Configure Service Providers that use the SAML (Security Assertion Markup Language) 2.0 Protocol.
These settings describe the behavior of the interaction between the Service Provider and IDHub (acting as IDP).
| Setting | Description |
|---|---|
| Display Name | User-defined name of the Service Provider. |
| Description | User-defined description of the Service Provider. |
| Authentication Scheme | Defines which IDP(s) can authenticate a user for this Service Provider, and how the user can authenticate. |
| Subject | Primary user attribute used to identify the user. |
| Entity ID | Uniquely identifies your SAML2 partner. The partner provides it if you want to use SAML2. |
| Signs Authentication Request | Indicates whether the Service Provider digitally signs the Authentication Request. |
| Response Signed | If set to true, the response from IDHub to the Service Provider is signed. |
| Assertion Signed | If set to true, the assertion from IDHub to the Service Provider is signed. |
| Assertion Encrypted | If set to true, the assertion from IDHub to the Service Provider is encrypted. |
| Encrypted Type | Defines which part of the assertion is encrypted. |
| Encryption Method | The algorithm used to encrypt the SAML responses sent to the Service Provider. This is the value of the Algorithm attribute of the EncryptionMethod element in the XML metadata provided by the Service Provider. |
| SLO Signed | If set to true, the logout request to or from the Service Provider is signed. |
| Default Name ID | The Name ID to use when a Service Provider does not provide a NameID format in the authentication request. |
| Include X509 Certificate | Includes the complete certificate in the signature. |
| Include X509 Alias | Includes the signing certificate alias in the signature. |
| Include PK Name | Includes the public key name in the signature. |
| Signature Method | Defines which algorithm is used to sign the assertion. |
| Audience | The Audience field is provided in an assertion and is used by the Service Provider to verify that the assertion is intended for it. This field allows IDHub to specify a specific Audience in the assertion for this Service Provider. If this value is not provided in IDHub, the Entity ID of the Service Provider is used. |
| Subject Recipient | Typically a URL (URI) specifying the location where the assertion is to be presented to the Service Provider. For example, this attribute might indicate that the assertion must be delivered to a particular network endpoint in order to prevent an intermediary from redirecting it elsewhere. |
| IDHub Entity ID | Overrides the unique identification of IDHub towards this Service Provider, instead of the default. |
Certificates are managed at Certificate Overview.
It is still possible to import certificates without needing to leave the Service Provider screen.
| Setting | Description |
|---|---|
| Context | Defines what the certificate is used for. |
| Certificate Alias | The alias of the certificate to use for this context. |
| Used From | Defines from when this certificate may be used. In some cases these periods may overlap for the same context (e.g. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Trust - Encryption, Key - TLS). |
| Used Until | Defines until when this certificate may be used. |
This is a list of endpoints to which Assertions can be sent (AssertionConsumingService).
| Setting | Description |
|---|---|
| Binding | How the Assertion is provided to the Service Provider. |
| Location | URL of the endpoint. |
| Index | Index of the endpoint (provided by the SP). |
| Default | Defines whether this is the default Assertion endpoint. |

Exactly one ACS endpoint must be marked as default. If the SP does not provide an AssertionConsumingService in the AuthnRequest, this ACS endpoint is used.
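The fallback rules described in the settings table and the ACS endpoint section (Audience falling back to the Entity ID, the NameID format falling back to Default Name ID, and the ACS endpoint chosen from the AuthnRequest index or the default) as an added Python example; this is not IDHub's own code, and the configuration keys, sample URLs and the minimal AuthnRequest are constructed assumptions.

```python
"""Resolve IDHub-style Service Provider settings into SAML 2.0 assertion fields.

Added example: config keys, URLs and the AuthnRequest are constructed, not IDHub data.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PROTO_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed Service Provider configuration mirroring the settings table above.
SP_CONFIG = {
    "entity_id": "https://sp.example.com/metadata",
    "audience": None,  # empty in IDHub: fall back to the SP Entity ID
    "subject_recipient": "https://sp.example.com/acs",
    "default_name_id": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "acs_endpoints": [
        {"binding": POST_BINDING, "location": "https://sp.example.com/acs", "index": 1, "default": True},
        {"binding": POST_BINDING, "location": "https://sp.example.com/acs-alt", "index": 2, "default": False},
    ],
}

def effective_audience(cfg):
    """Audience override if configured, otherwise the SP Entity ID."""
    return cfg["audience"] or cfg["entity_id"]

def select_acs(cfg, authn_request_xml):
    """Pick the ACS endpoint named by index in the AuthnRequest, else the single default."""
    defaults = [e for e in cfg["acs_endpoints"] if e["default"]]
    if len(defaults) != 1:
        raise ValueError("exactly one ACS endpoint must be marked as default")
    idx = ET.fromstring(authn_request_xml).get("AssertionConsumerServiceIndex")
    if idx is not None:
        for endpoint in cfg["acs_endpoints"]:
            if endpoint["index"] == int(idx):
                return endpoint
        raise ValueError(f"SP requested unknown ACS index {idx}")
    return defaults[0]

def name_id_format(cfg, authn_request_xml):
    """NameIDPolicy/@Format from the request, else the configured Default Name ID."""
    policy = ET.fromstring(authn_request_xml).find(f"{{{PROTO_NS}}}NameIDPolicy")
    fmt = policy.get("Format") if policy is not None else None
    return fmt or cfg["default_name_id"]

def build_conditions(cfg):
    """Build <Conditions><AudienceRestriction><Audience> with the effective audience."""
    cond = ET.Element(f"{{{SAML_NS}}}Conditions")
    restriction = ET.SubElement(cond, f"{{{SAML_NS}}}AudienceRestriction")
    ET.SubElement(restriction, f"{{{SAML_NS}}}Audience").text = effective_audience(cfg)
    return cond

# Constructed AuthnRequest carrying neither an ACS index nor a NameIDPolicy.
REQUEST = f'<samlp:AuthnRequest xmlns:samlp="{PROTO_NS}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>'
```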
Endpoints where logout requests to the SP can be sent and received. Both parties can initiate an SLO request.

| Setting | Description |
|---|---|
| Binding | How the SLO request is provided to the Service Provider. |
| Location | URL of the endpoint where the logout request is sent. |
| Response Location | URL where the logout response is received from the SP. |