SAML SP

About

This authenticator act as a SAML SP.

Typically used in SAML brokering scenarios when one or more methods of identification reside on remote IDP.

Configuration

Authenticator type: SAMLSPBroker

Common Authenticator configuration can be found here.

Name Description Default value Mandatory

Name	Description	Default value
`issue_as_sp_entity`	When sending authn request, what is the entity id used.	N/A
`target_idp_entity`	The remote IDP entity id to trust.	N/A
`custom_identifier`	Custom identifier to be set inte the event logging entry	N/A
`force_auth_request`	Should the auth request force re-authentication	false
`sign_algorithm`	Which signature algorithm to use if signing authn-requests. Ensure it is working with the private key used. This will only affect requests sent to idp's requiring signing requests.	http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
`sign_digest_method`	Which digest method to use if signing authn-requests. Ensure it is working selected signature algorithm. This will only affect requests sent to idp's requiring signing requests.	http://www.w3.org/2001/04/xmlenc#sha256

issue_as_sp_entity

When sending authn request, what is the entity id used.

N/A

target_idp_entity

The remote IDP entity id to trust.

N/A

custom_identifier

Custom identifier to be set inte the event logging entry

N/A

force_auth_request

Should the auth request force re-authentication

false

sign_algorithm

Which signature algorithm to use if signing authn-requests. Ensure it is working with the private key used. This will only affect requests sent to idp's requiring signing requests.

http://www.w3.org/2001/04/xmldsig-more#rsa-sha256

sign_digest_method

Which digest method to use if signing authn-requests. Ensure it is working selected signature algorithm. This will only affect requests sent to idp's requiring signing requests.

http://www.w3.org/2001/04/xmlenc#sha256

{
    "id": "sp",
    "type": "SAMLSPBroker",
    "config": {
        "base_path": "/saml/authn",
        "issue_as_sp_entity":"http://anvil.fortifiedid.se",
        "target_idp_entity":"https://samltest.id/saml/idp"
    }
}

Requirements

The incoming request must be signed. Signed assertions is not validated.

Encrypted assertions are not supported.

Logging

On a successful authentication event is logged containing the following:

WEB_100014("Authenticated using SP-broker method")
IDENTIFIER (user traceid)
SOURCE_SERVICE_NAME (entity id from the SAML response)
SOURCE_USER_NAME (name id from the issued assertion)
SOURCE_ADDRESS (user IP address)
CUSTOMER_IDENTIFIER (if configured)

SAML response requirements

When consuming and validating the response only one assertion is allowed. The response MUST be signed. Signature in the assertion is not validated. Encrypted assertions are not supported.

Currently, only POST binding is supported for outbound and incoming request/response.

Data exposed to global state

After successful validation, data stored in the global state are:

nameID - containing the name-id reported in the assertion.
remoteIssuer - value of the IDP entityID issuing the assertion.
All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string.

PreviousSAML IDP NextIDP Discovery Service

Last updated 9 months ago