SAML profile

This section explains how to add and configure a SAML profile.

If you have multiple SAML applications that should have the same configuration, you can configure them to use a SAML SP profile.

Note that some properties cannot be configured in a SAML profile and must be configured directly on the SAML SP application. These properties are url and path.

Settings for a SAML application can come from settings on the application itself, from a profile, or from the IdP object.

1. If a profile is configured, the properties of the profile object override everything else.
2. If a profile is not configured, the application settings apply.
3. If nothing is configured on the application, the IdP settings are used.

Important! Settings are not merged but applied as a single source of truth.


Below are the properties that can be configured for a SAML profile.

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| name | Used | N/A | |
| assertion_pre_pipe | Overrides the IdP default pre-pipe; empty means no pipe. The IdP pipe is not used as a fallback. | N/A | |
| belongs_to_idp | Entity ID of the allowed IdP. Only use if configuring multiple IdPs. | N/A | |
| signature_algorithm | Algorithm used for signing. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | |
| digest_algorithm | Algorithm used for digest calculation. | | |
| app_tag | JSON array containing strings used for filtering and similar operations. | N/A | |
| assertion_config | Parent holder for assertion configuration. | {} | |
| assertion_config.encrypt | Whether the assertion should be encrypted. Requires an encryption certificate in the SP metadata. | false | |
| assertion_config.include_session_information | Include session information in the assertion (trace ID). | true | |
| assertion_config.include_session_not_on_or_after | Include the SessionNotOnOrAfter attribute. | false | |
| assertion_config.include_remote_address | Include the client's IP address. | false | |
| assertion_config.sign_assertion | Whether the assertion itself should be signed. | true | |
| assertion_config.sign_response | Whether the full response should be signed. | true | |
| assertion_config.session_not_on_or_after_minutes | Session expiration time in minutes. | 60 | |
| assertion_config.assertion_valid_for_no_of_minutes | Assertion validity period in minutes. | 2 | |
| assertion_config.name_id | Configuration of the NameID element. | {} | |
| assertion_config.name_id.format | NameID format. | urn:oasis:names:tc:SAML:1.1:nameid-format:transient | |
| assertion_config.name_id.from_parameter | State parameter containing the value of the NameID. | nameID | |
| assertion_config.name_id.include_sp_name_qualifier | Whether to include SPNameQualifier. | false | |
| assertion_config.name_id.include_name_qualifier | Whether to include NameQualifier. | false | |
| assertion_config.attributes | Each entry in attributes describes one attribute in the assertion. | N/A | |
| assertion_config.attributes.name | Attribute name (URN or custom identifier). | N/A | |
| assertion_config.attributes.value | Name of the state attribute holding the value. | N/A | |
| assertion_config.attributes.name_format | Attribute name format, usually unspecified. | urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified | |
| assertion_config.attributes.friendly_name | Human-readable (friendlyName) alias. | N/A | |
| assertion_config.attributes.friendly_name.required | Indicates if the attribute is required. If true, the value may be empty. | false | |
| assertion_config.attributes.include_if_empty | Include the attribute even if the source value is missing. | false | |
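The following added example (not the product's own code) ties together the precedence rule described above and the property table: it selects exactly one configuration source (profile, then application, then IdP), fills gaps from the table defaults only, and then flags the two things that most often go wrong in practice: application settings that are silently ignored once a profile is attached, and an `encrypt` setting without an encryption certificate in the SP metadata. The sample application, profile and IdP objects are constructed for the example, and the `sp_has_encryption_cert` flag and the finding texts are this example's own assumptions, not product properties.

```python
"""Resolve effective SAML SP settings by the page's precedence rule and review them.

Added example, not the product's own code. Assumptions (not from the page):
each configuration source is a plain JSON object keyed by the property names in
the table; sp_has_encryption_cert and the finding texts are ours.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# Defaults exactly as listed in the property table. Properties listed as N/A
# have no default and are simply absent unless configured.
PROFILE_DEFAULTS: Dict[str, Any] = {
    "signature_algorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "assertion_config": {
        "encrypt": False,
        "include_session_information": True,
        "include_session_not_on_or_after": False,
        "include_remote_address": False,
        "sign_assertion": True,
        "sign_response": True,
        "session_not_on_or_after_minutes": 60,
        "assertion_valid_for_no_of_minutes": 2,
        "name_id": {
            "format": "urn:oasis:names:tc:SAML:1.1:nameid-format:transient",
            "from_parameter": "nameID",
            "include_sp_name_qualifier": False,
            "include_name_qualifier": False,
        },
    },
}

# The page says these two properties cannot live in a profile.
APPLICATION_ONLY = ("url", "path")


def _apply_defaults(defaults: Dict[str, Any], values: Dict[str, Any]) -> Dict[str, Any]:
    """Fill keys missing from `values` with table defaults, recursing into sub-objects.
    Only the defaults table is consulted, never another configuration source."""
    out = dict(values)
    for key, default in defaults.items():
        if isinstance(default, dict) and isinstance(out.get(key), dict):
            out[key] = _apply_defaults(default, out[key])
        elif key not in out:
            out[key] = default
    return out


def resolve_settings(application: Dict[str, Any], profile: Optional[Dict[str, Any]],
                     idp: Dict[str, Any]) -> Tuple[str, Dict[str, Any]]:
    """Pick exactly one source (profile > application > IdP) and apply defaults.
    Sources are not merged: a value set only on the application is ignored as
    soon as the application uses a profile. Returns (origin, effective)."""
    app_settings = {k: v for k, v in application.items() if k not in APPLICATION_ONLY}
    if profile is not None:
        origin, source = "profile", profile
    elif app_settings:
        origin, source = "application", app_settings
    else:
        origin, source = "idp", idp
    effective = _apply_defaults(PROFILE_DEFAULTS, source)
    for key in APPLICATION_ONLY:  # url and path always come from the application
        if key in application:
            effective[key] = application[key]
    return origin, effective


def review_settings(application: Dict[str, Any], profile: Optional[Dict[str, Any]],
                    idp: Dict[str, Any], sp_has_encryption_cert: bool) -> Tuple[str, List[str]]:
    """Return reviewer findings: settings shadowed by the precedence rule and
    combinations that the table's own descriptions rule out."""
    origin, eff = resolve_settings(application, profile, idp)
    findings: List[str] = []
    if origin == "profile":
        shadowed = sorted(k for k in application if k not in APPLICATION_ONLY)
        if shadowed:
            findings.append(f"application settings ignored because a profile is set: {shadowed}")
        misplaced = [k for k in APPLICATION_ONLY if k in profile]
        if misplaced:
            findings.append(f"{misplaced} cannot be configured in a profile; set them on the application")
    ac = eff["assertion_config"]
    if not ac["sign_assertion"] and not ac["sign_response"]:
        findings.append("neither the assertion nor the response is signed")
    if ac["encrypt"] and not sp_has_encryption_cert:
        findings.append("encrypt=true but the SP metadata has no encryption certificate")
    for attr in ac.get("attributes", []):
        if "name" not in attr or "value" not in attr:
            findings.append(f"attribute entry missing name or value: {attr}")
    return origin, findings


# Constructed sample objects for the example; not taken from any deployment.
SAMPLE_APPLICATION = json.loads("""{
  "url": "https://sp.example.test/saml/acs", "path": "/saml/acs",
  "assertion_config": {"encrypt": true}
}""")
SAMPLE_PROFILE = json.loads("""{
  "name": "standard-sp-profile",
  "belongs_to_idp": "https://idp.example.test/metadata",
  "app_tag": ["internal"],
  "assertion_config": {
    "sign_assertion": true,
    "name_id": {"format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"},
    "attributes": [
      {"name": "urn:oid:0.9.2342.19200300.100.1.3", "friendly_name": "mail", "value": "mail"}
    ]
  }
}""")
SAMPLE_IDP: Dict[str, Any] = {"assertion_config": {"sign_response": False}}

if __name__ == "__main__":
    origin, findings = review_settings(SAMPLE_APPLICATION, SAMPLE_PROFILE, SAMPLE_IDP,
                                       sp_has_encryption_cert=False)
    print(f"settings taken from: {origin}")
    for finding in findings:
        print(f"- {finding}")
```

Running the sample shows the caveat from the precedence rule in action: because the application uses a profile, its `assertion_config.encrypt: true` is not merged in, the effective value falls back to the table default `false`, and the review reports the application setting as ignored rather than silently losing it.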