SAML IDP

About

Acts as a SAML 2 Identity provider. No identification is done by this authenticator. It acts as a controller for issuing SAML assertions. Typically this authenticator is the first point of contact coming from a SAML Service provider, requesting identification.

This authenticator can be considered a start and end touch point. The main purpose is to handle SAML specifics.

Actual user identification is done elsewhere.

Configuration

Authenticator type: SAMLIDP

Common Authenticator configuration can be found here.

Name

Description

Default value

Mandatory

force_re_auth

Regardless of the incoming auth request. Should IDP require re-authentication.

false

idp

Value of the entity id when issuing the assertion.

N/A

assertion_config

Section for when issuing assertion. Customized for one or more SP's.

N/A

{
"id": "auth00",
"type": "SAMLIDP",
"config": {
    "context_path": "/test/authn/chain",
    "base_path": "/test/authn",
    "force_re_auth": false,
    "idp": "aandrenidp",
    "chain": [{
        "id": "auth01",
        "required": true
    }],
    "assertion_config": [{
        "target_sp": ["https://sp.example.org/shibboleth", "https://samltest.id/saml/sp"],
        "pre_assertion_pipe": "auhtZPipe",
        "encrypt_assertion": false,
        "sign_response": false,
        "sign_assertion": true,
        "send_failed_response":false
        "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "nameid_parameter": "givenName",
        "additional_attribute_parameter": ["givenName", "sn", "objectClass"],
        "auth_context_parameter": "AuthnContextClassRef"
    }]
}
}

Assertion Configuration

"assertion_config": [{
    "target_sp": ["https://sp.example.org/shibboleth", "https://samltest.id/saml/sp"],
    "pre_assertion_pipe": "auhtZPipe",
    "encrypt_assertion": false,
    "sign_response": false,
    "sign_assertion": true,
    "send_failed_response":false
    "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "nameid_parameter": "givenName",
    "additional_attribute_parameter": ["givenName", "sn", "objectClass"],
    "auth_context_parameter": "AuthnContextClassRef"
}]

Logging

On a successful authentication event is logged containing following:

WEB_100101
IDENTIFIER (user traceid)
DESTINATION_SERVICE_NAME (target SP entity id)
SOURCE_ADDRESS (user IP address)

SLO - Single logout

By default saml slo endpoints are added to the metadata template. Both POST & Redirect bindings are supported and will be injected into the metadata when requested.

Currently, only POST binding is supported for outbound request/reponse.

Data sent to PIPE

All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.

Data put into the state by this authenticator is:

SAMLRequest - mainly for internal use
requestedAuthnContextClassRefs - Multi value property of the "RequestedAuthnContext" -> "AuthnContextClassRef" if any.
spEntityID - entityID of the "calling" SP .
A subset of the sent request-headers from user-Agent.
All data returned from the assertion pipe

Expected data from PIPE

In order to use data from PIPE the response must contain one item. All data from that item will be available when creating SAML assertion.

PreviousSAML NextSAML SP