SAML SP
About
This authenticator acts as a SAML SP.
It is typically used in SAML brokering scenarios where one or more methods of identification reside on a remote IdP.
Configuration
Authenticator type: SAMLSPBroker
Common Authenticator configuration can be found here.
issue_as_sp_entity
    The entity ID used as the issuer when sending the authn request.
    Default: N/A

target_idp_entity
    The entity ID of the remote IdP to trust.
    Default: N/A

custom_identifier
    Custom identifier to be set in the event logging entry.
    Default: N/A

force_auth_request
    Whether the authn request should force re-authentication.
    Default: false

sign_algorithm
    Which signature algorithm to use when signing authn requests. Ensure it works with the private key used. This only affects requests sent to IdPs that require signed requests.

sign_digest_method
    Which digest method to use when signing authn requests. Ensure it works with the selected signature algorithm. This only affects requests sent to IdPs that require signed requests.

validate_in_response_to
    Optional validation rule (true/false).
    Default: false

validate_audience_restrictions
    Optional validation rule (true/false).
    Default: false

validate_destination
    Optional validation rule (true/false).
    Default: false

validate_authn_instant
    Optional validation rule (true/false).
    Default: false

validate_session_timestamp
    Optional validation rule (true/false).
    Default: false

skew_time_seconds
    Maximum acceptable time difference (seconds).
    Default: 60
Requirements
The incoming request must be signed. Signed assertions are not validated.
Encrypted assertions are not supported.
Validation
The SAML response from the IdP is validated according to a set of rules. Some rules are mandatory and always validated, other rules are optional and can be activated in the configuration.
Mandatory validation rules
- Response Issuer must match target_idp_entity
- There must be at least one valid signature present
- Response status must indicate success
- Response issue timestamp (not before current timestamp)
- Assertion NotBefore timestamp
- Assertion NotOnOrAfter timestamp
Optional validation rules
- Ensure the response matches a pending request by ID (validate_in_response_to)
- Response destination (validate_destination)
- Audience restrictions (validate_audience_restrictions)
- Assertion AuthnInstant (validate_authn_instant)
- Assertion SessionNotOnOrAfter (validate_session_timestamp)
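As an added illustration (not the product's own code), the rules above applied in Python to a constructed response: the optional rules are gated by the configuration flags from the Configuration section, skew_time_seconds widens every timestamp comparison, and signature verification is assumed to have happened before this check. The issue-timestamp rule is read here as "not issued in the future, within skew", and all entity IDs, URLs and timestamps are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample response (placeholder entity ids, URLs and timestamps); the signature is omitted
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_r1" InResponseTo="_req1" IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example/acs">
 <a:Issuer>https://idp.example</a:Issuer>
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
  <a:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example</a:Audience></a:AudienceRestriction></a:Conditions>
  <a:AuthnStatement AuthnInstant="2024-01-01T11:59:30Z" SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
 </a:Assertion></p:Response>"""
# SAML xsd:dateTime values are UTC; fromisoformat wants +00:00 rather than a trailing Z
parse_ts = lambda value: datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml, cfg, now, pending_ids, acs_url):
    """Return the names of failed rules (empty list = passed). Signature checking is assumed done earlier."""
    root = ET.fromstring(xml)
    skew = timedelta(seconds=cfg.get("skew_time_seconds", 60))
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:  # exactly one assertion is allowed
        return ["single_assertion"]
    asrt, failed = assertions[0], []
    cond, authn = asrt.find("a:Conditions", NS), asrt.find("a:AuthnStatement", NS)
    # Mandatory rules, always applied
    if root.findtext("a:Issuer", namespaces=NS) != cfg["target_idp_entity"]:
        failed.append("issuer")
    if (code := root.find("p:Status/p:StatusCode", NS)) is None or code.get("Value") != SUCCESS:
        failed.append("status")
    if parse_ts(root.get("IssueInstant")) > now + skew:  # the response must not be issued in the future
        failed.append("issue_instant")
    if parse_ts(cond.get("NotBefore")) > now + skew:
        failed.append("not_before")
    if parse_ts(cond.get("NotOnOrAfter")) <= now - skew:
        failed.append("not_on_or_after")
    # Optional rules, each gated by its configuration flag (all default to false)
    if cfg.get("validate_in_response_to") and root.get("InResponseTo") not in pending_ids:
        failed.append("in_response_to")
    if cfg.get("validate_destination") and root.get("Destination") != acs_url:
        failed.append("destination")
    if cfg.get("validate_audience_restrictions"):
        audiences = [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]
        if cfg["issue_as_sp_entity"] not in audiences:
            failed.append("audience")
    if cfg.get("validate_authn_instant") and parse_ts(authn.get("AuthnInstant")) > now + skew:
        failed.append("authn_instant")
    if cfg.get("validate_session_timestamp") and parse_ts(authn.get("SessionNotOnOrAfter")) <= now - skew:
        failed.append("session_timestamp")
    return failed
```

With only the two mandatory entity settings configured, a response sent to the wrong destination for an unknown request ID still passes, which is why the optional rules are worth switching on.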
Logging
On successful authentication, an event is logged containing the following:
- WEB_100014("Authenticated using SP-broker method")
- IDENTIFIER (user traceid)
- SOURCE_SERVICE_NAME (entity id from the SAML response)
- SOURCE_USER_NAME (name id from the issued assertion)
- SOURCE_ADDRESS (user IP address)
- CUSTOMER_IDENTIFIER (if configured)
SAML response requirements
When consuming and validating the response, only one assertion is allowed. Either the response or the assertion must be signed; a response with no signature produces an error.
Currently, only the POST binding is supported for outbound requests and incoming responses.
Data exposed to global state
After successful validation, the following data is stored in the global state:
- nameID: the name-id reported in the assertion.
- remoteIssuer: the entityID of the IdP issuing the assertion.
- All additional attributes from the assertion. Multivalued attributes are merged into a comma-separated string. FriendlyName is favoured over Name: if an incoming attribute has Name urn:oid:2.5.4.42 and FriendlyName givenName, givenName is used as the key in the global state. If no FriendlyName attribute is present, Name is used.