SAML SP
Note: this section documents the configuration options for the SAML service provider (SP).
General configuration
| Property name | Description | Allowed/default values |
|---|---|---|
| id | The internal ID of the SAML SP | String |
| name | The display name shown in the configuration gui | String |
| keystoreSign | The keystore id the SP should use for signatures. For purposes of certificate rollover, can be several keystore ids in a row, comma-separated (no spaces). | String |
| keystoreEncrypt | The keystore id the SP should use for encryption. For purposes of certificate rollover, can be several keystore ids in a row, comma-separated (no spaces). | String |
| entityID | The entityID | String |
| assertionConsumerServiceUrls | The AssertionConsumerServiceURLs of the SP. In legacy configurations this often resides in the authenticator configuration, but in modern configurations this is defined here. See information below regarding ACS URLs. | List of strings |
| sloUrls | The SingleLogoutService URLs of the SP. | List of strings |
| allowIncomingLogoutRequests | Whether the SP should allow incoming logout requests from an IDP attempting SLO. | Boolean |
| attributeConsumingServices | Which AttributeConsumingServices the SP has. Can be used in combination with SPBroker's parameter setAcsIndexBasedOnRequestIssuer to control which AttributeConsumingServiceIndex is sent in AuthnRequests, so that the IdP may provide the requested attribute profile. | List of objects (see below) |
| ForceAuthn | Whether or not ForceAuthn should be set in outgoing authentication requests. | Boolean |
A note on ACS URLs
The configured assertionConsumerServiceUrls are used by identity providers as the return URL, which must direct the user back to the correct flow. Prior to PAS 6.0.0 this meant you had to configure the URL manually so that it worked for the flows you intended; from 6.0.0 onward you can simply configure the ACS URL as https://your-domain.com/authentication/samlsp/your-sp-id/acs and, based on the automatically appended RelayState, PAS works out where to direct the request internally.
The same goes for SLO URLs, which should be configured as https://your-domain.com/authentication/samlsp/your-sp-id/slo.
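The conventions above are easy to check before a configuration is deployed. The following script is an added example, not PhenixID's own code: it reads an SP configuration document with the field names documented in this section and reports deviations from the stated rules (comma-separated keystore ids with no spaces, ACS and SLO URLs of the form https://host/authentication/samlsp/sp-id/acs or /slo, https only, boolean fields holding true/false). The rules it enforces beyond what the text states (https scheme, the path matching the SP's own id) are this example's assumptions, and the two sample configurations are constructed.

```python
"""Sanity checks for a SAML SP configuration block (added example, not PAS code)."""
import json
import re
from urllib.parse import urlparse

# Keystore ids in the page's example are UUIDs, but the page only requires
# comma-separated ids with no spaces, so a token is anything non-empty
# without whitespace or commas.
_KEYSTORE_TOKEN = re.compile(r"^[^\s,]+$")


def check_keystore_list(value, field: str) -> list[str]:
    """Return findings for a comma-separated keystore id list (no spaces allowed)."""
    if not isinstance(value, str) or not value:
        return [f"{field}: must be a non-empty string"]
    return [f"{field}: bad keystore id {token!r} (space or empty entry)"
            for token in value.split(",") if not _KEYSTORE_TOKEN.match(token)]


def check_endpoint_url(url: str, sp_id: str, kind: str, field: str) -> list[str]:
    """Check one ACS ("acs") or SLO ("slo") URL against the PAS 6 convention.

    Assumption: the host is free, the scheme must be https and the path must be
    exactly /authentication/samlsp/<sp-id>/<kind> for this SP's own id.
    """
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(f"{field}: {url} is not https")
    expected_path = f"/authentication/samlsp/{sp_id}/{kind}"
    if parsed.path != expected_path:
        findings.append(f"{field}: {url} path does not match {expected_path}")
    return findings


def validate_sp_config(raw: str) -> list[str]:
    """Validate an SP config JSON document; an empty list means no findings."""
    cfg = json.loads(raw)
    findings = []
    for field in ("id", "entityID"):
        if not cfg.get(field):
            findings.append(f"{field}: missing")
    sp_id = cfg.get("id", "")
    for field in ("keystoreSign", "keystoreEncrypt"):
        if field in cfg:
            findings += check_keystore_list(cfg[field], field)
    for field, kind in (("assertionConsumerServiceUrls", "acs"), ("sloUrls", "slo")):
        for url in cfg.get(field, []):
            findings += check_endpoint_url(url, sp_id, kind, field)
    for field in ("ForceAuthn", "allowIncomingLogoutRequests"):
        if field in cfg and str(cfg[field]).lower() not in ("true", "false"):
            findings.append(f"{field}: expected true/false, got {cfg[field]!r}")
    return findings


# Constructed samples: one config that follows the conventions, one that does not.
GOOD_CONFIG = json.dumps({
    "id": "spbroker",
    "entityID": "https://localhost:8443/samlsp/spbroker",
    "keystoreSign": "key-old,key-new",   # rollover: two ids, no spaces
    "keystoreEncrypt": "key-new",
    "ForceAuthn": "false",
    "allowIncomingLogoutRequests": "true",
    "assertionConsumerServiceUrls": ["https://localhost:8443/authentication/samlsp/spbroker/acs"],
    "sloUrls": ["https://localhost:8443/authentication/samlsp/spbroker/slo"],
})

BAD_CONFIG = json.dumps({
    "id": "spbroker",
    "entityID": "https://localhost:8443/samlsp/spbroker",
    "keystoreSign": "key-old, key-new",  # space after the comma
    "assertionConsumerServiceUrls": ["http://localhost:8443/authentication/samlsp/other/acs"],
    "sloUrls": ["https://localhost:8443/authentication/samlsp/spbroker/slo"],
    "ForceAuthn": "yes",
})

if __name__ == "__main__":
    for label, raw in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_sp_config(raw) or "ok")
```

Run it against the bad sample and it reports the space in keystoreSign, the non-https ACS URL, the ACS path pointing at a different SP id, and the non-boolean ForceAuthn value; the good sample produces no findings.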
Attribute consuming services configuration
attributeConsumingServices is a more complex configuration parameter and is configured as a list of JSON objects (see the examples below):
| Property name | Description | Allowed/default values | Mandatory |
|---|---|---|---|
| index | The index of the service | String | Yes |
| default | Whether or not this should be the default service | String | Yes |
| issuers | List of request issuers (could be other SP entity ids, OIDC RP ids, etc.) that should use this service (if SPBroker's parameter setAcsIndexBasedOnRequestIssuer is true) | List of strings | Yes |
| serviceNames | List of service names in different languages as displayed in the meta data. | List of objects (see below) | Yes |
| requestedAttributes | List of requested attributes as displayed in the meta data. | List of objects (see below) | Yes |
Each entry of serviceNames within attributeConsumingServices can be configured the following way:
| Name | Description | Mandatory |
|---|---|---|
| name | The name of the service | Yes |
| lang | The language used for this name | Yes |
Each entry of requestedAttributes within attributeConsumingServices can be configured the following way:
| Name | Description | Mandatory |
|---|---|---|
| name | The name of the SAML attribute | Yes |
| nameFormat | The nameFormat of the SAML attribute | Yes |
| friendlyName | The friendlyName of the SAML attribute | Yes |
| isRequired | Whether or not the attribute is required for the federation to work | No |
Full configuration example
```json
{
  "id" : "spbroker",
  "name" : "SAML Service provider",
  "keystoreSign" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
  "keystoreEncrypt" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
  "entityID" : "https://localhost:8443/samlsp/spbroker",
  "baseURL" : "https://localhost:8443",
  "ForceAuthn" : "false",
  "allowIncomingLogoutRequests" : "true",
  "sloUrls" : [ "https://localhost:8443/authentication/samlsp/spbroker/slo" ],
  "assertionConsumerServiceUrls" : [ "https://localhost:8443/authentication/samlsp/spbroker/acs" ],
  "attributeConsumingServices" : [ {
    "index" : "0",
    "default" : "true",
    "issuers" : [ "SPEntityId1", "SPEntityId2" ],
    "serviceNames" : [ {
      "name" : "TestSP utan HSA-uppslag",
      "lang" : "sv"
    } ],
    "requestedAttributes" : [ {
      "name" : "urn:sambi:names:attribute:levelOfAssurance",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "levelOfAssurance"
    } ]
  }, {
    "index" : "1",
    "default" : "false",
    "issuers" : [ "broker", "TestSPEntityId4" ],
    "serviceNames" : [ {
      "name" : "TestSP med HSA-uppslag",
      "lang" : "sv"
    }, {
      "name" : "TestSP with HSA-query",
      "lang" : "en"
    } ],
    "requestedAttributes" : [ {
      "name" : "urn:sambi:names:attribute:levelOfAssurance",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "levelOfAssurance"
    }, {
      "name" : "http://sambi.se/attributes/1/givenName",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "givenName",
      "isRequired" : "true"
    }, {
      "name" : "http://sambi.se/attributes/1/systemRole",
      "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName" : "systemRole"
    } ]
  } ],
  "created" : "2023-12-08T10:01:52.316Z"
}
```
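To make the attributeConsumingServices tables concrete, the script below is an added example (not PhenixID's code) that takes a configuration shaped like the one above, checks the structural rules the tables imply (unique index values, exactly one default service), renders each service as the md:AttributeConsumingService element an IdP would see in the SP metadata, and shows how the issuers lists select the AttributeConsumingServiceIndex for a given request issuer. The issuer-selection logic is this example's reconstruction of what setAcsIndexBasedOnRequestIssuer is documented to do (first service listing the issuer wins, otherwise the default), not PAS's actual implementation; the sample configuration is constructed from the page's example.

```python
"""Render attributeConsumingServices as SAML metadata and pick an ACS index (added example)."""
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ET.register_namespace("md", MD_NS)

# Constructed sample: the attributeConsumingServices from the page's full example, trimmed.
SAMPLE_CONFIG = json.loads("""{
  "id": "spbroker",
  "attributeConsumingServices": [ {
    "index": "0", "default": "true",
    "issuers": [ "SPEntityId1", "SPEntityId2" ],
    "serviceNames": [ { "name": "TestSP utan HSA-uppslag", "lang": "sv" } ],
    "requestedAttributes": [ {
      "name": "urn:sambi:names:attribute:levelOfAssurance",
      "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName": "levelOfAssurance" } ]
  }, {
    "index": "1", "default": "false",
    "issuers": [ "broker", "TestSPEntityId4" ],
    "serviceNames": [ { "name": "TestSP med HSA-uppslag", "lang": "sv" },
                      { "name": "TestSP with HSA-query", "lang": "en" } ],
    "requestedAttributes": [ {
      "name": "http://sambi.se/attributes/1/givenName",
      "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
      "friendlyName": "givenName", "isRequired": "true" } ]
  } ]
}""")


def _is_true(value) -> bool:
    # The page's example stores booleans as the strings "true"/"false".
    return str(value).lower() == "true"


def check_services(services: list) -> list[str]:
    """Structural findings: every index unique, exactly one default service."""
    findings = []
    indices = [s["index"] for s in services]
    if len(indices) != len(set(indices)):
        findings.append("duplicate AttributeConsumingService index")
    defaults = [s["index"] for s in services if _is_true(s.get("default"))]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default service, found {len(defaults)}")
    return findings


def select_acs_index(services: list, request_issuer: str) -> int:
    """Pick the AttributeConsumingServiceIndex to send in an AuthnRequest.

    Assumed behaviour of setAcsIndexBasedOnRequestIssuer: the first service whose
    issuers list contains the request issuer wins; otherwise the default is used.
    """
    for svc in services:
        if request_issuer in svc.get("issuers", []):
            return int(svc["index"])
    for svc in services:
        if _is_true(svc.get("default")):
            return int(svc["index"])
    raise ValueError("no default AttributeConsumingService configured")


def render_metadata(services: list) -> str:
    """Serialise the services as SAML 2.0 metadata elements, one per line."""
    parts = []
    for svc in services:
        acs = ET.Element(f"{{{MD_NS}}}AttributeConsumingService",
                         {"index": svc["index"],
                          "isDefault": str(_is_true(svc.get("default"))).lower()})
        for sn in svc["serviceNames"]:
            name_el = ET.SubElement(acs, f"{{{MD_NS}}}ServiceName",
                                    {f"{{{XML_NS}}}lang": sn["lang"]})
            name_el.text = sn["name"]
        for ra in svc["requestedAttributes"]:
            attrs = {"Name": ra["name"], "NameFormat": ra["nameFormat"],
                     "FriendlyName": ra["friendlyName"]}
            if "isRequired" in ra:
                attrs["isRequired"] = str(_is_true(ra["isRequired"])).lower()
            ET.SubElement(acs, f"{{{MD_NS}}}RequestedAttribute", attrs)
        parts.append(ET.tostring(acs, encoding="unicode"))
    return "\n".join(parts)


if __name__ == "__main__":
    services = SAMPLE_CONFIG["attributeConsumingServices"]
    print(check_services(services) or "structure ok")
    print("index for TestSPEntityId4:", select_acs_index(services, "TestSPEntityId4"))
    print(render_metadata(services))
```

For the sample, a request from TestSPEntityId4 maps to index 1 while an issuer listed nowhere falls back to the default service at index 0; the rendered element for index 1 carries both ServiceName languages and the isRequired="true" flag on givenName, which is what the IdP uses to decide whether it can satisfy the requested attribute profile.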