SAMLSPBroker
Warning
This authenticator is a legacy authenticator. It is recommended to plan for migrating it to the new protocol-agnostic authenticator architecture. More information about the legacy authenticators can be found here.
Note
A federated organisation may have multiple distinct services (service providers), each protected under a distinct trust domain. The same organisation may wish to trust multiple external and internal identity providers and allow the end user to select their preferred identity provider.
In order to support multiple services, multiple identity providers and possibly multiple rules, an Authentication Broker Service is required.
Properties
| Name | Description | Default value | Mandatory |
|---|---|---|---|
| sp | The entity ID of the Service Provider. Must be the same value as entityID. This value maps to a configured SAML Service Provider. | N/A | Yes |
| issueAsIDPID | The entity ID used when acting as an IdP. | N/A | Yes |
| targetIDP | ID of the SAMLMETA IdP entity in the store to use for authentication. This is the external IdP. | N/A | Yes |
| acsURL | The URL that receives the assertion. Should reference this same authenticator: '/authenticate/authenticator_alias'. | N/A | Yes |
| entityID | The entity ID of the Service Provider. Must be the same value as sp. This value maps to a configured SAML Service Provider. | N/A | Yes |
| addsignature | Sign the authentication request (true/false). | true | No |
| pipeIDAssertionConsume | ID of the pipe used when consuming an incoming assertion. | N/A | Yes |
| pipeIDAssertionProduce | ID of the pipe used when creating an outgoing assertion. | N/A | Yes |
| discoveryUrl | If using IdP discovery, this should point to the location of the discovery service. | N/A | No |
| samlAuthMethod | The value put in the AuthnContextClassRef of the SAML Assertion. | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | No |
| cancelUrl | Where to redirect the browser after a cancelled authentication. | N/A | No |
| attributeConsumingServices | The SAML SP AttributeConsumingServices to be listed in the SP metadata. | N/A | No |
| requestedAuthnContext | Value of RequestedAuthnContext (AuthnContextClassRef) in the AuthnRequest. | N/A | No |
Example Configuration
```json
{
  "id": "broker",
  "alias": "broker",
  "name": "SAMLSPBroker",
  "displayName": "Broker",
  "configuration": {
    "sp": "https://myserver/saml/broker",
    "issueAsIDPID": "https://myserver/saml/idp",
    "pipeIDAssertionConsume": "pipeAssertionConsumer",
    "pipeIDAssertionProduce": "pipeAssertionProducer",
    "targetIDP": "https://external_idp/idp",
    "acsUrl": "https://myserver/saml/authenticate/broker",
    "entityID": "https://myserver/saml/broker",
    "addsignature": "false"
  }
}
```
Example Configuration with AttributeConsumingServices
```json
{
  "id": "broker",
  "alias": "broker",
  "name": "SAMLSPBroker",
  "displayName": "Broker",
  "configuration": {
    "sp": "https://myserver/saml/broker",
    "issueAsIDPID": "https://myserver/saml/idp",
    "pipeIDAssertionConsume": "pipeAssertionConsumer",
    "pipeIDAssertionProduce": "pipeAssertionProducer",
    "targetIDP": "https://external_idp/idp",
    "acsUrl": "https://myserver/saml/authenticate/broker",
    "entityID": "https://myserver/saml/broker",
    "addsignature": "false",
    "attributeConsumingServices": [
      {
        "index": "0",
        "default": "true",
        "issuers": ["SPEntityId1", "SPEntityId2"],
        "serviceNames": [
          { "name": "TestSP utan HSA-uppslag", "lang": "sv" }
        ],
        "requestedAttributes": [
          {
            "name": "urn:sambi:names:attribute:levelOfAssurance",
            "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "friendlyName": "levelOfAssurance"
          }
        ]
      },
      {
        "index": "1",
        "default": "false",
        "issuers": ["SPEntityId3", "TestSPEntityId4"],
        "serviceNames": [
          { "name": "TestSP med HSA-uppslag", "lang": "sv" },
          { "name": "TestSP with HSA-query", "lang": "en" }
        ],
        "requestedAttributes": [
          {
            "name": "urn:sambi:names:attribute:levelOfAssurance",
            "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "friendlyName": "levelOfAssurance"
          },
          {
            "name": "http://sambi.se/attributes/1/givenName",
            "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "friendlyName": "givenName",
            "isRequired": "true"
          },
          {
            "name": "http://sambi.se/attributes/1/systemRole",
            "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
            "friendlyName": "systemRole"
          }
        ]
      }
    ]
  }
}
```
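The property table and the two examples above leave a few consistency rules implicit: every mandatory property must be present, sp and entityID must carry the same value, acsURL must point back at '/authenticate/<alias>', and addsignature="false" means the AuthnRequest sent to targetIDP goes out unsigned. The following review helper is an added example, not part of the product; it checks a broker object of the shape shown above against those rules, comparing property names case-insensitively because the table writes acsURL while the examples write acsUrl.

```python
# Hypothetical review helper for a SAMLSPBroker authenticator object.
# Property names are matched case-insensitively (table: acsURL, examples: acsUrl).
MANDATORY = ("sp", "issueasidpid", "targetidp", "acsurl", "entityid",
             "pipeidassertionconsume", "pipeidassertionproduce")


def check_broker_config(authenticator: dict) -> list:
    """Return a list of findings (empty list means no issue found)."""
    conf = {k.lower(): v for k, v in authenticator.get("configuration", {}).items()}
    alias = authenticator.get("alias", "")
    findings = []
    for key in MANDATORY:
        if key not in conf:
            findings.append(f"missing mandatory property: {key}")
    # sp and entityID must be the same SP entity ID.
    if conf.get("sp") != conf.get("entityid"):
        findings.append("sp and entityID differ")
    # acsURL must reference this authenticator: '/authenticate/<alias>'.
    acs = str(conf.get("acsurl", ""))
    if alias and not acs.endswith(f"/authenticate/{alias}"):
        findings.append(f"acsURL does not end with /authenticate/{alias}")
    # addsignature defaults to true; "false" disables signing of the AuthnRequest.
    if str(conf.get("addsignature", "true")).lower() == "false":
        findings.append("addsignature is false: AuthnRequest to targetIDP is unsigned")
    return findings


# Constructed sample: the first example above with addsignature left at its default.
SAMPLE_OK = {
    "id": "broker", "alias": "broker", "name": "SAMLSPBroker",
    "configuration": {
        "sp": "https://myserver/saml/broker",
        "issueAsIDPID": "https://myserver/saml/idp",
        "pipeIDAssertionConsume": "pipeAssertionConsumer",
        "pipeIDAssertionProduce": "pipeAssertionProducer",
        "targetIDP": "https://external_idp/idp",
        "acsUrl": "https://myserver/saml/authenticate/broker",
        "entityID": "https://myserver/saml/broker",
    },
}

# Constructed misconfiguration: entityID mismatch, acsUrl pointing at another
# authenticator, and unsigned AuthnRequests.
SAMPLE_BAD = {
    "id": "broker", "alias": "broker", "name": "SAMLSPBroker",
    "configuration": {**SAMPLE_OK["configuration"],
                      "entityID": "https://myserver/saml/other",
                      "acsUrl": "https://myserver/saml/authenticate/login",
                      "addsignature": "false"},
}
```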
Requirements
A SAML Service Provider entity defined under Advanced->SAML Service Provider.