SAMLHeadlessSSO
Warning
This authenticator is a legacy authenticator. Plan to migrate it to the new protocol-agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
SSO authenticator that creates an assertion based on the current session. Note: If the parameter "resolveSAMLRequestProperties" is set to true (either here or earlier in the flow), the SAML request properties "isPassive" and "forceAuthn" affect the behavior of this authenticator.
Properties
Name | Description | Default value | Mandatory |
---|---|---|---|
idpID | ID of IdP configuration to use | | YES |
pipeID | ID of pipe creating assertion | | YES |
authURL | URL to redirect to if no session exists. | | YES |
sendSAMLResponseOnError | Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. | false | NO |
strictValidation | Whether or not additional validation checks should be made on the SAMLRequest | false | NO |
resolveSAMLRequestProperties | Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. | false | NO |
Example Configuration
// AUTHENTICATORS
{
  "id": "auth_sso_01",
  "alias": "auth_sso_01",
  "name": "SAMLHeadlessSSO",
  "displayName": "SSO",
  "configuration": {
    "idpID": "c133328c-0823-4368-9045-9a0a8ddc52c",
    "pipeID": "auth_sso_pipe",
    "authURL": "https://host/saml/authenticate/idp"
  }
}
// PIPES
{
  "id" : "auth_sso_pipe",
  "description" : "Pipe for SAML SSO",
  "name" : "Pipe for SAML SSO",
  "enabled" : "true",
  "config" : { },
  "valves" : [
    {
      "name" : "SessionLoadValve",
      "config" : {
        "id" : "{{request.session_id}}"
      }
    }, {
      "name" : "ItemCreateValve",
      "config" : {
        "dest_id" : "{{session.user_id}}"
      }
    }, {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "uid",
        "value" : "{{session.user_id}}"
      }
    }, {
      "name" : "PropertyAddValve",
      "config" : {
        "name" : "mail",
        "value" : "dummy@test.org"
      }
    }, {
      "name" : "AssertionProvider",
      "enabled" : "true",
      "config" : {
        "targetEntityID" : "c133328c-0823-4368-9045-9a0a8ddc52c",
        "nameIDAttribute" : "uid",
        "additionalAttributes" : "mail"
      }
    } ]
}
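A configuration review check for the properties and example above, added here as an illustration and not part of the product or its documentation. It checks the mandatory properties, the `authURL` scheme, the `strictValidation` setting, that `pipeID` resolves to a pipe containing an `AssertionProvider`, and whether a released attribute is a hard-coded value. The names `lint` and `is_true`, the Python-dict form of the configuration, and the comma-separated reading of `additionalAttributes` are assumptions.

```python
from urllib.parse import urlparse

MANDATORY = ("idpID", "pipeID", "authURL")  # rows marked Mandatory: YES in the table

def is_true(value):
    # The page's sample writes booleans as strings ("true"); accept both forms.
    return str(value).lower() == "true"

def lint(authenticator, pipes):
    """Return review findings for one SAMLHeadlessSSO authenticator entry."""
    cfg = authenticator.get("configuration", {})
    findings = [f"missing mandatory property {k}" for k in MANDATORY if not cfg.get(k)]
    if cfg.get("authURL") and urlparse(cfg["authURL"]).scheme != "https":
        findings.append("authURL is not https")
    if not is_true(cfg.get("strictValidation", "false")):  # documented default: false
        findings.append("strictValidation is false: no additional SAMLRequest validation")
    pipe = next((p for p in pipes if p.get("id") == cfg.get("pipeID")), None)
    if pipe is None:
        return findings + ["pipeID does not match any defined pipe"]
    if "enabled" in pipe and not is_true(pipe["enabled"]):
        findings.append("assertion pipe is disabled")
    valves = pipe.get("valves", [])
    providers = [v for v in valves if v.get("name") == "AssertionProvider"]
    if not providers:
        return findings + ["pipe has no AssertionProvider valve"]
    released = set()
    for p in providers:
        conf = p.get("config", {})
        released.add(conf.get("nameIDAttribute"))
        # Assumption: additionalAttributes is a comma-separated list of names.
        released.update(a.strip() for a in conf.get("additionalAttributes", "").split(","))
    for v in valves:
        conf = v.get("config", {})
        if (v.get("name") == "PropertyAddValve" and conf.get("name") in released
                and "{{" not in conf.get("value", "")):
            findings.append(f"attribute {conf['name']} is a static value for every user")
    return findings

# Constructed sample mirroring the page's example configuration (valves trimmed).
SAMPLE_AUTH = {"id": "auth_sso_01", "name": "SAMLHeadlessSSO", "configuration": {
    "idpID": "c133328c-0823-4368-9045-9a0a8ddc52c", "pipeID": "auth_sso_pipe",
    "authURL": "https://host/saml/authenticate/idp"}}
SAMPLE_PIPE = {"id": "auth_sso_pipe", "enabled": "true", "valves": [
    {"name": "PropertyAddValve", "config": {"name": "uid", "value": "{{session.user_id}}"}},
    {"name": "PropertyAddValve", "config": {"name": "mail", "value": "dummy@test.org"}},
    {"name": "AssertionProvider", "config": {"nameIDAttribute": "uid",
                                             "additionalAttributes": "mail"}}]}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_AUTH, [SAMPLE_PIPE])))
```

Run against the page's example, it reports that `strictValidation` is left at its default and that `mail` is the same literal in every assertion.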