SAML SP
About
This authenticator act as a SAML SP.
Typically used in SAML brokering scenarios when one or more methods of identification reside on remote IDP.
Configuration
Common Authenticator configuration can be found here.
issue_as_sp_entity
When sending authn request, what is the entity id used.
N/A
target_idp_entity
The remote IDP entity id to trust.
N/A
custom_identifier
Custom identifier to be set inte the event logging entry
N/A
force_auth_request
Should the auth request force re-authentication
false
sign_algorithm
Which signature algorithm to use if signing authn-requests. Ensure it is working with the private key used. This will only affect requests sent to idp's requiring signing requests.
sign_digest_method
Which digest method to use if signing authn-requests. Ensure it is working selected signature algorithm. This will only affect requests sent to idp's requiring signing requests.
Requirements
The incoming request must be signed. Signed assertions is not validated.
Encrypted assertions are not supported.
Logging
On a successful authentication event is logged containing the following:
WEB_100014("Authenticated using SP-broker method")
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (entity id from the SAML response)
SOURCE_USER_NAME (name id from the issued assertion)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (if configured)
SAML response requirements
When consuming and validating the response only one assertion is allowed. Either response or assertion must be signed. No signatures will produce error.
Currently, only POST binding is supported for outbound and incoming request/response.
Data exposed to global state
After successful validation, data stored in the global state are:
nameID - containing the name-id reported in the assertion.
remoteIssuer - value of the IDP entityID issuing the assertion.
All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string.