SAML Identity Provider
The introduction of protocol agnostic authenticators also includes new updates to SAML Identity Providers in PAS 5.1. Old configurations will still work, but not have access to these new features.
Things that previously required additional configuration are now available straight out of the box, including the following:
- SAML Logout / SLO
- SAML SignMessage display
- SAML SSO
To get started, simply follow the "SAML Identity Provider" guide scenario in the configuration manager, under the "Federation" tab. There, you will input the base URL of your PAS server, the internal IDP ID, and some more minor configuration to get your identity provider going. The resulting configuration based on your base URL and internal ID will be the following:
- Entity ID: <base-url>/authentication/saml/<internal-idp-id>
- postSSOURL / redirectSSOURL: <base-url>/authentication/saml/<internal-idp-id>/login
- postSLOURL / redirectSLOURL: <base-url>/authentication/saml/<internal-idp-id>/logout
- Metadata endpoint: <base-url>/authentication/saml/<internal-idp-id>/meta
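As an added example (not part of the PAS documentation or product), the following Python derives the four URLs above from a base URL and internal IDP ID and checks that an IdP's published metadata actually advertises them for both the HTTP-POST and HTTP-Redirect bindings. The sample metadata is constructed for the example and is not real PAS output; the hostname and IDP ID are assumed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def expected_endpoints(base_url: str, internal_idp_id: str) -> dict:
    """Derive the URLs PAS 5.1 assigns to an IdP from its base URL and internal IDP ID."""
    root = f"{base_url.rstrip('/')}/authentication/saml/{internal_idp_id}"
    return {"entity_id": root, "sso": f"{root}/login",
            "slo": f"{root}/logout", "metadata": f"{root}/meta"}


def check_idp_metadata(metadata_xml: str, base_url: str, internal_idp_id: str) -> list:
    """Compare published metadata with the expected endpoints; returns mismatches ([] == OK)."""
    exp = expected_endpoints(base_url, internal_idp_id)
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != exp["entity_id"]:
        problems.append(f"entityID {root.get('entityID')!r} != {exp['entity_id']!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor in metadata"]
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        # Both the POST and the Redirect binding must point at the derived URL.
        found = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}
        for binding in (POST, REDIRECT):
            if found.get(binding) != exp[key]:
                problems.append(
                    f"{tag} {binding.rsplit(':', 1)[-1]}: {found.get(binding)!r} != {exp[key]!r}")
    return problems


# Constructed sample metadata (not real PAS output): the SLO Redirect endpoint is missing.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pas.example.com/authentication/saml/idp1">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pas.example.com/authentication/saml/idp1/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pas.example.com/authentication/saml/idp1/login"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pas.example.com/authentication/saml/idp1/logout"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE_METADATA, "https://pas.example.com", "idp1"):
        print("MISMATCH:", problem)
```

Running it against the constructed sample reports the single missing SLO Redirect endpoint; against a live deployment you would feed it the document fetched from the metadata endpoint.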
You will also choose an authenticator that will be executed at the login endpoint. This is usually an AgnosticDispatcher or AgnosticAuthSelector that can direct the flows further, depending on your needs. New SAML Identity Providers also allow assertion profiles to be set, which are configured directly on the IDP. The settings are equivalent to those on the AssertionProvider valve, but can ease the configuration quite a bit. Assertion profiles are only used if no assertion is present already, so you are still free to use the AssertionProvider valve. The new IDP may also run a pipe that is executed after the authenticator, if desired. The pipe run by the identity provider has access to the same item as the authenticator's pipe, so you do not need to populate the item from scratch.
In the new SAML Identity Providers, there is no need to resolve SAML request properties for authenticator flow direction as in PAS 4.7; this is done automatically once per AuthnRequest. The result is then loaded into the "context" property that is available at the AgnosticDispatcher. If a SAML AuthnRequest contains a SignMessage, it is always displayed before proceeding to authentication. If the request contains a SignMessage, AssertionProviders will add a SignMessageDigest attribute. The "comparePrincipal" property on an AssertionProvider (now also available in your assertion profiles) still works as before, even without "resolveSAMLRequestProperties" being set anywhere.
These are the new configuration properties for SAML Identity Providers:
- strictValidation -- A set of additional validation checks run on incoming SAML AuthnRequests. In the old identity providers, this option was set at authenticator level.
- sendSAMLResponseOnError -- Whether fatal errors should result in a SAMLResponse containing the error status. In the old identity providers, this option was set at authenticator level.
- allowUnsolicited -- Whether or not to allow unsolicited requests.
- authenticatorId -- The ID or alias of the authenticator to execute at the login endpoint.
- allowSSO -- Whether or not SSO should be attempted at this identity provider. Read more about SSO in protocol agnostic authenticators before proceeding.
- pipeId -- The ID of a pipe to run after the authenticator, before returning a result.
- requireSignedLogoutRequest -- Whether or not the IDP should require incoming LogoutRequests to be signed. Default is true.
- requireSignedLogoutResponse -- Whether or not the IDP should require incoming LogoutResponses to be signed. Default is true.
- assertionProfiles -- An array of profiles used to provide assertions upon successful authentication.
- useGlobalLogout -- Whether global logout according to the SAML SLO specification should be used. Default is false, but you may opt in by setting this to true, so that the logout also propagates to other SLO-enabled SPs that have a session at the IdP.
A more complete description of all configuration parameters, and a detailed description of how to configure assertionProfiles is available here.