Acts as a SAML 2 Identity provider. No identification is done by this authenticator. It acts as a controller for issuing SAML assertions. Typically this authenticator is the first point of contact coming from a SAML Service provider, requesting identification.
This authenticator can be considered a start and end touch point. The main purpose is to handle SAML specifics.
Actual user identification is done elsewhere.
Authenticator type: SAMLIDP
Common Authenticator configuration can be found here.
On a successful authentication event is logged containing following:
WEB_100101
IDENTIFIER (user traceid)
DESTINATION_SERVICE_NAME (target SP entity id)
SOURCE_ADDRESS (user IP address)
By default saml slo endpoints are added to the metadata template. Both POST & Redirect bindings are supported and will be injected into the metadata when requested.
Currently, only POST binding is supported for outbound request/reponse.
All data put into the shared authentication state along with the HTTP headers are exposed and sent into the pipe.
Data put into the state by this authenticator is:
SAMLRequest - mainly for internal use
requestedAuthnContextClassRefs - Multi value property of the "RequestedAuthnContext" -> "AuthnContextClassRef" if any.
spEntityID - entityID of the "calling" SP .
A subset of the sent request-headers from user-Agent.
All data returned from the assertion pipe
In order to use data from PIPE the response must contain one item. All data from that item will be available when creating SAML assertion.
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| Name | Description | Default value | Mandatory |
|---|---|---|---|
force_re_auth
Regardless of the incoming auth request. Should IDP require re-authentication.
false
idp
Value of the entity id when issuing the assertion.
N/A
assertion_config
Section for when issuing assertion. Customized for one or more SP's.
N/A
target_sp
Must include at least one SP entity id. The id must be loaded and known to the system. Use "*" to catch all SP entity ID's.
N/A
pre_assertion_pipe
ID of pipe to execute before issuing assertion. Not required.
N/A
sign_response
Should SAML assertion be signed. Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
true
sign_assertion
Should SAML assertion be signed. Signing is performed using http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
false
encrypt_assertion
Should assertion be encrypted. Encryption algorithm used is: http://www.w3.org/2009/xmlenc11#aes128-gcm
false
nameid_parameter
Attribute where value of nameID is located.
N/A
name_id_format
Format of nameID attribute.
"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
additional_attribute_parameter
List of parameter names where additional attributes is located.
N/A
auth_context_parameter
Attribute where value of auth context ref is located.
"AuthnContextClassRef"
hokap_parameter
Attribute where value of certificate is located. PEM format is expected. The public key is extracted from the certifiacted and added to the KeyValue element in the assertion. Only RSA public keys are supported.
N/A
send_failed_response
If pipe fails should a SAML response be sent back to the sp.
false
