SPBroker
Note
This authenticator delegates authentication to a trusted SAML IdP (internal or external). Acting as the configured Service Provider, it sends a SAML AuthnRequest to that IdP, validates the assertion that comes back, and then hands the assertion to the configured pipe for consumption.
Properties
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| sp | Internal ID of the Service Provider the request is sent as. Must match the id of a SAML Service Provider configured under Advanced->SAML Service Provider. | N/A | Yes |
| targetIDP | ID of the SAMLMETA IdP entity in the metadata store to authenticate against. This is the external IdP the browser is redirected to. | N/A | Yes |
| addsignature | Sign the AuthnRequest sent to the external IdP (true/false). Keep this enabled whenever the IdP can validate signed requests; an unsigned request can be modified on its way through the browser. | true | No |
| pipeID | ID of the pipe that processes the incoming assertion once it has been validated. | N/A | Yes |
| discoveryUrl | If IdP discovery is used, the URL of the discovery service. | N/A | No |
| cancelUrl | URL the browser is redirected to when the user cancels the authentication. | N/A | No |
| requestedAuthnContext | Value of the AuthnContextClassRef inside RequestedAuthnContext in the AuthnRequest (EXPANDABLE). | N/A | No |
| setAcsIndexBasedOnRequestIssuer | Set AttributeConsumingServiceIndex in the AuthnRequest from the issuer-to-index mapping in the SP configuration (the issuers list of each attributeConsumingServices entry). | false | No |
| acsUrlOverride | ACS URL to put in the AuthnRequest. By default the current URL is used (it differs per protocol entry point and per SAML IdP); this option replaces it. The value must be an ACS URL the external IdP accepts for this SP, i.e. one of the SP's assertionConsumerServiceUrls. | N/A | No |
| signMessage | SignMessage element to include in the AuthnRequest (EXPANDABLE). | N/A | No |
| principalSelection | PrincipalSelection to include in the AuthnRequest, given as a list of name/value pairs (EXPANDABLE). | N/A | No |
Example Configuration
{
  "id": "spbroker",
  "alias": "spbroker",
  "name": "SPBroker",
  "displayName": "Broker",
  "configuration": {
    "sp": "spbroker",
    "pipeID": "pipeAssertionConsumer",
    "targetIDP": "https://external_idp/idp",
    "addsignature": "false",
    "requestedAuthnContext": "{{session.userSource}}",
    "principalSelection": [ {
      "name": "uid",
      "value": "{{session.user_id}}"
    } ]
  }
}
Example Service Provider configuration
{
  "id" : "spbroker",
  "name" : "SAML Service provider",
  "keystoreSign" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
  "keystoreEncrypt" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
  "entityID" : "https://localhost:8443/samlsp/spbroker",
  "baseURL" : "https://localhost:8443",
  "wantsAuthnRequestsSigned" : "true",
  "assertionConsumerServiceUrls" : [
    "https://localhost:8443/authentication/oidc/my_oidc_op_id_2/login",
    "https://localhost:8443/authentication/saml/mysamlidp2dec7/login"
  ],
  "attributeConsumingServices" : [ {
    "index" : "0",
    "default" : "true",
    "issuers" : [ "SPEntityId1", "SPEntityId2" ],
    "serviceNames" : [ {
      "name" : "TestSP utan HSA-uppslag",
      "lang" : "sv"
    } ],
    "requestedAttributes" : [ {
      "name" : "urn:sambi:names:attribute:levelOfAssurance",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "levelOfAssurance"
    } ]
  }, {
    "index" : "1",
    "default" : "false",
    "issuers" : [ "broker", "TestSPEntityId4" ],
    "serviceNames" : [ {
      "name" : "TestSP med HSA-uppslag",
      "lang" : "sv"
    }, {
      "name" : "TestSP with HSA-query",
      "lang" : "en"
    } ],
    "requestedAttributes" : [ {
      "name" : "urn:sambi:names:attribute:levelOfAssurance",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "levelOfAssurance"
    }, {
      "name" : "http://sambi.se/attributes/1/givenName",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "givenName",
      "isRequired" : "true"
    }, {
      "name" : "http://sambi.se/attributes/1/systemRole",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "systemRole"
    } ]
  } ],
  "created" : "2023-12-08T10:01:52.316Z"
}
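How the two configurations above combine into the outgoing AuthnRequest, shown as an added example in Python. This is not the product's code: the IdP's SSO endpoint is taken directly from targetIDP instead of being resolved from the stored SAMLMETA entity, the {{session.*}} expansion is a minimal stand-in for the product's EXPANDABLE syntax, the PrincipalSelection namespace is assumed (verify it against the external IdP's specification), request signing (addsignature) is left out, and the session values are constructed for the example. It does show the two checks a practitioner cares about: the ACS URL placed in the request must be one of the SP's registered assertionConsumerServiceUrls, and AttributeConsumingServiceIndex is chosen from the issuers mapping when setAcsIndexBasedOnRequestIssuer is true.

```python
import re
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed namespace of the PrincipalSelection extension; confirm with the IdP.
PSC = "http://id.swedenconnect.se/authn/1.0/principal-selection/ns"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("psc", PSC)

# Values taken from the page's examples (setAcsIndexBasedOnRequestIssuer enabled here).
AUTHENTICATOR = {
    "sp": "spbroker",
    "pipeID": "pipeAssertionConsumer",
    "targetIDP": "https://external_idp/idp",
    "addsignature": "false",
    "requestedAuthnContext": "{{session.userSource}}",
    "setAcsIndexBasedOnRequestIssuer": "true",
    "principalSelection": [{"name": "uid", "value": "{{session.user_id}}"}],
}
SERVICE_PROVIDER = {
    "entityID": "https://localhost:8443/samlsp/spbroker",
    "assertionConsumerServiceUrls": [
        "https://localhost:8443/authentication/oidc/my_oidc_op_id_2/login",
        "https://localhost:8443/authentication/saml/mysamlidp2dec7/login",
    ],
    "attributeConsumingServices": [
        {"index": "0", "default": "true", "issuers": ["SPEntityId1", "SPEntityId2"]},
        {"index": "1", "default": "false", "issuers": ["broker", "TestSPEntityId4"]},
    ],
}
# Constructed session values standing in for the product's session store.
SESSION = {
    "userSource": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "user_id": "alice",
}


def expand(value, session):
    """Stand-in for EXPANDABLE values: replaces {{session.key}} with the session value."""
    def repl(match):
        key = match.group(1)
        if key not in session:
            raise KeyError(f"session value {key!r} is not set")
        return session[key]
    return re.sub(r"\{\{\s*session\.(\w+)\s*\}\}", repl, value)


def is_true(value):
    return str(value).lower() == "true"


def select_acs_url(auth_cfg, sp_cfg, current_url):
    """acsUrlOverride wins over the current URL; either must be a registered ACS URL."""
    url = auth_cfg.get("acsUrlOverride") or current_url
    if url not in sp_cfg["assertionConsumerServiceUrls"]:
        raise ValueError(f"ACS URL {url!r} is not registered on SP {sp_cfg['entityID']}")
    return url


def select_acs_index(auth_cfg, sp_cfg, request_issuer):
    """AttributeConsumingServiceIndex for the issuer of the request being brokered,
    or None when setAcsIndexBasedOnRequestIssuer is off. Unmapped issuers fall
    back to the SP's default service (an assumption of this example)."""
    if not is_true(auth_cfg.get("setAcsIndexBasedOnRequestIssuer", "false")):
        return None
    services = sp_cfg["attributeConsumingServices"]
    for svc in services:
        if request_issuer in svc["issuers"]:
            return svc["index"]
    for svc in services:
        if is_true(svc.get("default")):
            return svc["index"]
    return None


def build_authn_request(auth_cfg, sp_cfg, session, current_url, request_issuer):
    """Return the (unsigned) AuthnRequest XML the SPBroker configuration describes."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": auth_cfg["targetIDP"],  # assumed to be the IdP's SSO URL here
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": select_acs_url(auth_cfg, sp_cfg, current_url),
    })
    index = select_acs_index(auth_cfg, sp_cfg, request_issuer)
    if index is not None:
        req.set("AttributeConsumingServiceIndex", index)
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_cfg["entityID"]
    # PrincipalSelection travels in Extensions, one MatchValue per configured pair.
    if auth_cfg.get("principalSelection"):
        ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
        ps = ET.SubElement(ext, f"{{{PSC}}}PrincipalSelection")
        for entry in auth_cfg["principalSelection"]:
            mv = ET.SubElement(ps, f"{{{PSC}}}MatchValue", {"Name": entry["name"]})
            mv.text = expand(entry["value"], session)
    if auth_cfg.get("requestedAuthnContext"):
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ref = ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef")
        ref.text = expand(auth_cfg["requestedAuthnContext"], session)
    # addsignature would wrap this in an XML-DSig Signature; omitted in this example.
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    acs = SERVICE_PROVIDER["assertionConsumerServiceUrls"][1]
    print(build_authn_request(AUTHENTICATOR, SERVICE_PROVIDER, SESSION, acs, "broker"))
```

With the request issuer "broker" the function picks index 1 from the SP's attributeConsumingServices, and a current URL that is not one of the registered ACS URLs is rejected before any request is built.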
Requirements
A SAML Service Provider entity defined under Advanced->SAML Service Provider, whose id is referenced by the sp property.