SAML IDP
Acts as a SAML 2.0 Identity Provider (IdP). This authenticator does not identify the user itself; it is a controller that handles the SAML-specific parts of the flow and issues SAML assertions. Typically it is the first point of contact for an authentication request arriving from a SAML Service Provider (SP), and it is also the last step, returning the SAML response to that SP.
The authenticator can therefore be thought of as the start and end touch point of the flow. Its only purpose is to handle the SAML protocol.
The actual user identification is done elsewhere, by other authenticators or a pipe in the flow.
Authenticator type: SAMLIDP
Common Authenticator configuration can be found here.
Name | Description | Default value | Mandatory |
---|---|---|---|
| Regardless of the incoming authentication request, should the IdP require the user to re-authenticate (ignore an existing session)? | | |
| Entity ID of this IdP, used as the Issuer when issuing the assertion. | N/A | |
| Section for issuing the assertion, customized for one or more SPs. Its parameters are listed in the next table. | N/A | |

The assertion section has the following parameters:

Name | Description | Default value | Mandatory |
---|---|---|---|
| Must include at least one SP entity ID. Each ID must be loaded and known to the system. Use | N/A | |
| ID of the pipe to execute before issuing the assertion. Not required. | N/A | |
| Should the SAML assertion be signed? Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | | |
| Should the assertion be encrypted? The encryption algorithm used is http://www.w3.org/2009/xmlenc11#aes128-gcm | | |
| Attribute in which the value of the NameID is located. | N/A | |
| Format of the NameID. | | |
| List of parameter names in which additional attributes are located. | N/A | |
| Attribute in which the value of the AuthnContextClassRef is located. | | |
| Attribute in which the certificate is located. PEM format is expected. The public key is extracted from the certificate and added to the KeyValue element in the assertion. Only RSA public keys are supported. | N/A | |
| If the pipe fails, should a SAML response still be sent back to the SP? | | |
On successful authentication, an event is logged containing the following:
WEB_100101 (event ID)
IDENTIFIER (user trace ID)
DESTINATION_SERVICE_NAME (target SP entity ID)
SOURCE_ADDRESS (user IP address)
By default, SAML SLO (Single Logout) endpoints are added to the metadata template. Both the POST and Redirect bindings are supported and are injected into the metadata when it is requested.
Currently, only the POST binding is supported for outbound requests and responses.
The following data is put into the shared authentication state, along with the exposed HTTP headers and "remoteAddress":
SAMLRequest - mainly for internal use
RelayState (if any) - mainly for internal use
Signature (if any) - mainly for internal use
httpMethod - mainly for internal use
requestedAuthnContextClassRefs - mainly for internal use
firstKnownLogin - mainly for internal use
spEntityID
isPassive - mainly for internal use
assertedDestination - mainly for internal use
All data returned from the assertion pipe is also available.
In order to use data from the pipe, the pipe response must contain exactly one item. All data from that item is available when creating the SAML assertion.
A reference to data that is not present in the item results in that additional attribute being omitted from the SAML assertion.
Missing data for the NameID causes the flow to fail, unless the NameID format is configured as transient, in which case a generated transient identifier is used.
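The following is an added, stand-alone illustration of how the assertion rules documented above (one pipe item, NameID taken from a configured attribute, missing additional attributes omitted, missing NameID fatal unless the format is transient) compose into an assertion. It is example code, not the product's own implementation; the parameter names (name_id_attr, name_id_format, additional_attrs, auth_ctx_attr), the fallback to the "unspecified" authentication context, and the pipe item are assumptions for illustration. Signing and encryption of the result are out of scope here.

```python
# Added example, not the product's code: builds an unsigned saml:Assertion
# from one pipe item following the documented rules.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AC_PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
ET.register_namespace("saml", SAML_NS)


def q(tag):
    """Qualified tag name in the SAML 2.0 assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def select_pipe_item(pipe_response):
    """The pipe response must contain exactly one item for its data to be usable."""
    if len(pipe_response) != 1:
        raise ValueError("pipe response must contain exactly one item, got %d" % len(pipe_response))
    return pipe_response[0]


def build_assertion(issuer, sp_entity_id, item, name_id_attr, name_id_format,
                    additional_attrs=(), auth_ctx_attr=None, validity=300):
    """Build a saml:Assertion Element from one pipe item (a dict of attribute -> value)."""
    name_id = item.get(name_id_attr)
    if name_id is None:
        # Missing NameID data fails the flow unless the format is transient.
        if name_id_format != NAMEID_TRANSIENT:
            raise LookupError("attribute %r missing and NameID format is not transient" % name_id_attr)
        name_id = "_" + uuid.uuid4().hex  # generated transient identifier

    now = datetime.now(timezone.utc)
    assertion = ET.Element(q("Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                            "IssueInstant": _stamp(now)})
    ET.SubElement(assertion, q("Issuer")).text = issuer
    subject = ET.SubElement(assertion, q("Subject"))
    ET.SubElement(subject, q("NameID"), {"Format": name_id_format}).text = name_id

    # Restrict the assertion to the SP it is issued for.
    conditions = ET.SubElement(assertion, q("Conditions"), {
        "NotBefore": _stamp(now), "NotOnOrAfter": _stamp(now + timedelta(seconds=validity))})
    restriction = ET.SubElement(conditions, q("AudienceRestriction"))
    ET.SubElement(restriction, q("Audience")).text = sp_entity_id

    # AuthnContextClassRef comes from the configured attribute; the fallback to
    # "unspecified" when it is absent is an assumption of this example.
    ctx_ref = item.get(auth_ctx_attr) if auth_ctx_attr else None
    authn = ET.SubElement(assertion, q("AuthnStatement"), {"AuthnInstant": _stamp(now)})
    ctx = ET.SubElement(authn, q("AuthnContext"))
    ET.SubElement(ctx, q("AuthnContextClassRef")).text = ctx_ref or AC_UNSPECIFIED

    # Additional attributes: only those present in the item are emitted.
    present = [(n, item[n]) for n in additional_attrs if n in item]
    if present:
        stmt = ET.SubElement(assertion, q("AttributeStatement"))
        for name, value in present:
            attr = ET.SubElement(stmt, q("Attribute"), {"Name": name})
            ET.SubElement(attr, q("AttributeValue")).text = str(value)
    return assertion


def name_id(assertion):
    """Return (value, format) of the assertion's NameID."""
    el = assertion.find("./%s/%s" % (q("Subject"), q("NameID")))
    return el.text, el.get("Format")


def attribute_names(assertion):
    return [a.get("Name") for a in assertion.iter(q("Attribute"))]


def audience(assertion):
    return assertion.find(".//%s" % q("Audience")).text


# Constructed sample pipe response: one item with a NameID source, one extra attribute and an ACR.
PIPE_RESPONSE = [{"uid": "alice", "mail": "alice@example.test", "acr": AC_PASSWORD_PT}]

if __name__ == "__main__":
    item = select_pipe_item(PIPE_RESPONSE)
    a = build_assertion("https://idp.example.test/saml", "https://sp.example.test/saml", item,
                        "uid", NAMEID_UNSPECIFIED, ["mail", "department"], "acr")
    print(ET.tostring(a, encoding="unicode"))  # "department" is absent, so it is omitted
```

Running the block prints the assertion with a single "mail" attribute; "department" is referenced in the configuration but not returned by the pipe, so it is silently left out, which is worth keeping in mind when an SP reports a missing attribute.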