SAML IDP

About

Acts as a SAML 2 Identity provider. No identification is done by this authenticator. It acts as a controller for issuing SAML assertions. Typically this authenticator is the first point of contact coming from a SAML Service provider, requesting identification.

This authenticator can be considered a start and end touch point. The main purpose is to handle SAML specifics.

Actual user identification is done elsewhere.

SAML data arrives from SAML Service provider

Configuration

Authenticator type: SAMLIDP

Common Authenticator configuration can be found here.

Name
Description
Default value
Mandatory

force_re_auth

Regardless of the incoming auth request. Should IDP require re-authentication.

false

idp

Value of the entity id when issuing the assertion.

N/A

assertion_config

Section for when issuing assertion. Customized for one or more SP's.

N/A

Assertion Configuration

Name
Description
Default value
Mandatory

target_sp

Must include at least one SP entity id. The id must be loaded and known to the system. Use "*" to catch all SP entity ID's.

N/A

pre_assertion_pipe

ID of pipe to execute before issuing assertion. Not required.

N/A

sign_response

Should SAML assertion be signed. Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

true

sign_assertion

Should SAML assertion be signed. Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

false

encrypt_assertion

Should assertion be encrypted. Encryption algorithm used is: http://www.w3.org/2009/xmlenc11#aes128-gcm

false

nameid_parameter

Attribute where value of nameID is located.

N/A

name_id_format

Format of nameID attribute.

"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

additional_attribute_parameter

List of parameter names where additional attributes is located.

N/A

auth_context_parameter

Attribute where value of auth context ref is located.

"AuthnContextClassRef"

hokap_parameter

Attribute where value of certificate is located. PEM format is expected. The public key is extracted from the certifiacted and added to the KeyValue element in the assertion. Only RSA public keys are supported.

N/A

send_failed_response

If pipe fails should a SAML response be sent back to the sp.

false

Logging

On a successful authentication event is logged containing following:

  • WEB_100101

  • IDENTIFIER (user traceid)

  • DESTINATION_SERVICE_NAME (target SP entity id)

  • SOURCE_ADDRESS (user IP address)

SLO - Single logout

By default saml slo endpoints are added to the metadata template. Both POST & Redirect bindings are supported and will be injected into the metadata when requested.

Currently, only POST binding is supported for outbound request/reponse.

Data sent to PIPE

All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.

Data put into the state by this authenticator is:

  • SAMLRequest - mainly for internal use

  • requestedAuthnContextClassRefs - Multi value property of the "RequestedAuthnContext" -> "AuthnContextClassRef" if any.

  • spEntityID - entityID of the "calling" SP .

  • A subset of the sent request-headers from user-Agent.

  • All data returned from the assertion pipe

Expected data from PIPE

In order to use data from PIPE the response must contain one item. All data from that item will be available when creating SAML assertion.