentication through SAML
 .. include:: /includes/setting-fileConf-mms.saml.ssl.PEMKeyFile.rst
 .. include:: /includes/setting-fileConf-mms.saml.ssl.PEMKeyFilePassword.rst
 .. include:: /includes/setting-fileConf-mms.saml.encrypted.assertions.rst
+.. include:: /includes/setting-fileConf-mms.saml.signedAssertions.rst
+.. include:: /includes/setting-fileConf-mms.saml.signedMessages.rst
 .. include:: /includes/setting-fileConf-mms.saml.signature.algorithm.rst
 .. include:: /includes/setting-fileConf-mms.saml.global.role.owner.rst
 .. include:: /includes/setting-fileConf-mms.saml.global.role.automationAdmin.rst

source/release-notes/changelogs/ops-manager/changelog-onprem-v7.0.rst

@@ -7,7 +7,8 @@
 
 - Updates JDK to ``jdk-17.0.13+11``.
 - Supports :ref:`Workload Identity Federation <om-oidc-authentication-workload>` on top of the already existing Workforce Identity Federation. 
-- Supports configuring separate SAML signature validation for responses and assertions so that only one is required through the AppSettings configuration.
+- Supports configuring separate SAML signature validation for responses and assertions so that only one is 
+  required through the :setting:`mms.saml.signedAssertions` and :setting:`mms.saml.signedMessages` settings.
 - Supports ability to set a custom idle session timeout using new application settings, :guilabel:`Idle Session Timeout Mode` and :guilabel:`Idle Session Timeout Max Minutes`.
 - Supports taking :ref:`on-demand snapshots <on-demand-snapshots>` in addition to scheduled snapshots.
 - Removes the |onprem| version number from the login page if you set :setting:`mms.security.show.om.version` to false.

source/release-notes/changelogs/ops-manager/changelog-onprem-v8.0.rst

@@ -7,7 +7,8 @@
 
 - Updates JDK to ``jdk-21.0.5+11``.
 - Supports :ref:`Workload Identity Federation <om-oidc-authentication-workload>` on top of the already existing Workforce Identity Federation. 
-- Supports configuring separate SAML signature validation for responses and assertions so that only one is required through the AppSettings configuration.
+- Supports configuring separate SAML signature validation for responses and assertions so that only one is 
+  required through the :setting:`mms.saml.signedAssertions` and :setting:`mms.saml.signedMessages` settings.
 - Supports ability to set a custom idle session timeout using new app settings, :guilabel:`Idle Session Timeout Mode` and :guilabel:`Idle Session Timeout Max Minutes`.
 - Removes the |onprem| version number from the login page.
 - Updates the MongoDB Agent to :ref:`108.0.1.8718-1 <mongodb-108.0.1.8718-1>`.