Skip to main content
Skip table of contents

SAML Service Provider


Configure Service Providers that use the SAML (Security Assertion Markup Language) 2.0 Protocol. 

General Settings

These settings describe the behavior of the interaction between the Service Provider and IDHub (acting as IDP). 



Display Name

User defined name of the Service Provider


Not used


User defined description of the Service Provider

Authentication Scheme

Defines which IDP(s) that can authenticate a user for this Service Provider, and how the user can authenticate.




Primary user attribute that is used to identify the user.

Entity ID

This uniquely identifies your SAML2 partner. It will be provided by the partner if you want to use SAML2

Signs Authentication Request

This indicates whether the Service Provider digitally signs the Authentication Request or not

Response Signed

If set to true, the response from the IDHub to the Service Provider will be signed

Assertion Signed

If set to true, the assertion from the IDHub to the Service Provider will be signed

Assertion Encrypted

If set to true, the assertion from the IDHub to the Service Provider will be encrypted

Encrypted Type

Defines which part of the assertion is encrypted:

  • ASSERTION: The complete assertion is encrypted

  • NAMEID: Encrypts only the Name ID (subject) value in the assertion

  • ATTRIBUTES: Encrypts all the User Attributes in the assertion.

Encryption Method

The algorithm used to encrypt the SAML responses send to the Service Provider. This is specified in the EncryptionMethod in the Algorithm attribute in the XML meta data provided by the Service Provider.

SLO Signed

If set to true, the logout request to or from the Service Provider is signed

Default Name ID

The Name ID to use when a Service Provider does not provide a name id format in the authentication request

Include X509 Certificate

Includes the complete certificate in the signature.

Include X509 Alias

Includes the singing certificate alias  in the signature

Include PK Name

Includes the public key name in the signature.

Signature Method

Define which algorithm is used to sign the assertion.

Post Profile Template

A template form that is used to execute some javascript (eg. to log in) before accessing the service provider


The Audience field is provided in an assertion, and is used by the Service Provider to verify if this Assertion is intended for him. This field allows for IDHub to specify a specific Audience in the assertion for this Service Provider.
If this value is not provided in IDHub, the Entity ID of the Service Provider is filled in.   

Subject Recipient

Typically an URL (URI) specifying the location where to present the assertion to the Service Provider.
For example, this attribute might indicate that the assertion must be delivered to a particular network endpoint in order to prevent an intermediary from redirecting it someplace else.

IDHub Entity ID

Overrides the unique identification for IDHub to that Service Provider, instead of the default.

Time to live

Defines how long the provide Assertion will be valid

Digest Algorithm

Defines which Digest algorithm is used to calculate the hash value that is passed as the "DigestValue" in the assertion.  This value can be used by the SP to validate the assertion.

Certificate Settings

Certificates are managed at Certificate Overview

It is still possible to import certificates without needing to leave the Service Provider screen.




Defines what the certificate is used for.

  • Key - Signing: Used to sign messages to the SP

  • Key - Encryption: Used to decrypt the messages sent from the SP

  • Key - TLS: Used to initiate a secure connection (TLS) to the SP

  • Trust - Signing: Used to verify the signature of messages sent by the SP

  • Trust - Encryption: Used to encrypt the messages sent to the SP

  • Trust - TLS: Used to accept a secure connection (TLS) from the SP

Certificate Alias

The alias of the certificate to use for this context.

Used From

Defines from when this certificate may be used. In some cases these periods may overlap for the same context (eg. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Trust - Encryption, Key - TLS).  

Used Until

Defines until when this certificate may be used.

ACS Endpoints

This is a list of endpoints to which Assertions can be sent (AssertionConsumingService).




How the Assertion is provided to the Service Provider.  

  • HTTP Post

  • HTTP Redirect

  • HTTP Artifact


URL of the Endpoint


Index of the Endpoint (provided by the SP)


Defines if this is the default Assertion Endpoint.
Exactly one ACS Endpoint must be marked as default.
If the SP doesn't provide an AssertionConsumingService in the AssertionRequest, this ACS endpoint will be used.

SLO Endpoints

Endpoints where Log-out requests to the SP can be sent and received.   Both parties can initiate an SLO request.




How the SLO Request is provided to the Service Provider.  

  • HTTP Post

  • HTTP Redirect


URL of the Endpoint where the log-out request is sent

Response Location

URL where the Log-out response is received from the SP.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.