Configure Identity Providers that use the SAML (Security Assertion Markup Language) 2.0 Protocol to authenticate and authorize users.
IDHub will act as a Service Provider when sending an Authentication Request to the Identity Provider.
|Display Name||User defined name of the Identity Provider
|URL||Not used, strictly informational|
|Description||User defined description of the Identity Provider|
|Subject||Attribute that is used to identify the Subject|
|Entity ID||This uniquely identifies your SAML2 partner. It will be provided by the partner if you want to use SAML2
|Authentication Request Signed||This indicates whether to digitally sign the Authentication Request or not. This requires a "Key Signing" certificate to be added.
|SSO Post Location||EndPoint of the Identity Provider, where the Authentication Request is sent.|
||Defines if the SLO (Single Log Out) request to the IDP is signed. Requires a "Key Signing" certificate to be added.|
|Include X509 Certificate||Includes the complete certificate in the signature.
|Include X509 Alias||Includes the singing certificate alias in the signature
|Include PK Alias
||Includes the public key name in the signature.
|Signature Method||Define which algorithm is used to sign the Authentication Request.
|Artifact Resolve Location||Optional. In this alternative approach, Identity Provider will make the assertion available on this URL. IDHub will go to this location to get the assertion, rather than that the assertion is passed via the client.|
|Audience||The Audience field is provided in an assertion, and is verified by IDHub. If the audience matches, then the assertion can be accepted.
If no value is provided, the SAML Entity ID (provided under "IDHub Entity ID" is used).
|Subject Recipient||Needs to correspond to the Subject Recipient in the assertion.
If no value is provided, the Subject Recipient is not validated.
|Assertion consumer Service Index||
This value is filled in the AssertionConsumingServiceIndex in an AuthenticationRequest
Context: Currently IDHub functions as a singular endpoint for all assertions. But in some cases one IDP can serve multiple IDHub instances (eg. ACC/PRD environment) which requires us to specify an assertion endpoint (via the index).
|Add extensions to Authentication Request||Will add the Extension Elements to an Authentication request).
|IDHub Entity ID||The Entity ID that identifies IDHub at the IDP. (Note: this replaces a previous general setting "SAML Entity ID")|
Certificates are managed at Certificate Overview.
It is still possible to import certificates without needing to leave the Identity Provider screen.
|Context||Defines what the certificate is used for.
||The alias of the certificate to use for this context.
|Used From||Defines from when this certificate may be used. In some cases these periods may overlap for the same context (eg. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Key - TLS).
|Used Until||Defines until when this certificate may be used.
A list of endpoints where the SLO (Single Log-Out) requests can be sent.
|Binding||How the SLO Request is provided.
|Location||URL of the Endpoint where the log-out request is sent
|Response Location||URL where the Log-out response is received from the IDP.|
Attribute Consuming Services
Attribute Consuming Services define which set(s) of User Attributes are being requested from the Identity Provider.
This information is optional (if there are no Attribute Consuming Services defined: all attributes will be requested), but it's recommended for privacy reasons.
It is similar in functionality and purpose as "scopes" in OpenIDConnect
|Index||The numerical identifier of the Attribute Set. This index is included in the Authentication Request, without having to specify all the attributes.|
|Service Name||The name of the Attribute Consuming Service. If none is provided, the Attribute Set name is applied.
|Attribute Set||Select the attribute set (containing the attributes to be requested).
Note: an attribute can belong to multiple Attribute Sets, and therefore also multiple AttributeConsumingServices.
|Default||Once AttributeConsumingServices are defined in the Metadata, the default will be applied if no AttributeConsumingServicesIndex is provided in the Authentication Request.|