IdP Proxy - Generic (SAMLSPBroker)

Scenario

If you have an authentication selector in Fortified ID Access that already integrates with methods such as Swedish BankID, Active Directory, or other identity providers, and you want to add authentication methods from an external IdP as an additional option, this use case will guide you through the process.

When a user selects The external IdP during sign-in, they will be redirected for authentication and then returned to Fortified ID Access upon successful login. In this scenario, we will append the default installation with the authentication method provided by the external IdP.

In this use case:

Fortified ID Access will act as the bridge/proxy between application and External IdP
- Fortified ID Access will act as a SAML SP to External SAML IdP
- Fortified ID Access will act as a SAML IdP to SAML SP application

Prerequisite

This use case assumes that you have good knowledge of the product in question.
Fortified ID Access installed and configured with the default configuration
You need access to the External IdP

Install and prepare configuration

Add a Trusted Application to the external IdP, by referring the url or file-path. Note, the server might not start if not performed correctly.
Upload the following metadata template as a resource.
Add an authenticator with the following configuration.

{
  "id": "samlspbroker",
  "type": "SAMLSPBroker",
  "description": "This authenticator act as a SAML SP.",
  "config": {
    "base_path": "${globals.default_login_suffix}",
    "issue_as_sp_entity": "${globals.samlspbroker_spentityid}",
    "target_idp_entity": "${globals.samlspbroker_idpentityid}"
  },
  "display_name": "SAMLSPBroker 1"
}

Append you globals with the following parameters and adjust them according to you needs

{
  "samlspbroker_template": "${system.customer_home}/resources/fortifiedid_samlspbroker_template.xml",
  "samlspbroker_metadata_id": "samlspbroker",
  "samlspbroker_spentityid": "${globals.default_login_location}/samlspbroker",
  "samlspbroker_idpentityid": "THIS_IS_THE_ENTITYID_OF_THE_EXTERNAL_IDP"
}

Append the translations file with the following translation

{
  "samlspbroker_label": "External IdP"
}

Append the selector with at reference to the new authenticator by appending this block to the default selector

{
    "id": "12",
    "target": "samlspbroker",
    "label": "samlspbroker_label",
    "logo": "assets/svg/bankid.svg"
}

Append the SAML Module with the new SAML SP configuration

{
  "id": "${globals.samlspbroker_metadata_id}",
  "metadata_file_path": "${globals.samlspbroker_template}",
  "sign_ref": [
    {
      "keystore": {
        "key_password": "${globals.default_keystore_password}",
        "password": "${globals.default_keystore_password}",
        "path": "${globals.default_saml_keystore}"
      }
    }
  ]
}

Restart the Access service
Download the metadata for the SAML-SP from https://<hostname>/saml/metadata/samlspbroker and configure the external IdP to trust it.

Test the configuration

Browse to a site protected by the Access server. Optionally the default login url https://localhost:8443/access/authn/samllogin might be used.
The selector should now be displayed, including the new option for "External IdP".
Select "External IdP"
You will be redirected to the external IdP for authentication
After a successful authentication you will be redirected back to the Access server and finally to the selected application or the Fortified ID test application.

PreviousMicrosoft Entra ID (SAMLSPBroker)NextCertificate-Based Authentication

Last updated 23 hours ago