2024.90 AuthN
SAMLSP

Web applications provided by Fortified ID use this module for authentication instead of providing their own.

Configuring this module together with a web application turns that web application into a SAML SP.

Supported features

  • POST binding only

  • Unsigned auth requests

  • Signed logout requests (only supported if the IDP metadata includes SLO)

Example:

The application using the SP provides its functionality under "/portal". See the configuration example below.

Configuration

Module name: SAMLSP

Note that the configuration must be enclosed in an AuthN module configuration.

When configuring, make sure the application and this module share the same HTTP URI.

| Name | Description | Default | Mandatory |
|---|---|---|---|
| id | Used to reference this module from external configuration objects when needed | N/A | |
| type | Name of the implementation. Must be "SAMLSP" | N/A | |
| context_path | URL where authentication is done. | N/A | |
| success_location | Where to send the user agent after successful authentication. | N/A | |
| metadata_output_directory | Where to store the metadata after startup | <system_root> | |
| entity_id | The entity ID used in the federation. Overrides the value defined in the metadata template. | N/A | |
| logout_location | Where to send the user agent after successful logout | system default page | |
| internal_http_destination | When loading metadata from an HTTP location, the name of the internal HTTP client module handling the outbound request. | default | |
| metadata_cache | When loading metadata from an HTTP location, where to cache the result. | "." (working directory) | |

{
    "id": "<add_unique_id>",
    "type": "SAMLSP",
    "metadata_cache": "${system.customer_home}/samlcache",
    "config": {
        "context_path": "/<fortifiedid_app>/authn/login",
        "success_location": "/<fortifiedid_app>/",
        "logout_location": "/<fortifiedid_app>/logged_out",
        "metadata_output_directory": "${system.customer_home}/resources/",
        "metadata": {
            "url": "https://<fortifiedid_access_servername>/saml/metadata/idp"
        },
        "entity_id": "https://<fortifiedid_app>.fortifiedid.se",
        "metadata_file_path": "<path_to_meta_data_template>",
        "sign_ref": [
            {
                "keystore": {
                    "path": "<path_to_keystore>",
                    "password": "<password_to_key_store>",
                    "alias": "<alias_in_key_store>",
                    "key_password": "<password_to_private_key_in_key_store>"
                }
            }
        ]
    }
}

Sign keys configuration

In the config section a sign key must be defined for signing messages. Currently only logout requests are signed. The sign keys reside in the keystore property within the sign_ref array property.

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| path | Location of the key store | N/A | |
| password | Key-store password | N/A | |
| alias | Alias to use in the key-store | N/A | |
| key_password | Password to the private key | N/A | |

Metadata generation

Metadata is generated at startup and saved to the location defined by the configuration. Metadata can also be retrieved from the URL defined as the AssertionConsumerService location by appending /metadata.

Example: with the application under "/portal" and context_path set to "/portal/authn/login", the metadata is available at http://localhost:8090/portal/authn/login/metadata

Changes in metadata require a reboot.

Metadata consumption

Metadata is consumed either from a file specified in the configuration or from a URL.

The URL or path is defined in the metadata property residing in the config property.

| Name | Description | Default value | Mandatory |
|---|---|---|---|
| url | Full http url | N/A | |
| path | Full file path | N/A | |

Use either url OR path.

When metadata is consumed from a URL, the result is cached as a fallback for later reloads and restarts. If the cache is missing, the system retries the fetch every minute. Log entries are written when fetching remote metadata fails.

Metadata must have an EntityDescriptor as its top-level element and must include an IDPSSODescriptor.
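As an added pre-flight check (not code from the module or from this page), the following Python script verifies an IDP metadata document against the requirements stated above: EntityDescriptor as the top element, an IDPSSODescriptor inside it, a SingleSignOnService with HTTP-POST binding (the module supports POST binding only; applying that to the IDP's SSO endpoint is an assumption), and whether a SingleLogoutService is published, which signed logout requests depend on. The sample metadata and the idp.example.test host are constructed; the namespace and binding URIs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample IDP metadata (hypothetical host, not taken from the page).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso-redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Check metadata against the SAMLSP rules; use defusedxml for untrusted input."""
    result = {"entity_descriptor": False, "idp_sso_descriptor": False,
              "post_sso": None, "slo": None, "problems": []}
    root = ET.fromstring(xml_text)
    # Rule 1: the top element must be md:EntityDescriptor (not EntitiesDescriptor).
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        result["problems"].append("top element is %s, expected md:EntityDescriptor" % root.tag)
        return result
    result["entity_descriptor"] = True
    # Rule 2: an md:IDPSSODescriptor must be present.
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["problems"].append("no md:IDPSSODescriptor in metadata")
        return result
    result["idp_sso_descriptor"] = True
    # Rule 3: POST binding only, so look for an HTTP-POST SSO endpoint (assumption, see lead-in).
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            result["post_sso"] = sso.get("Location")
            break
    if result["post_sso"] is None:
        result["problems"].append("no SingleSignOnService with HTTP-POST binding")
    # Rule 4: signed logout requests only work when the IDP publishes SLO.
    slo = idp.find("md:SingleLogoutService", NS)
    if slo is None:
        result["problems"].append("no SingleLogoutService: SAML logout will be unavailable")
    else:
        result["slo"] = slo.get("Location")
    return result
```

Run it against the file you intend to reference in the metadata property (or the cached copy in metadata_cache) before restarting, since metadata changes only take effect after a reboot.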

SAML log out

SLO is supported only when initiated from the SP application, not by the IDP.

Template example

The attached metadata template can be used as a bare minimum.

The AssertionConsumerService in the metadata template holds the location value, here http://localhost:8090/portal/authn/login, and the metadata is served at http://localhost:8090/portal/authn/login/metadata

Attachment: spmeta_template.xml (403 B)