SAML Service Provider
Configure Service Providers that use the SAML (Security Assertion Markup Language) 2.0 Protocol.
General Settings
These settings describe the behavior of the interaction between the Service Provider and IDHub (acting as IDP).
Field | Description |
---|---|
Display Name | User defined name of the Service Provider |
URL | Not used |
Description | User defined description of the Service Provider |
Authentication Scheme | Defines which IDP(s) can authenticate a user for this Service Provider, and how the user can authenticate. |
Type | "SAML2" |
Subject | Primary user attribute that is used to identify the user. |
Entity ID | This uniquely identifies your SAML2 partner. It will be provided by the partner if you want to use SAML2. |
Signs Authentication Request | This indicates whether the Service Provider digitally signs the Authentication Request or not |
Response Signed | If set to true, the response from the IDHub to the Service Provider will be signed |
Assertion Signed | If set to true, the assertion from the IDHub to the Service Provider will be signed |
Assertion Encrypted | If set to true, the assertion from the IDHub to the Service Provider will be encrypted |
Encrypted Type | Defines which part of the assertion is encrypted. |
Encryption Method | The algorithm used to encrypt the SAML responses sent to the Service Provider. This is specified in the Algorithm attribute of the EncryptionMethod element in the XML metadata provided by the Service Provider. |
SLO Signed | If set to true, the logout request to or from the Service Provider is signed |
Default Name ID | The Name ID to use when a Service Provider does not provide a name id format in the authentication request |
Include X509 Certificate | Includes the complete certificate in the signature. |
Include X509 Alias | Includes the signing certificate alias in the signature. |
Include PK Name | Includes the public key name in the signature. |
Signature Method | Define which algorithm is used to sign the assertion. |
Post Profile Template | A template form that is used to execute some JavaScript (e.g. to log in) before accessing the Service Provider. |
Audience | The Audience field is provided in an assertion and is used by the Service Provider to verify that the Assertion is intended for it. This field allows IDHub to specify a specific Audience in the assertion for this Service Provider. |
Subject Recipient | Typically a URL (URI) specifying the location where the assertion is to be presented to the Service Provider. |
IDHub Entity ID | Overrides the unique identification for IDHub to that Service Provider, instead of the default. |
Time to live | Defines how long the provided Assertion will be valid. |
Digest Algorithm | Defines which Digest algorithm is used to calculate the hash value that is passed as the "DigestValue" in the assertion. This value can be used by the SP to validate the assertion. |
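As an added example (not IDHub's own code), the following Python script shows the checks a Service Provider performs on a received assertion against the values configured above: Issuer against the IDHub Entity ID, Audience, Subject Recipient, the Time to live window, and the presence of a signature when Assertion Signed is set. The assertion, entity IDs and URLs are constructed placeholders; verifying the XML signature itself is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion (placeholder ID, entity IDs and URLs, not from a real deployment).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_placeholder" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idhub.example/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# The SP's view of the General Settings above (constructed values): Entity ID, Subject Recipient,
# IDHub Entity ID and the Assertion Signed flag.
SAMPLE_SP = {"entity_id": "https://sp.example", "recipient": "https://sp.example/acs",
             "idp_entity_id": "https://idhub.example/idp", "assertion_signed": True}

def ts(s):
    """Parse the UTC timestamp format used in SAML time attributes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, sp, now):
    """Return the list of mismatches between the assertion and the SP settings (empty = accepted)."""
    a = ET.fromstring(xml_text)
    problems = []
    if a.findtext("saml:Issuer", namespaces=NS) != sp["idp_entity_id"]:
        problems.append("issuer mismatch")
    # Presence check only: the XML-DSig must be verified cryptographically with a proper library.
    if sp["assertion_signed"] and a.find("ds:Signature", NS) is None:
        problems.append("assertion not signed")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp["entity_id"]:
        problems.append("audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["recipient"]:
        problems.append("recipient mismatch")
    cond = a.find("saml:Conditions", NS)  # NotBefore/NotOnOrAfter is the Time to live window
    if cond is None or not (ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))):
        problems.append("outside validity window (Time to live)")
    return problems
```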
Certificate Settings
It is still possible to import certificates without needing to leave the Service Provider screen.
Field | Description |
---|---|
Context | Defines what the certificate is used for. |
Certificate Alias | The alias of the certificate to use for this context. |
Used From | Defines from when this certificate may be used. In some cases these periods may overlap for the same context (e.g. during a certificate renewal), but in other cases they may never overlap (Key - Signing, Trust - Encryption, Key - TLS). |
Used Until | Defines until when this certificate may be used. |
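The following Python check, added here and not part of IDHub, applies the rule in the Used From / Used Until description: it reports certificates whose validity windows intersect within a context the text says may never overlap (Key - Signing, Trust - Encryption, Key - TLS) and ignores overlaps in other contexts, such as a renewal period. The aliases, dates and the extra context name in the sample are constructed, and treating Used Until as inclusive is an assumption.

```python
from datetime import date
from itertools import combinations

# Contexts the Certificate Settings text says may never overlap; other contexts may (e.g. a renewal).
NO_OVERLAP_CONTEXTS = {"Key - Signing", "Trust - Encryption", "Key - TLS"}

def overlapping_certificates(certs):
    """certs: dicts with context, alias, used_from (date) and used_until (date, or None = open-ended).
    Returns (context, alias_a, alias_b) for every pair in a no-overlap context whose windows intersect.
    Assumption: Used From and Used Until are both inclusive, so a shared boundary day counts as overlap."""
    by_context = {}
    for cert in certs:
        by_context.setdefault(cert["context"], []).append(cert)
    clashes = []
    for context, items in by_context.items():
        if context not in NO_OVERLAP_CONTEXTS:
            continue  # overlap is permitted here (e.g. during renewal)
        items.sort(key=lambda c: c["used_from"])
        for a, b in combinations(items, 2):
            a_end = a["used_until"] or date.max
            b_end = b["used_until"] or date.max
            # Two inclusive intervals intersect when each starts no later than the other ends.
            if a["used_from"] <= b_end and b["used_from"] <= a_end:
                clashes.append((context, a["alias"], b["alias"]))
    return clashes

# Constructed sample: a signing-key renewal that shares its boundary day (a clash), an encryption
# trust certificate with nothing to overlap, and an overlap in a hypothetical context name
# ("Trust - Signing", not taken from the page) that the rule does not forbid.
SAMPLE_CERTS = [
    {"context": "Key - Signing", "alias": "sign-2023", "used_from": date(2023, 1, 1), "used_until": date(2024, 1, 1)},
    {"context": "Key - Signing", "alias": "sign-2024", "used_from": date(2024, 1, 1), "used_until": None},
    {"context": "Trust - Encryption", "alias": "enc-sp", "used_from": date(2023, 6, 1), "used_until": None},
    {"context": "Trust - Signing", "alias": "sp-sign-old", "used_from": date(2023, 1, 1), "used_until": date(2024, 3, 1)},
    {"context": "Trust - Signing", "alias": "sp-sign-new", "used_from": date(2024, 1, 1), "used_until": None},
]
```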
ACS Endpoints
This is a list of endpoints to which Assertions can be sent (AssertionConsumerService).
Field | Description |
---|---|
Binding | How the Assertion is provided to the Service Provider. |
Location | URL of the Endpoint |
Index | Index of the Endpoint (provided by the SP) |
Default | Defines if this is the default Assertion Endpoint. |
SLO Endpoints
Endpoints where Log-out requests to the SP can be sent and received. Both parties can initiate an SLO request.
Field | Description |
---|---|
Binding | How the SLO Request is provided to the Service Provider. |
Location | URL of the Endpoint where the log-out request is sent |
Response Location | URL where the Log-out response is received from the SP. |
What is IDP Push
An IDP Push is an Identity Provider initiated Single Sign-On.
Where the normal authentication flow is initiated by an Authentication Request from the Service Provider, this is the opposite: the authentication is started by the Identity Provider, which provides an Assertion.
The assertion may or may not contain a relayState or redirect_uri (the Service Provider to which the assertion is to be presented).
When TrustBuilder receives an IDP-initiated assertion which does not contain a relayState/redirect_uri and cannot be linked to an SP request, the user will be directed to the Application Catalog.
Endpoint → GET idhub/authenticate/push
This is an endpoint that can be used to trigger an "IDP push" from IDHub to a SAML Service Provider.
Parameters:
Parameter | Description |
---|---|
entityId | Required. |
relayState | Optional. Can be used to indicate to the SAML SP to what URL the user has to be redirected. |
authenticationContext | Optional. |
comparison | Optional. |
forceAuthentication | Optional. |