OIDCToSAMLBroker
Warning
This authenticator is a legacy authenticator. It is recommended to plan for migrating to the new protocol-agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
Used to broker between protocols, also known as "token translation". The calling client uses OIDC; the request is translated into a SAML authentication request and forwarded to the configured SAML IDP for authentication. After successful SAML authentication the returned assertion is validated and translated into an OIDC response so that the calling client can understand it.
Note that consent is not handled by this authenticator. It has to be handled on the SAML IDP side.
Properties
Name | Description | Default value | Mandatory |
---|---|---|---|
sp | The internal SAML service provider ID. This is the SP exposed to the SAML IDP | N/A | Yes |
pipeIDAssertionConsume | ID of the pipe that consumes and validates the SAML assertion returned by the IDP | N/A | Yes |
targetIDP | The entity ID of the SAML IDP to send the authentication request to | N/A | Yes |
binding | SAML binding the IDP should use when sending back the assertion | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | No |
addsignature | Whether the authentication request sent to the SAML IDP should be signed | true | No |
entityID | The entity ID of the internal SAML SP | N/A | Yes |
authMethod | Authentication context class (AuthnContextClassRef) expected in the returned assertion; used to verify that the correct authentication method was used at the SAML IDP | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | No |
cancelUrl | Where to redirect the browser after a cancelled authentication | N/A | No |
paramsToForward | Comma-separated string ("param1,param2,param3") naming the parameters of the original request that should be forwarded with the SAMLRequest. Used for e.g. SAML Dispatch | N/A | No |
useSessionManagement | Whether or not to return session_state | false | No |
requestedAuthnContext | Value of RequestedAuthnContext (AuthnContextClassRef) in the AuthnRequest | N/A | No |
Example Configuration
{
  "alias": "brokerToSAML",
  "name": "OIDCToSAMLBroker",
  "configuration": {
    "pipeIDAssertionConsume": "assertionPipeValidation",
    "sp": "dummy.ninja",
    "targetIDP": "example.org/saml/idp",
    "acsUrl": "http://localhost/oidc/authenticate/brokerToSAML",
    "entityID": "dummy.ninja"
  }
}
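The following is an added example, not code from the product or this page: it applies the defaults from the properties table to the example configuration above, rejects a configuration that omits a mandatory property, and then shows what the authMethod check means in practice by comparing the AuthnContextClassRef of a constructed (not captured) SAML assertion with the configured value. The function names, the PROPERTIES table layout and the minimal assertion XML are assumptions for illustration; the real validation of the assertion happens in the pipe named by pipeIDAssertionConsume.

```python
"""Illustration of OIDCToSAMLBroker property defaults and the authMethod check.

Added example; not the product's own code. Everything below is an assumption
except the property names, defaults and the example configuration, which are
copied from the page.
"""
import xml.etree.ElementTree as ET

# Property table from the page: name -> (mandatory, default value).
PROPERTIES = {
    "sp": (True, None),
    "pipeIDAssertionConsume": (True, None),
    "targetIDP": (True, None),
    "entityID": (True, None),
    "binding": (False, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"),
    "addsignature": (False, True),
    "authMethod": (False, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
    "cancelUrl": (False, None),
    "paramsToForward": (False, None),
    "useSessionManagement": (False, False),
    "requestedAuthnContext": (False, None),
}

# The "configuration" object of the example on the page.
EXAMPLE_CONFIG = {
    "pipeIDAssertionConsume": "assertionPipeValidation",
    "sp": "dummy.ninja",
    "targetIDP": "example.org/saml/idp",
    "acsUrl": "http://localhost/oidc/authenticate/brokerToSAML",
    "entityID": "dummy.ninja",
}


def resolve_config(configuration: dict) -> dict:
    """Fill in table defaults; raise ValueError if a mandatory property is absent or empty."""
    missing = [name for name, (mandatory, _) in PROPERTIES.items()
               if mandatory and not configuration.get(name)]
    if missing:
        raise ValueError("missing mandatory properties: " + ", ".join(sorted(missing)))
    resolved = {name: default for name, (_, default) in PROPERTIES.items() if default is not None}
    resolved.update(configuration)
    # paramsToForward is documented as a comma separated string; split it into a list.
    if resolved.get("paramsToForward"):
        resolved["paramsToForward"] = [p.strip() for p in resolved["paramsToForward"].split(",") if p.strip()]
    return resolved


NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def authn_context_matches(assertion_xml: str, config: dict) -> bool:
    """True only if the assertion has at least one AuthnStatement and every
    AuthnContextClassRef equals the configured authMethod (assumed semantics)."""
    root = ET.fromstring(assertion_xml)
    refs = [e.text.strip() for e in
            root.iterfind(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
            if e.text]
    return bool(refs) and all(ref == config["authMethod"] for ref in refs)


def sample_assertion(class_ref: str) -> str:
    """Constructed minimal assertion carrying one AuthnStatement with the given class ref."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>example.org/saml/idp</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


if __name__ == "__main__":
    cfg = resolve_config(EXAMPLE_CONFIG)
    print("resolved authMethod:", cfg["authMethod"])
    good = sample_assertion(cfg["authMethod"])
    weak = sample_assertion("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified")
    print("expected method used:", authn_context_matches(good, cfg))
    print("weaker method used:  ", authn_context_matches(weak, cfg))
```

With the example configuration, the defaults leave authMethod at PasswordProtectedTransport, so an assertion whose AuthnContextClassRef is `unspecified` (or an assertion with no AuthnStatement at all) is rejected; a configuration missing `sp`, `pipeIDAssertionConsume`, `targetIDP` or `entityID` is rejected before any assertion is looked at.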