SAML SP
About
This authenticator acts as a SAML SP.
Typically used in SAML brokering scenarios where one or more methods of identification reside on a remote IDP.
Configuration
Authenticator type: SAMLSPBroker
Common Authenticator configuration can be found here.
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| | The entity ID used when sending the authn request. | N/A | |
| | The remote IDP entity ID to trust. | N/A | |
| | Custom identifier to be set in the event logging entry. | N/A | |
Requirements
The incoming request must be signed. Signatures on assertions are not validated.
Encrypted assertions are not supported.
Logging
On successful authentication, an event is logged containing the following:
WEB_100014("Authenticated using SP-broker method")
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (entity id from the SAML response)
SOURCE_USER_NAME (name id from the issued assertion)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (if configured)
SAML response requirements
When consuming and validating the response, only one assertion is allowed. The response MUST be signed. The signature on the assertion itself is not validated. Encrypted assertions are not supported.
Currently, only POST binding is supported for outbound and incoming request/response.
Data exposed to global state
After successful validation, data stored in the global state are:
nameID - containing the name-id reported in the assertion.
remoteIssuer - value of the IDP entityID issuing the assertion.
All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string.