SAML IdP

To learn more about how Fortified ID Access supports SAML, please click LINK.

Overview

Fortified ID Access can acts as a SAML 2 Identity provider (IdP). This is the first point of contact for a SAML SP. No identification is done by the SAML IdP, that is done by credential validators associated with the SAML IdP.

Configuration

Common Authenticator configuration can be found here.

{
"id": "auth00",
"type": "SAMLIDP",
"config": {
    "context_path": "/test/authn/chain",
    "base_path": "/test/authn",
    "force_re_auth": false,
    "idp": "aandrenidp",
    "chain": [{
        "id": "auth01",
        "required": true
    }],
    "assertion_config": [{
        "target_sp": ["https://sp.example.org/shibboleth", "https://samltest.id/saml/sp"],
        "pre_assertion_pipe": "auhtZPipe",
        "encrypt_assertion": false,
        "sign_response": false,
        "sign_assertion": true,
        "send_failed_response":false
        "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "nameid_parameter": "givenName",
        "additional_attribute_parameter": ["givenName", "sn", "objectClass"],
        "auth_context_parameter": "AuthnContextClassRef"
    }]
}
}

Assertion Configuration

"assertion_config": [{
    "target_sp": ["https://sp.example.org/shibboleth", "https://samltest.id/saml/sp"],
    "pre_assertion_pipe": "auhtZPipe",
    "encrypt_assertion": false,
    "sign_response": false,
    "sign_assertion": true,
    "send_failed_response":false
    "name_id_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "nameid_parameter": "givenName",
    "additional_attribute_parameter": ["givenName", "sn", "objectClass"],
    "auth_context_parameter": "AuthnContextClassRef"
}]

Logging

On authentication request event is logged containing following:

• WEB_100103("Received authentication request")

• IDENTIFIER (user traceid)

• AUTHENTICATOR_ID (config id + display_name if present)

• SOURCE_SERVICE_NAME (entity id calling SAML SP)

• SOURCE_ADDRESS (user IP address)

• CUSTOMER_IDENTIFIER (if configured)

On a successful authentication event is logged containing following:

• WEB_100101

• IDENTIFIER (user traceid)

• AUTHENTICATOR_ID (config id + display_name if present)

• SOURCE_SERVICE_NAME (entity id of target SAML SP)

• SOURCE_ADDRESS (user IP address)

• CUSTOMER_IDENTIFIER (if configured)

On a failed authentication event is logged containing following:

• WEB_100102

• IDENTIFIER (user traceid)

• AUTHENTICATOR_ID (config id + display_name if present)

• SOURCE_SERVICE_NAME (entity id of target SAML SP)

• SOURCE_ADDRESS (user IP address)

• CUSTOMER_IDENTIFIER (if configured)

SLO - Single logout

By default saml slo endpoints are added to the metadata template. Both POST & Redirect bindings are supported and will be injected into the metadata when requested.

Currently, only POST binding is supported for outbound request/reponse.

Data sent to PIPE

All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.

Data put into the state by this authenticator is:

• SAMLRequest - mainly for internal use

• requestedAuthnContextClassRefs - Multi value property of the "RequestedAuthnContext" -> "AuthnContextClassRef" if any.

• spEntityID - entityID of the "calling" SP .

• A subset of the sent request-headers from user-Agent.

• All data returned from the assertion pipe

Expected data from PIPE

In order to use data from PIPE the response must contain one item. All data from that item will be available when creating SAML assertion.