SAML SP


About

This authenticator acts as a SAML SP.

It is typically used in SAML brokering scenarios where one or more methods of identification reside on a remote IDP.

Configuration

Authenticator type: SAMLSPBroker

Common Authenticator configuration can be found here.

| Name | Description | Default value | Mandatory |
| --- | --- | --- | --- |
| issue_as_sp_entity | The entity ID used as the issuer when sending the authn request. | N/A | |
| target_idp_entity | The remote IDP entity ID to trust. | N/A | |
| custom_identifier | Custom identifier to be set in the event logging entry. | N/A | |
| force_auth_request | Whether the authn request should force re-authentication. | false | |
| sign_algorithm | Which signature algorithm to use when signing authn requests. Ensure it works with the private key used. This only affects requests sent to IDPs that require signed requests. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | |
| sign_digest_method | Which digest method to use when signing authn requests. Ensure it works with the selected signature algorithm. This only affects requests sent to IDPs that require signed requests. | http://www.w3.org/2001/04/xmlenc#sha256 | |

{
    "id": "sp",
    "type": "SAMLSPBroker",
    "config": {
        "base_path": "/saml/authn",
        "issue_as_sp_entity": "http://anvil.fortifiedid.se",
        "target_idp_entity": "https://samltest.id/saml/idp"
    }
}

Requirements

The incoming request must be signed. Signed assertions are not validated.

Encrypted assertions are not supported.

Logging

On a successful authentication, an event is logged containing the following:

  • WEB_100014("Authenticated using SP-broker method")

  • IDENTIFIER (user traceid)

  • SOURCE_SERVICE_NAME (entity id from the SAML response)

  • SOURCE_USER_NAME (name id from the issued assertion)

  • SOURCE_ADDRESS (user IP address)

  • CUSTOMER_IDENTIFIER (if configured)

SAML response requirements

When consuming and validating the response, only one assertion is allowed. Either the response or the assertion must be signed; a response with no signature at all produces an error.

Currently, only the POST binding is supported, both for the outbound request and for the incoming response.

Data exposed to global state

After successful validation, the following data is stored in the global state:

  • nameID - containing the name-id reported in the assertion.

  • remoteIssuer - value of the IDP entityID issuing the assertion.

  • All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string.
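As an added example (not code from the Access product or from this page), the following Python applies the two sections above to a constructed SAML response: it rejects a response that does not carry exactly one assertion or that has no ds:Signature on either the response or the assertion, then builds the global-state values nameID, remoteIssuer and the comma-merged attributes. It assumes a plain ElementTree parse and checks only that a signature element is present; cryptographic verification of that signature is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not a capture from a real IDP; the ds:Signature is a
# structural placeholder that no XML-DSig library would accept.
SIG_PLACEHOLDER = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>https://samltest.id/saml/idp</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://samltest.id/saml/idp</saml:Issuer>
    {SIG_PLACEHOLDER}
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>admins</saml:AttributeValue>
        <saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_and_extract(xml_text):
    """Apply the structural rules and build the global-state dict. Only the presence
    of ds:Signature is checked; cryptographic verification is an XML-DSig library's job."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # only one assertion is allowed
        raise ValueError(f"expected exactly one assertion, found {len(assertions)}")
    assertion = assertions[0]
    # Either the response or the assertion must be signed.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        raise ValueError("neither response nor assertion is signed")
    state = {
        "nameID": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "remoteIssuer": assertion.findtext("saml:Issuer", namespaces=NS),
    }
    # Multivalued attributes are merged into a comma-separated string.
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        state[attr.get("Name")] = ",".join(values)
    return state

def is_rejected(xml_text):
    try:
        check_and_extract(xml_text)
        return False
    except ValueError:
        return True
```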
