SAML SP

About

This authenticator act as a SAML SP.

Typically used in SAML brokering scenarios when one or more methods of identification reside on remote IDP.

Configuration

Authenticator type: SAMLSPBroker

Common Authenticator configuration can be found .

{
    "id": "sp",
    "type": "SAMLSPBroker",
    "config": {
        "base_path": "/saml/authn",
        "issue_as_sp_entity":"http://anvil.fortifiedid.se",
        "target_idp_entity":"https://samltest.id/saml/idp"
    }
}

Requirements

The incoming request must be signed. Signed assertions is not validated.

Encrypted assertions are not supported.

Validation

The SAML response from the IdP is validated according to a set of rules. Some rules are mandatory and always validated, other rules are optional and can be activated in the configuration.

Mandatory validation rules

Response Issuer must match target_idp_entity
There must be at least one valid signature present
Response status must indicate success
Response issue timestamp (not before current timestamp)
Assertion NotBefore timestamp
Assertion NotOnOrAfter timestamp

Optional validation rules

Ensure the response matches a pending request by ID
Response destination
Audience restrictions
Assertion AuthnInstant
Assertion SessionNotOnOrAfter

Logging

On a successful authentication event is logged containing the following:

WEB_100014("Authenticated using SP-broker method")
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (entity id from the SAML response)
SOURCE_USER_NAME (name id from the issued assertion)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (if configured)

SAML response requirements

When consuming and validating the response only one assertion is allowed. Either response or assertion must be signed. No signatures will produce error.

Currently, only POST binding is supported for outbound and incoming request/response.

Data exposed to global state

After successful validation, data stored in the global state are:

nameID - containing the name-id reported in the assertion.
remoteIssuer - value of the IDP entityID issuing the assertion.
All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string. FriendlyName is favoured over Name.
- if an incoming attribute with Name urn:oid:2.5.4.42 and FriendlyName givenName, givenName is used as key in global state.
- If no FriendlyNAme attribute is present Name is used.

PreviousSAML IDP NextIDP Discovery Service

About

This authenticator act as a SAML SP.

Typically used in SAML brokering scenarios when one or more methods of identification reside on remote IDP.

Configuration

Authenticator type: SAMLSPBroker

Common Authenticator configuration can be found .

{
    "id": "sp",
    "type": "SAMLSPBroker",
    "config": {
        "base_path": "/saml/authn",
        "issue_as_sp_entity":"http://anvil.fortifiedid.se",
        "target_idp_entity":"https://samltest.id/saml/idp"
    }
}

Requirements

The incoming request must be signed. Signed assertions is not validated.

Encrypted assertions are not supported.

Validation

The SAML response from the IdP is validated according to a set of rules. Some rules are mandatory and always validated, other rules are optional and can be activated in the configuration.

Mandatory validation rules

Response Issuer must match target_idp_entity
There must be at least one valid signature present
Response status must indicate success
Response issue timestamp (not before current timestamp)
Assertion NotBefore timestamp
Assertion NotOnOrAfter timestamp

Optional validation rules

Ensure the response matches a pending request by ID
Response destination
Audience restrictions
Assertion AuthnInstant
Assertion SessionNotOnOrAfter

Logging

On a successful authentication event is logged containing the following:

WEB_100014("Authenticated using SP-broker method")
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (entity id from the SAML response)
SOURCE_USER_NAME (name id from the issued assertion)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (if configured)

SAML response requirements

When consuming and validating the response only one assertion is allowed. Either response or assertion must be signed. No signatures will produce error.

Currently, only POST binding is supported for outbound and incoming request/response.

Data exposed to global state

After successful validation, data stored in the global state are:

nameID - containing the name-id reported in the assertion.
remoteIssuer - value of the IDP entityID issuing the assertion.
All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string. FriendlyName is favoured over Name.
- if an incoming attribute with Name urn:oid:2.5.4.42 and FriendlyName givenName, givenName is used as key in global state.
- If no FriendlyNAme attribute is present Name is used.

here

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

http://www.w3.org/2001/04/xmlenc#sha256