SAML IDP
Last updated
Acts as a SAML 2 Identity Provider. No user identification is done by this authenticator; it acts as a controller for issuing SAML assertions. Typically this authenticator is the first point of contact for a request coming from a SAML Service Provider that asks for identification.
This authenticator can be considered the start and end touch point of the flow. Its main purpose is to handle the SAML specifics.
Actual user identification is done elsewhere.
Authenticator type: SAMLIDP
Common Authenticator configuration can be found here.
Name | Description | Default value | Mandatory |
---|---|---|---|
| | Regardless of the incoming auth request, should the IDP require re-authentication. | | |
| | Value of the entity id used when issuing the assertion. | N/A | |
| | Section with settings used when issuing the assertion. Customized for one or more SPs. | N/A | |

Settings in the assertion section:

Name | Description | Default value | Mandatory |
---|---|---|---|
| | Must include at least one SP entity id. The id must be loaded and known to the system. Use | N/A | |
| | ID of the pipe to execute before issuing the assertion. Not required. | N/A | |
| | Should the SAML assertion be signed. Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | | |
| | Should the SAML assertion be signed. Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | | |
| | Should the assertion be encrypted. The encryption algorithm used is http://www.w3.org/2009/xmlenc11#aes128-gcm | | |
| | Attribute where the value of the nameID is located. | N/A | |
| | Format of the nameID attribute. | | |
| | List of parameter names where additional attributes are located. | N/A | |
| | Attribute where the value of the auth context ref is located. | | |
| | Attribute where the value of the certificate is located. PEM format is expected. The public key is extracted from the certificate and added to the KeyValue element in the assertion. Only RSA public keys are supported. | N/A | |
| | If the pipe fails, should a SAML response be sent back to the SP. | | |
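The following is an added example, not code from the product documented here. It shows how the assertion-section settings above (SP entity ids, nameID attribute, nameID format, additional attribute names, auth context ref attribute) map onto an unsigned SAML 2.0 Assertion built from the single item an assertion pipe returns. The config key names (`spEntityIDs`, `nameIDAttribute`, `nameIDFormat`, `attributes`, `authnContextRefAttribute`), the pipe item layout, and the fallback auth context class are assumptions for illustration; the element names are those of the SAML 2.0 assertion schema.

```python
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
# Assumed fallback when the configured auth-context attribute is absent from the pipe item.
UNSPECIFIED_ACR = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
TS = "%Y-%m-%dT%H:%M:%SZ"


def _q(local_name):
    return f"{{{SAML}}}{local_name}"


def build_assertion(section, item, idp_entity_id, now=None, lifetime_s=300):
    """Build an unsigned Assertion from one pipe item using hypothetical section keys."""
    now = now or dt.datetime.now(dt.timezone.utc)
    name_id_attr = section["nameIDAttribute"]
    if name_id_attr not in item:
        # The pipe did not deliver the attribute configured to hold the nameID.
        raise ValueError(f"pipe item lacks nameID attribute '{name_id_attr}'")

    a = ET.Element(_q("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                     "Version": "2.0", "IssueInstant": now.strftime(TS)})
    ET.SubElement(a, _q("Issuer")).text = idp_entity_id

    subject = ET.SubElement(a, _q("Subject"))
    name_id = ET.SubElement(subject, _q("NameID"), {"Format": section["nameIDFormat"]})
    name_id.text = str(item[name_id_attr])

    # Restrict the assertion to the SP it is issued for (first configured entity id here).
    conditions = ET.SubElement(a, _q("Conditions"), {
        "NotBefore": now.strftime(TS),
        "NotOnOrAfter": (now + dt.timedelta(seconds=lifetime_s)).strftime(TS)})
    restriction = ET.SubElement(conditions, _q("AudienceRestriction"))
    ET.SubElement(restriction, _q("Audience")).text = section["spEntityIDs"][0]

    # AuthnContextClassRef comes from the configured attribute, if the pipe set it.
    authn = ET.SubElement(a, _q("AuthnStatement"), {"AuthnInstant": now.strftime(TS)})
    acr = item.get(section.get("authnContextRefAttribute", ""), UNSPECIFIED_ACR)
    ctx = ET.SubElement(authn, _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = acr

    # Only the listed attribute names are copied; multi-valued items become several values.
    present = [n for n in section.get("attributes", []) if n in item]
    if present:
        stmt = ET.SubElement(a, _q("AttributeStatement"))
        for name in present:
            attr = ET.SubElement(stmt, _q("Attribute"), {"Name": name})
            values = item[name] if isinstance(item[name], (list, tuple)) else [item[name]]
            for v in values:
                ET.SubElement(attr, _q("AttributeValue")).text = str(v)
    return a


def to_xml(assertion):
    return ET.tostring(assertion, encoding="unicode")


def find_text(assertion, local_name):
    el = assertion.find(f".//{_q(local_name)}")
    return None if el is None else el.text


def find_attr(assertion, local_name, attr):
    el = assertion.find(f".//{_q(local_name)}")
    return None if el is None else el.get(attr)


def count(assertion, local_name):
    return len(assertion.findall(f".//{_q(local_name)}"))


# Constructed sample section and pipe item (hypothetical names and values).
EXAMPLE_SECTION = {
    "spEntityIDs": ["https://sp.example.test/metadata"],
    "nameIDAttribute": "uid",
    "nameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "attributes": ["mail", "groups", "phone"],
    "authnContextRefAttribute": "acr",
}
EXAMPLE_ITEM = {"uid": "alice", "mail": "alice@example.test", "groups": ["staff", "admins"],
                "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}


def demo():
    fixed = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    return build_assertion(EXAMPLE_SECTION, EXAMPLE_ITEM, "https://idp.example.test", now=fixed)


if __name__ == "__main__":
    print(to_xml(demo()))
```

The `phone` attribute is listed in the section but absent from the item, so it is simply not emitted; a missing nameID attribute, by contrast, is a hard failure, since an assertion without a Subject identifier is useless to the SP.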
On successful authentication an event is logged containing the following:
WEB_100101
IDENTIFIER (user trace id)
DESTINATION_SERVICE_NAME (target SP entity id)
SOURCE_ADDRESS (user IP address)
By default, SAML SLO endpoints are added to the metadata template. Both POST and Redirect bindings are supported and will be injected into the metadata when requested.
Currently, only the POST binding is supported for outbound requests and responses.
All data put into the shared authentication state, along with the HTTP headers, is exposed and sent into the pipe.
Data put into the state by this authenticator is:
SAMLRequest - mainly for internal use
requestedAuthnContextClassRefs - multi-valued property holding the "RequestedAuthnContext" -> "AuthnContextClassRef" values, if any.
spEntityID - entityID of the "calling" SP.
A subset of the request headers sent by the user agent.
All data returned from the assertion pipe.
In order to use data from the pipe, the response must contain a single item. All data from that item will be available when creating the SAML assertion.
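Added example (not the product's own code) of the state handling described above: a POST-binding SAMLRequest is base64-decoded, the issuing SP is checked against the set of SP entity ids known to the system (the requirement stated for the assertion section), and `spEntityID`, `requestedAuthnContextClassRefs` and a whitelisted subset of request headers are placed in the state. `select_pipe_item` enforces the rule that the pipe response must hold a single item. The sample AuthnRequest, the SP entity id and the forwarded header names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest from a hypothetical SP (not a real endpoint).
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ForceAuthn="false" AssertionConsumerServiceURL="https://sp.example.test/acs">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Headers that are forwarded into the pipe state; everything else (cookies, auth
# headers) stays out. Hypothetical whitelist.
FORWARDED_HEADERS = ("User-Agent", "Accept-Language")


def encode_post_binding(xml_text):
    """POST binding carries the request as plain base64 of the XML (no DEFLATE)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def request_to_state(saml_request_b64, known_sp_entity_ids, headers):
    """Decode an inbound AuthnRequest and return the state entries documented above."""
    # ElementTree's expat parser does not resolve external entities, which is the
    # property we want when parsing attacker-supplied XML.
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")

    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in known_sp_entity_ids:
        # Only SPs whose metadata is loaded may start a flow.
        raise ValueError(f"unknown SP entity id '{issuer}'")

    refs = [el.text.strip()
            for el in root.findall(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
            if el.text and el.text.strip()]

    state = {
        "SAMLRequest": saml_request_b64,
        "spEntityID": issuer,
        "requestedAuthnContextClassRefs": refs,
        "forceAuthn": root.get("ForceAuthn", "false").lower() == "true",
    }
    for name in FORWARDED_HEADERS:
        if name in headers:
            state[name] = headers[name]
    return state


def select_pipe_item(pipe_output):
    """The assertion pipe must return exactly one item for its data to be usable."""
    if len(pipe_output) != 1:
        raise ValueError(f"assertion pipe must return one item, got {len(pipe_output)}")
    return pipe_output[0]


if __name__ == "__main__":
    encoded = encode_post_binding(SAMPLE_AUTHN_REQUEST)
    print(request_to_state(encoded, {"https://sp.example.test/metadata"},
                           {"User-Agent": "demo/1.0", "Cookie": "session=secret"}))
```

Rejecting an unknown issuer before anything is written to the state keeps unregistered SPs from driving the authenticator at all, and copying only whitelisted headers keeps session cookies out of the pipe.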