SAMLSP
Web applications provided by Fortified ID use this module for authentication instead of providing their own.
Last updated
Configuring this module together with a web application turns that web application into a SAML SP. The module supports:

- POST binding only
- Unsigned authentication requests
- Signed logout requests (only supported if the IdP metadata includes SLO)
The application using the SP provides functionality under "/portal". See example in configuration below.
Module name: SAMLSP
Note that the configuration must be enclosed in an AuthN module configuration.
When configuring, make sure the application and this module share the same HTTP URI.
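As an added example (not from the Fortified ID documentation or product): a constructed configuration for this module, written as JSON inside a small Python script that checks the rules stated on this page (type must be "SAMLSP", a signing keystore under `sign_ref`, exactly one of `url` or `path` under `metadata`, and a `context_path` under the application's URI). The nesting (the SAMLSP object under an `authn` key, the keystore under `config.sign_ref`, the metadata source under `config.metadata`), every host name, path and password, and the function names `validate_samlsp`, `metadata_url` and `load_sample` are assumptions made for this example.

```python
"""Added example, not Fortified ID's own code: a constructed SAMLSP configuration
plus a validator for the rules this page states. The exact JSON nesting is assumed."""
import json
from urllib.parse import urlsplit

# Constructed sample configuration. Entity ID, paths and passwords are placeholders.
SAMPLE_CONFIG_JSON = """
{
  "authn": {
    "id": "saml_sp",
    "type": "SAMLSP",
    "context_path": "http://localhost:8090/portal/authn",
    "success_location": "http://localhost:8090/portal/home",
    "logout_location": "http://localhost:8090/portal/logged_out",
    "entity_id": "https://sp.example.test/saml",
    "metadata_output_directory": "/var/lib/samlsp",
    "internal_http_destination": "default",
    "metadata_cache": "/var/cache/samlsp",
    "config": {
      "sign_ref": [
        {"keystore": {"path": "/etc/samlsp/sp-sign.p12",
                      "password": "<keystore-password-placeholder>",
                      "alias": "sp-sign",
                      "key_password": "<key-password-placeholder>"}}
      ],
      "metadata": {"url": "https://idp.example.test/saml/metadata"}
    }
  }
}
"""

# Fields the page lists for the keystore inside sign_ref.
KEYSTORE_FIELDS = ("path", "password", "alias", "key_password")


def metadata_url(acs_location: str) -> str:
    """SP metadata is served at the AssertionConsumerService location + '/metadata'."""
    return acs_location.rstrip("/") + "/metadata"


def validate_samlsp(cfg: dict, app_base_uri: str) -> list:
    """Return a list of problems found in the SAMLSP section (empty list means OK)."""
    problems = []
    if cfg.get("type") != "SAMLSP":
        problems.append('type must be "SAMLSP"')
    for key in ("id", "context_path", "success_location"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")
    # The module and the application must share the same HTTP URI.
    ctx = cfg.get("context_path", "")
    if not ctx.startswith(app_base_uri):
        problems.append(f"context_path {ctx!r} is not under the application URI {app_base_uri!r}")
    inner = cfg.get("config", {})
    # A sign key is required because logout requests are signed.
    sign_ref = inner.get("sign_ref") or []
    if not sign_ref:
        problems.append("config.sign_ref must define at least one keystore (logout requests are signed)")
    for i, ref in enumerate(sign_ref):
        ks = ref.get("keystore", {})
        missing = [f for f in KEYSTORE_FIELDS if not ks.get(f)]
        if missing:
            problems.append(f"sign_ref[{i}].keystore is missing {', '.join(missing)}")
    # IdP metadata comes from either url OR path, never both, never neither.
    md = inner.get("metadata", {})
    sources = [k for k in ("url", "path") if md.get(k)]
    if len(sources) != 1:
        problems.append("config.metadata must set exactly one of url or path")
    if "url" in sources and urlsplit(md["url"]).scheme not in ("http", "https"):
        problems.append("config.metadata.url must be an http(s) URL")
    return problems


def load_sample() -> dict:
    """Parse the constructed sample and return its SAMLSP section."""
    return json.loads(SAMPLE_CONFIG_JSON)["authn"]


if __name__ == "__main__":
    sp = load_sample()
    print("problems:", validate_samlsp(sp, "http://localhost:8090/portal"))
    print("metadata at:", metadata_url("http://localhost:8090/portal/authn/login"))
```

Running the script against the sample reports no problems; removing a keystore field or setting both `url` and `path` produces a message naming the offending key, which is the kind of check worth running before a restart, since metadata changes only take effect after one.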
Name | Description | Default value | Mandatory |
---|---|---|---|
id | Used to reference from external configuration objects when needed | N/A | |
type | Name of the implementation. Must be "SAMLSP" | N/A | |
context_path | URL where authentication is done | N/A | |
success_location | Where to send the user agent after successful authentication | N/A | |
metadata_output_directory | Where to store the metadata after startup | `<system_root>` | |
entity_id | The entity ID used in the federation. Overrides the value defined in the metadata template | N/A | |
logout_location | Where to send the user agent after successful logout | system default page | |
internal_http_destination | When loading metadata from an HTTP location, the name of the internal HTTP client module handling the outbound request | default | |
metadata_cache | When loading metadata from an HTTP location, where to cache the result | "." (working directory) | |

In the config section a sign key must be defined for signing messages. Currently only logout requests are signed. The sign key is the keystore property inside the sign_ref array property, with the following fields:

Name | Description | Default value | Mandatory |
---|---|---|---|
path | Location of the key store | N/A | |
password | Key-store password | N/A | |
alias | Alias to use in the key-store | N/A | |
key_password | Password to the private key | N/A | |

Metadata is generated at startup and saved to the location defined by the configuration (metadata_output_directory). It can also be retrieved over HTTP by appending /metadata to the AssertionConsumerService location defined in the metadata template.

Example: if the AssertionConsumerService location in the metadata template is http://localhost:8090/portal/authn/login, the metadata is available at http://localhost:8090/portal/authn/login/metadata.

Changes in metadata require a restart.

IdP metadata is consumed either from a file or from a URL. The URL or path is set in the metadata property inside the config property. Use either url OR path, not both.

When metadata is fetched from a URL, the result is cached (see metadata_cache) as a fallback for later reloads and restarts. If the cache is missing, the system retries the fetch every minute. Log entries are written when fetching the remote metadata fails.

The metadata must have an EntityDescriptor as its top element and must include an IDPSSODescriptor.

SLO is supported only when initiated from the SP application, not by the IdP.

The attached metadata template can be used as a bare minimum.

Name | Description | Default value | Mandatory |
---|---|---|---|
url | Full HTTP URL | N/A | |
path | Full file path | N/A | |
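As an added example (not Fortified ID's own code): a check that an IdP metadata document meets what this page requires before the module is pointed at it, namely an EntityDescriptor top element containing an IDPSSODescriptor, and that it offers an SLO endpoint, since signed logout requests are only supported when the IdP metadata includes SLO. The sample metadata, the IdP entity ID and URLs are constructed placeholders; the function names `inspect_idp_metadata` and `usable_by_samlsp` are chosen here, and the check for an HTTP-POST SingleSignOnService is this example's reading of "POST binding only", not something the page states about the IdP side.

```python
"""Added example, not Fortified ID's own code: inspect IdP metadata for the
properties the SAMLSP module depends on. Sample document is constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (placeholder entity ID and locations).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the facts about an IdP metadata document that the SAMLSP module relies on.

    Metadata may be fetched from a remote URL, so in production parse it with a
    hardened parser such as defusedxml rather than the stdlib one used here.
    """
    root = ET.fromstring(xml_text)
    result = {
        # Page requirement: EntityDescriptor must be the top element.
        "is_entity_descriptor": root.tag == f"{{{MD_NS}}}EntityDescriptor",
        "entity_id": root.get("entityID"),
        # Page requirement: an IDPSSODescriptor must be present.
        "has_idp_descriptor": False,
        # Assumed reading of "POST binding only": the IdP must offer a POST SSO endpoint.
        "post_sso_location": None,
        # Page rule: signed logout requests only if the IdP metadata includes SLO.
        "slo_location": None,
        "signed_logout_supported": False,
    }
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        return result
    result["has_idp_descriptor"] = True
    for sso in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        if sso.get("Binding") == POST_BINDING:
            result["post_sso_location"] = sso.get("Location")
    slo = idp.find(f"{{{MD_NS}}}SingleLogoutService")
    if slo is not None:
        result["slo_location"] = slo.get("Location")
        result["signed_logout_supported"] = True
    return result


def usable_by_samlsp(xml_text: str) -> bool:
    """True when the document satisfies the structural requirements listed above."""
    r = inspect_idp_metadata(xml_text)
    return r["is_entity_descriptor"] and r["has_idp_descriptor"] and r["post_sso_location"] is not None


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
    print("usable:", usable_by_samlsp(SAMPLE_IDP_METADATA))
```

A document whose top element is an EntitiesDescriptor, or that only carries an SPSSODescriptor, is reported as unusable, and a missing SingleLogoutService shows up as `signed_logout_supported: False` so the operator knows in advance that SP-initiated signed logout will not be available.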