Service Provider Types: SAML2


Introduction

Configure Service Providers that use the SAML (Security Assertion Markup Language) 2.0 Protocol. 

General Settings

These settings describe the behavior of the interaction between the Service Provider and IDHub (acting as IDP). 

Display Name: User-defined name of the Service Provider.
URL: Not used.
Description: User-defined description of the Service Provider.
Authentication Scheme: Defines which IDP(s) can authenticate a user for this Service Provider, and how the user can authenticate.
Type: "SAML2".
Subject: Primary user attribute that is used to identify the user.
Entity ID: Uniquely identifies your SAML2 partner. The partner provides it if you want to use SAML2.
Signs Authentication Request: Indicates whether the Service Provider digitally signs the Authentication Request.
Response Signed: If set to true, the response from IDHub to the Service Provider is signed.
Assertion Signed: If set to true, the assertion from IDHub to the Service Provider is signed.
Assertion Encrypted: If set to true, the assertion from IDHub to the Service Provider is encrypted.
Encrypted Type: Defines which part of the assertion is encrypted:
  • ASSERTION: The complete assertion is encrypted.
  • NAMEID: Only the Name ID (subject) value in the assertion is encrypted.
  • ATTRIBUTES: All the user attributes in the assertion are encrypted.
Encryption Method: The algorithm used to encrypt the SAML responses sent to the Service Provider. This is specified in the Algorithm attribute of the EncryptionMethod element in the XML metadata provided by the Service Provider.
SLO Signed: If set to true, the logout request to or from the Service Provider is signed.
Default Name ID: The Name ID format to use when a Service Provider does not provide a Name ID format in the authentication request.
Include X509 Certificate: Includes the complete certificate in the signature.
Include X509 Alias: Includes the signing certificate alias in the signature.
Include PK Name: Includes the public key name in the signature.
Signature Method: Defines which algorithm is used to sign the assertion.
Post Profile Template: A template form that is used to execute some JavaScript (e.g. to log in) before accessing the Service Provider.
Audience: The Audience is included in the assertion and is used by the Service Provider to verify that the assertion is intended for it. This field allows IDHub to specify a specific Audience in the assertion for this Service Provider. If this value is not provided in IDHub, the Entity ID of the Service Provider is used.
Subject Recipient: Typically a URL (URI) specifying the location where the assertion is to be presented to the Service Provider. For example, this attribute might indicate that the assertion must be delivered to a particular network endpoint in order to prevent an intermediary from redirecting it someplace else.
IDHub Entity ID: Overrides the unique identification of IDHub towards this Service Provider, instead of the default.

Certificate Settings

Certificates are managed in the Certificate Overview.

It is still possible to import certificates without needing to leave the Service Provider screen.

Context: Defines what the certificate is used for.
  • Key - Signing: Used to sign messages to the SP.
  • Key - Encryption: Used to decrypt the messages sent from the SP.
  • Key - TLS: Used to initiate a secure connection (TLS) to the SP.
  • Trust - Signing: Used to verify the signature of messages sent by the SP.
  • Trust - Encryption: Used to encrypt the messages sent to the SP.
  • Trust - TLS: Used to accept a secure connection (TLS) from the SP.
Certificate Alias: The alias of the certificate to use for this context.
Used From: Defines from when this certificate may be used. In some cases these periods may overlap for the same context (e.g. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Trust - Encryption, Key - TLS).
Used Until: Defines until when this certificate may be used.

ACS Endpoints

This is a list of endpoints to which assertions can be sent (AssertionConsumerService).

Binding: How the assertion is provided to the Service Provider.
  • HTTP Post
  • HTTP Redirect
  • HTTP Artifact
Location: URL of the endpoint.
Index: Index of the endpoint (provided by the SP).
Default: Defines whether this is the default assertion endpoint. Exactly one ACS endpoint must be marked as default. If the SP does not name an AssertionConsumerService in the Authentication Request, this ACS endpoint is used.
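The three fallback rules stated in the tables above (Audience falls back to the Entity ID, Default Name ID is used when the request carries no Name ID format, the default ACS endpoint is used when the request names none) are easy to get subtly wrong, in particular by accepting a delivery URL the SP never registered. The script below is an added example, not IDHub's own code; the class and function names are hypothetical, the configuration values are constructed placeholders, and the fallback of Subject Recipient to the chosen ACS location is an assumption this example makes rather than documented IDHub behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not IDHub's own code. Field names mirror the General
# Settings and ACS Endpoints tables; classes and functions are hypothetical.


@dataclass
class AcsEndpoint:
    binding: str        # "HTTP Post", "HTTP Redirect" or "HTTP Artifact"
    location: str       # URL of the endpoint
    index: int          # index assigned by the SP
    default: bool = False


@dataclass
class ServiceProvider:
    entity_id: str
    default_name_id: str
    acs_endpoints: list
    audience: Optional[str] = None           # not set in IDHub -> Entity ID is used
    subject_recipient: Optional[str] = None  # not set -> assumed to fall back to ACS location

    def default_acs(self) -> AcsEndpoint:
        """Exactly one ACS endpoint must be marked as default."""
        defaults = [e for e in self.acs_endpoints if e.default]
        if len(defaults) != 1:
            raise ValueError(f"expected exactly one default ACS endpoint, found {len(defaults)}")
        return defaults[0]


def resolve_acs(sp: ServiceProvider, requested_url: Optional[str] = None,
                requested_index: Optional[int] = None) -> AcsEndpoint:
    """Select the endpoint the assertion is delivered to.

    A requested index or URL is honoured only if it matches an endpoint
    registered for this SP; anything else is rejected instead of being used
    as a delivery address, so the assertion can only ever go to a location
    the SP registered. With no request value the default endpoint is used.
    """
    if requested_index is not None:
        for e in sp.acs_endpoints:
            if e.index == requested_index:
                return e
        raise ValueError(f"unknown ACS index {requested_index}")
    if requested_url is not None:
        for e in sp.acs_endpoints:
            if e.location == requested_url:
                return e
        raise ValueError(f"unregistered AssertionConsumerServiceURL {requested_url}")
    return sp.default_acs()


def resolve_response_params(sp: ServiceProvider, requested_url: Optional[str] = None,
                            requested_index: Optional[int] = None,
                            name_id_format: Optional[str] = None) -> dict:
    """Values the IdP would place in the Response/Assertion for this SP."""
    acs = resolve_acs(sp, requested_url, requested_index)
    return {
        "destination": acs.location,
        "binding": acs.binding,
        "audience": sp.audience or sp.entity_id,            # documented fallback
        "recipient": sp.subject_recipient or acs.location,  # assumed fallback
        "name_id_format": name_id_format or sp.default_name_id,
    }


# Constructed sample configuration; all values are placeholders.
SAMPLE_SP = ServiceProvider(
    entity_id="https://sp.example.test/saml/metadata",
    default_name_id="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    acs_endpoints=[
        AcsEndpoint("HTTP Post", "https://sp.example.test/saml/acs", 0, default=True),
        AcsEndpoint("HTTP Artifact", "https://sp.example.test/saml/artifact", 1),
    ],
)

if __name__ == "__main__":
    print(resolve_response_params(SAMPLE_SP))
    print(resolve_response_params(
        SAMPLE_SP, requested_index=1,
        name_id_format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"))
```

The rejection branches in `resolve_acs` are the part worth copying: a request that names an unknown index or URL fails closed rather than being used as the destination, which is the enforcement behind the "Subject Recipient" remark about intermediaries above.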

SLO Endpoints

Endpoints where log-out requests to the SP can be sent and received. Both parties can initiate an SLO request.

Binding: How the SLO request is provided to the Service Provider.
  • HTTP Post
  • HTTP Redirect
Location: URL of the endpoint where the log-out request is sent.
Response Location: URL where the log-out response is received from the SP.
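Most of the values in the General Settings, ACS Endpoints and SLO Endpoints tables (Entity ID, Signs Authentication Request, Encryption Method, Default Name ID, the ACS index/default flags and the SLO Response Location) come straight out of the SAML2 metadata the partner provides. The parser below is an added example, not IDHub's code: it reads such a metadata document and maps it onto the field names used on this page. The metadata is constructed for the example, the certificate contents are placeholders rather than real key material, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Added example, not IDHub's own code: maps SP metadata onto the fields above.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Binding URIs -> the binding names used in the IDHub tables.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP Post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "HTTP Artifact",
}

# Constructed sample metadata; certificates are placeholders, not real key material.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"
        ResponseLocation="https://sp.example.test/saml/slo/response"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _binding(uri):
    """Translate a binding URI; anything outside the supported set is rejected."""
    try:
        return BINDINGS[uri]
    except KeyError:
        raise ValueError(f"unsupported binding {uri}") from None


def parse_sp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    sso = root.find("md:SPSSODescriptor", NS)
    if sso is None:
        raise ValueError("metadata has no SPSSODescriptor")

    acs = [{
        "binding": _binding(e.get("Binding")),
        "location": e.get("Location"),
        "index": int(e.get("index")),
        "default": e.get("isDefault", "false") == "true",
    } for e in sso.findall("md:AssertionConsumerService", NS)]
    # Same rule as the Default field above: exactly one default ACS endpoint.
    if sum(e["default"] for e in acs) != 1:
        raise ValueError("exactly one ACS endpoint must be marked as default")

    slo = [{
        "binding": _binding(e.get("Binding")),
        "location": e.get("Location"),
        "response_location": e.get("ResponseLocation"),
    } for e in sso.findall("md:SingleLogoutService", NS)]

    encryption_method = None
    trust_certs = {}  # "Trust - Signing" / "Trust - Encryption" contexts from the table above
    for kd in sso.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing encryption")  # no 'use' attribute means both uses
        cert = (kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or "").strip()
        for u in use.split():
            trust_certs["Trust - " + u.capitalize()] = cert
        em = kd.find("md:EncryptionMethod", NS)
        if em is not None:
            encryption_method = em.get("Algorithm")

    return {
        "entity_id": root.get("entityID"),
        "signs_authentication_request": sso.get("AuthnRequestsSigned") == "true",
        "assertion_signed": sso.get("WantAssertionsSigned") == "true",
        "encryption_method": encryption_method,
        "default_name_id": sso.findtext("md:NameIDFormat", namespaces=NS),
        "trust_certificates": trust_certs,
        "acs_endpoints": acs,
        "slo_endpoints": slo,
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Two design points carry over to real use: an unknown binding URI or a metadata file with zero or several default ACS endpoints is an error rather than a best guess, and metadata received from a partner is untrusted input, so a production importer should use a hardened XML parser (for example defusedxml) instead of the standard-library one used here for brevity.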