Identity Provider Types: SAML2


Introduction

Configure Identity Providers that use the SAML (Security Assertion Markup Language) 2.0 protocol to authenticate and authorize users.

IDHub will act as a Service Provider when sending an Authentication Request to the Identity Provider.

General Settings

Display Name
    User-defined name of the Identity Provider.
URL
    Not used; strictly informational.
Description
    User-defined description of the Identity Provider.
Type
    "SAML2"
Subject
    Attribute that is used to identify the Subject.
Entity ID
    Uniquely identifies your SAML2 partner. The partner provides it when you set up SAML2 with them.
Authentication Request Signed
    Whether to digitally sign the Authentication Request. Requires a "Key - Signing" certificate to be added.
SSO Post Location
    Endpoint of the Identity Provider where the Authentication Request is sent.
SLO Signed
    Whether the SLO (Single Log-Out) request to the IDP is signed. Requires a "Key - Signing" certificate to be added.
Include X509 Certificate
    Includes the complete certificate in the signature.
Include X509 Alias
    Includes the signing certificate alias in the signature.
Include PK Alias
    Includes the public key name in the signature.
Signature Method
    Defines which algorithm is used to sign the Authentication Request.
Post Profile Template
    A template form used to execute some JavaScript (e.g. to log in) before accessing the Identity Provider.
Artifact Resolve Location
    Optional. In this alternative approach the Identity Provider makes the assertion available at this URL, and IDHub fetches the assertion from that location rather than receiving it via the client.
Audience
    The Audience field is provided in an assertion and is verified by IDHub. If the audience matches, the assertion can be accepted.
    If no value is provided, the SAML Entity ID (provided under "IDHub Entity ID") is used.
Subject Recipient
    Needs to correspond to the Subject Recipient in the assertion.
    If no value is provided, the Subject Recipient is not validated.
Assertion Consumer Service Index
    This value is filled in as the AssertionConsumerServiceIndex in an AuthenticationRequest.
    Context: currently IDHub functions as a single endpoint for all assertions, but in some cases one IDP serves multiple IDHub instances (e.g. ACC/PRD environments), which requires specifying an assertion endpoint via the index.
Add extensions to Authentication Request
    Adds the Extension elements to an Authentication Request.
IDHub Entity ID
    The Entity ID that identifies IDHub at the IDP. (Note: this replaces the previous general setting "SAML Entity ID".)

Certificates

Certificates are managed at Certificate Overview.

It is still possible to import certificates without needing to leave the Identity Provider screen.

Context
    Defines what the certificate is used for:
      • Key - Signing: Used to sign messages to the IDP
      • Key - Encryption: Used to decrypt the messages (assertions) sent from the IDP
      • Key - TLS: Used to initiate a secure connection (TLS) to the IDP
      • Trust - Signing: Used to verify the signature of messages sent by the IDP
      • Trust - TLS: Used to accept a secure connection (TLS) from the IDP
Certificate Alias
    The alias of the certificate to use for this context.
Used From
    Defines from when this certificate may be used. For some contexts these periods may overlap for the same context (e.g. during a certificate renewal), but for others they may never overlap (Key - Signing, Key - TLS).
Used Until
    Defines until when this certificate may be used.
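
The Used From / Used Until windows are where renewals go wrong: a Trust context may legitimately hold two overlapping certificates while the IDP rolls its key, but the Key - Signing and Key - TLS contexts may not. The following is an added example, not IDHub code, with constructed certificate entries: it selects the usable alias for a context on a given day and reports overlapping windows only for the contexts the table says may never overlap.

```python
"""Select the certificate for a context on a given day and flag validity windows that
overlap where the Certificates table says they never may (Key - Signing, Key - TLS).

Added example, not IDHub code. The certificate entries are constructed; context
names follow the Context field above.
"""
from datetime import date
from itertools import combinations

NO_OVERLAP_CONTEXTS = {"Key - Signing", "Key - TLS"}

# Constructed entries: used_until None means open-ended (no end date set).
CERTIFICATES = [
    {"alias": "idhub-sign-2023", "context": "Key - Signing",
     "used_from": "2023-01-01", "used_until": "2024-06-30"},
    {"alias": "idhub-sign-2024", "context": "Key - Signing",
     "used_from": "2024-07-01", "used_until": None},
    {"alias": "idp-sign-old", "context": "Trust - Signing",
     "used_from": "2023-01-01", "used_until": "2024-08-31"},
    {"alias": "idp-sign-new", "context": "Trust - Signing",
     "used_from": "2024-06-01", "used_until": None},
]


def _window(cert):
    """Inclusive (used_from, used_until) as dates; an open-ended end becomes date.max."""
    start = date.fromisoformat(cert["used_from"])
    end = date.fromisoformat(cert["used_until"]) if cert["used_until"] else date.max
    return start, end


def active_aliases(certs, context, on_day_iso):
    """Aliases usable for `context` on the given day (both window ends inclusive).

    Trust contexts may legitimately return more than one alias during a renewal.
    """
    day = date.fromisoformat(on_day_iso)
    return [c["alias"] for c in certs
            if c["context"] == context and _window(c)[0] <= day <= _window(c)[1]]


def overlap_violations(certs):
    """Pairs of aliases in the same no-overlap context whose windows intersect."""
    violations = []
    for a, b in combinations(certs, 2):
        if a["context"] != b["context"] or a["context"] not in NO_OVERLAP_CONTEXTS:
            continue
        a_start, a_end = _window(a)
        b_start, b_end = _window(b)
        if a_start <= b_end and b_start <= a_end:  # inclusive intersection
            violations.append((a["alias"], b["alias"]))
    return violations


if __name__ == "__main__":
    print(active_aliases(CERTIFICATES, "Trust - Signing", "2024-07-15"))
    print(overlap_violations(CERTIFICATES))
```

Running the overlap check before saving a certificate entry, or as a scheduled configuration audit, catches the case where a renewed signing key is added with a Used From date that precedes the old key's Used Until.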

SLO Endpoints

A list of endpoints where the SLO (Single Log-Out) requests can be sent.

Binding
    How the SLO Request is provided:
      • HTTP Post
      • HTTP Redirect
Location
    URL of the endpoint where the log-out request is sent.
Response Location
    URL where the log-out response is received from the IDP.

Attribute Consuming Services

Attribute Consuming Services define which set(s) of User Attributes are being requested from the Identity Provider.

This information is optional (if no Attribute Consuming Services are defined, all attributes are requested), but it is recommended for privacy reasons.

It is similar in functionality and purpose to "scopes" in OpenID Connect.

Index
    The numerical identifier of the Attribute Set. This index is included in the Authentication Request, so the individual attributes do not have to be specified there.
Service Name
    The name of the Attribute Consuming Service. If none is provided, the Attribute Set name is applied.
Attribute Set
    Select the attribute set (containing the attributes to be requested).
    Note: an attribute can belong to multiple Attribute Sets, and therefore also to multiple AttributeConsumingServices.
Default
    Once AttributeConsumingServices are defined in the Metadata, the default is applied if no AttributeConsumingServiceIndex is provided in the Authentication Request.
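
Several General Settings fields (IDHub Entity ID, SSO Post Location, Assertion Consumer Service Index) and the Attribute Consuming Services index all end up as attributes of the AuthnRequest IDHub sends. The following is an added example, not IDHub code, that assembles such a request from constructed settings; the SETTINGS keys are this example's own names for the page's fields, while the XML elements and attributes used (Issuer, Destination, AssertionConsumerServiceIndex, AssertionConsumerServiceURL, ProtocolBinding, AttributeConsumingServiceIndex, Extensions) are standard SAML 2.0 protocol items. It also models the Default rule above: an index is only emitted when one is chosen, and a separate helper shows which service the IDP then applies. XML signing (Authentication Request Signed) is not implemented here.

```python
"""Build a SAML 2.0 AuthnRequest from settings shaped like the General Settings and
Attribute Consuming Services tables.

Added example, not IDHub code. SETTINGS keys are this example's own names for the
page's fields; the XML attributes and elements are standard SAML 2.0 protocol items.
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed settings mirroring the page's fields.
SETTINGS = {
    "idhub_entity_id": "https://idhub.example.test/saml/metadata",
    "sso_post_location": "https://idp.example.test/sso/post",
    "assertion_consumer_service_index": 1,
    # Assumed field for this example, used only when no index is configured.
    "assertion_consumer_service_url": "https://idhub.example.test/saml/acs",
    "attribute_consuming_services": [
        {"index": 0, "service_name": "Basic profile", "default": True},
        {"index": 1, "service_name": "Extended profile", "default": False},
    ],
}


def effective_attribute_service(services, requested_index):
    """Service the IDP applies: the requested index if given, else the one marked Default.

    Returns None when nothing matches or no services are defined (all attributes requested).
    """
    if requested_index is not None:
        return next((s for s in services if s["index"] == requested_index), None)
    return next((s for s in services if s.get("default")), None)


def build_authn_request(settings, attribute_service_index=None, request_id=None,
                        issue_instant=None, extension_elements=()):
    """Return the AuthnRequest XML as a string."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest")
    # xs:ID must not start with a digit; an underscore-prefixed random token is customary.
    root.set("ID", request_id or "_" + secrets.token_hex(16))
    root.set("Version", "2.0")
    root.set("IssueInstant", issue_instant or
             datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    root.set("Destination", settings["sso_post_location"])

    acs_index = settings.get("assertion_consumer_service_index")
    if acs_index is not None:
        # The index selects one of the SP's metadata ACS endpoints; per SAML Core it is
        # mutually exclusive with AssertionConsumerServiceURL and ProtocolBinding.
        root.set("AssertionConsumerServiceIndex", str(acs_index))
    else:
        root.set("ProtocolBinding", HTTP_POST)
        root.set("AssertionConsumerServiceURL", settings["assertion_consumer_service_url"])

    # Only name an Attribute Consuming Service when one is chosen; otherwise the
    # IDP falls back to the service marked Default in the metadata.
    if attribute_service_index is not None:
        root.set("AttributeConsumingServiceIndex", str(attribute_service_index))

    # Issuer identifies IDHub at the IDP (the "IDHub Entity ID" field).
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = settings["idhub_entity_id"]
    # Extensions content is deployment-specific, so it is emitted only when supplied.
    if extension_elements:
        ET.SubElement(root, f"{{{SAMLP}}}Extensions").extend(extension_elements)

    return ET.tostring(root, encoding="unicode")


def request_summary(xml_text):
    """Parse a request back into its root attributes plus the Issuer text (for checks)."""
    root = ET.fromstring(xml_text)
    summary = dict(root.attrib)
    summary["Issuer"] = root.find(f"{{{SAML}}}Issuer").text
    return summary


if __name__ == "__main__":
    print(build_authn_request(SETTINGS, attribute_service_index=1))
```

The branch on the configured Assertion Consumer Service Index matters for the ACC/PRD case described under General Settings: with an index, the IDP resolves the endpoint from the SP metadata it holds for that index, so the assertion is routed to the right IDHub instance without a URL appearing in the request.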
