SAML SP

About

This authenticator act as a SAML SP.

Typically used in SAML brokering scenarios when one or more methods of identification reside on remote IDP.

Configuration

Authenticator type: SAMLSPBroker

Common Authenticator configuration can be found here.

Name

Description

Default value

Mandatory

{
    "id": "sp",
    "type": "SAMLSPBroker",
    "config": {
        "base_path": "/saml/authn",
        "issue_as_sp_entity":"http://anvil.fortifiedid.se",
        "target_idp_entity":"https://samltest.id/saml/idp"
    }
}

Requirements

The incoming request must be signed. Signed assertions is not validated.

Encrypted assertions are not supported.

Logging

On a successful authentication event is logged containing the following:

WEB_100014("Authenticated using SP-broker method")
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (entity id from the SAML response)
SOURCE_USER_NAME (name id from the issued assertion)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (if configured)

SAML response requirements

When consuming and validating the response only one assertion is allowed. The response MUST be signed. Signature in the assertion is not validated. Encrypted assertions are not supported.

Currently, only POST binding is supported for outbound and incoming request/response.

Data exposed to global state

After successful validation, data stored in the global state are:

nameID - containing the name-id reported in the assertion.
remoteIssuer - value of the IDP entityID issuing the assertion.
All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string.

PreviousSAML IDP NextIDP Discovery Service

Last updated 1 year ago