SAML application
This section explains how to manage a SAML trusted application.
When a SAML SP is added to Fortified ID Access, it is represented as a SAML trusted application. On the SAML application object you specify where the metadata is located, what assertion data is needed, whether a profile should be used, and so on.
A SAML application relies on metadata configuration to establish trust. Valid metadata is the minimum requirement. Each metadata element may also specify custom settings to enable tailored behaviour.
Using configuration, the SAML application object can control:
- Metadata (names, description, URL, IdP affiliation).
- Cryptography (signing and digest algorithms, encryption of assertions).
- Session handling (timeouts, session information, client IP address).
- NameID handling (format, source parameters, qualifiers).
- Attributes (which attributes are returned, their format, requirements, and types).
This allows each application to precisely define how its SAML Response is constructed and returned.
Note. If you have several SAML applications that should share similar configuration, you can use SAML profiles. See the SAML Profiles section for more information.
Below are the properties that can be configured for a SAML application.

| Property | Description | Default |
|---|---|---|
| url | URL location of the metadata. | N/A |
| path | File path to the metadata. | N/A |
| assertion_pre_pipe | Overrides the IdP default pre-pipe. An empty value means no pipe is run; the IdP pipe is not used as a fallback. | N/A |
| belongs_to_idp | Entity ID of the allowed IdP. Only use when configuring multiple IdPs. | N/A |
| signature_algorithm | Algorithm used for signing. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
| static_audience | Overrides the SP audience. | N/A |
| include_entity_id | If the metadata contains multiple entities: array of entity IDs to trust. | N/A |
| exclude_entity_id | If the metadata contains multiple entities: array of entity IDs to filter out. Setting this overrides include_entity_id. | N/A |
| profile | Name of a SAML application profile. Setting this causes the profile's configuration to be used; the local application settings are ignored. | N/A |
| app_tag | JSON array of strings used for filtering and similar operations. | N/A |
| assertion_config | Parent holder for the assertion configuration. | {} |
| assertion_config.encrypt | Whether the assertion should be encrypted. Requires an encryption certificate in the SP metadata. | false |
| assertion_config.include_session_information | Include session information in the assertion (trace id). | true |
| assertion_config.include_session_not_on_or_after | Include the SessionNotOnOrAfter attribute. | false |
| assertion_config.include_remote_address | Include the client's IP address. | false |
| assertion_config.sign_assertion | Whether the assertion itself should be signed. | true |
| assertion_config.sign_response | Whether the full response should be signed. | true |
| assertion_config.session_not_on_or_after_minutes | Session expiration time in minutes. | 60 |
| assertion_config.assertion_valid_for_no_of_minutes | Assertion validity period in minutes. | 2 |
| assertion_config.name_id | Configuration of the NameID element. | {} |
| assertion_config.name_id.format | NameID format. | urn:oasis:names:tc:SAML:1.1:nameid-format:transient |
| assertion_config.name_id.from_parameter | State parameter containing the value of the NameID. | nameID |
| assertion_config.name_id.include_sp_name_qualifier | Whether to include SPNameQualifier. | false |
| assertion_config.name_id.include_name_qualifier | Whether to include NameQualifier. | false |
| assertion_config.attributes | Array; each entry describes one attribute in the assertion. | N/A |
| assertion_config.attributes.name | Attribute name (URN or custom identifier). | N/A |
| assertion_config.attributes.value | Name of the state attribute holding the value. | N/A |
| assertion_config.attributes.name_format | Attribute name format, usually unspecified. | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified |
| assertion_config.attributes.friendly_name | Human-readable (friendlyName) alias. | N/A |
| assertion_config.attributes.required | Indicates whether the attribute is required. If true, the value may be empty. | false |
| assertion_config.attributes.include_if_empty | Include the attribute even if the source value is missing. | false |
Example 1: a SAML application with local assertion configuration.

```json
{
  "id": "saml_trust_1",
  "display_name": "Example SAML Application",
  "description": "Sample configuration for returning a SAML response",
  "url": "https://sp.example.com/sso",
  "assertion_pre_pipe": "validateUserAttributes",
  "belongs_to_idp": "https://idp.example.com",
  "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "digest_algorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
  "static_audience": "https://audience.example.com",
  "app_tag": ["tag1", "tag2"],
  "include_entity_id": [
    "https://trusted-sp-1.com",
    "https://trusted-sp-2.com"
  ],
  "exclude_entity_id": [
    "https://untrusted-sp.com"
  ],
  "assertion_config": {
    "encrypt": true,
    "name_id": {
      "format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
      "from_parameter": "userPrincipalName",
      "include_sp_name_qualifier": true,
      "include_name_qualifier": false
    },
    "include_session_information": true,
    "include_session_not_on_or_after": true,
    "include_remote_address": false,
    "sign_assertion": true,
    "sign_response": true,
    "session_not_on_or_after_minutes": 120,
    "assertion_valid_for_no_of_minutes": 5,
    "attributes": [
      {
        "name": "givenName",
        "value": "firstName",
        "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
        "friendly_name": "First Name",
        "required": false
      },
      {
        "name": "sn",
        "value": "surName",
        "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
        "friendly_name": "Last Name",
        "required": true
      },
      {
        "name": "mail",
        "value": "e-mail",
        "name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
        "friendly_name": "Email"
      }
    ]
  }
}
```

Example 2: a SAML application that takes its settings from a SAML profile.

```json
{
  "id": "saml_trust_2",
  "display_name": "Fortified ID Portal SAML SP",
  "description": "SAML SP configuration for Fortified ID Portal",
  "url": "https://localhost:8445/portal/authn/login/metadata",
  "profile": "saml_profile_generic"
}
```
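The following is an added example, not Fortified ID's own code: a review-time linter for a SAML application object as documented on this page. It fills in the documented defaults, applies the include_entity_id/exclude_entity_id rule (read here as: where both lists name an entity, the exclusion wins), honours the precedence of profile over local settings, and reports the points a reviewer would raise before enabling the application (SHA-1 signature algorithm, unsigned assertion and response, encrypt without an SP encryption certificate, filters that trust nothing, attribute entries missing name or value). The sample application, the metadata entity list and the profile store are constructed for illustration; the contents of the hypothetical profile are an assumption.

```python
# Added example (not Fortified ID's own code): linter for a SAML trusted
# application configuration as documented on this page. The sample app, the
# metadata entity list and the profile store are constructed; the profile
# contents are a hypothetical assumption.

# Defaults as listed in the property table on this page.
ASSERTION_DEFAULTS = {
    "encrypt": False, "include_session_information": True,
    "include_session_not_on_or_after": False, "include_remote_address": False,
    "sign_assertion": True, "sign_response": True,
    "session_not_on_or_after_minutes": 60, "assertion_valid_for_no_of_minutes": 2,
    "name_id": {"format": "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
                "from_parameter": "nameID", "include_sp_name_qualifier": False,
                "include_name_qualifier": False},
}
DEFAULT_SIGNATURE_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# SHA-1 based XML signature algorithm URIs that a reviewer should flag.
WEAK_SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
}
# Hypothetical profile store (constructed): what a 'profile' name resolves to.
PROFILES = {
    "saml_profile_generic": {
        "signature_algorithm": DEFAULT_SIGNATURE_ALG,
        "assertion_config": {"sign_assertion": True, "sign_response": True},
    }
}


def effective_config(app, profiles=PROFILES):
    """Resolve the settings that actually apply: a profile, when set, replaces
    the local settings entirely; otherwise local values are merged over the
    documented defaults."""
    source = profiles[app["profile"]] if app.get("profile") else app
    assertion = dict(ASSERTION_DEFAULTS)
    assertion["name_id"] = dict(ASSERTION_DEFAULTS["name_id"])
    for key, value in source.get("assertion_config", {}).items():
        if key == "name_id":
            assertion["name_id"].update(value)
        else:
            assertion[key] = value
    return {"signature_algorithm": source.get("signature_algorithm", DEFAULT_SIGNATURE_ALG),
            "assertion_config": assertion}


def trusted_entities(app, metadata_entity_ids):
    """Apply include_entity_id / exclude_entity_id to the entity IDs found in
    the metadata; an entity named in both lists is excluded."""
    include = app.get("include_entity_id")
    exclude = set(app.get("exclude_entity_id", []))
    selected = [e for e in metadata_entity_ids if include is None or e in include]
    return [e for e in selected if e not in exclude]


def lint(app, metadata_entity_ids, sp_has_encryption_cert):
    """Return the findings a reviewer would raise before enabling the app."""
    findings = []
    if not app.get("url") and not app.get("path"):
        findings.append("no metadata source: set 'url' or 'path'")
    if app.get("profile") and app.get("assertion_config"):
        findings.append("local assertion_config is ignored because 'profile' is set")
    cfg = effective_config(app)
    a = cfg["assertion_config"]
    if cfg["signature_algorithm"] in WEAK_SIGNATURE_ALGS:
        findings.append("SHA-1 based signature_algorithm configured")
    if not a["sign_assertion"] and not a["sign_response"]:
        findings.append("neither the assertion nor the response is signed")
    if a["encrypt"] and not sp_has_encryption_cert:
        findings.append("encrypt=true but SP metadata has no encryption certificate")
    if not trusted_entities(app, metadata_entity_ids):
        findings.append("entity-id filters leave no trusted entity")
    for attr in a.get("attributes", []):
        if "name" not in attr or "value" not in attr:
            findings.append("attribute entry needs both 'name' and 'value': %r" % (attr,))
    return findings


# Constructed sample input: an application with several questionable settings.
SAMPLE_APP = {
    "id": "saml_trust_example",
    "url": "https://sp.example.com/metadata",
    "signature_algorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "include_entity_id": ["https://sp-a.example.com", "https://sp-b.example.com"],
    "exclude_entity_id": ["https://sp-b.example.com"],
    "assertion_config": {
        "encrypt": True, "sign_assertion": False, "sign_response": False,
        "attributes": [{"name": "mail", "value": "e-mail"}, {"name": "sn"}],
    },
}
METADATA_ENTITIES = ["https://sp-a.example.com", "https://sp-b.example.com",
                     "https://sp-c.example.com"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_APP, METADATA_ENTITIES, sp_has_encryption_cert=False):
        print("-", finding)
```

Run against the constructed sample, the linter reports four findings; with the profile-based application shape from Example 2 plus a local assertion_config, it reports only that the local block is ignored, because effective_config takes everything from the profile in that case.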