SAML settings for IdPs¶
You can find the SAML IdP related settings under settings section of the selected SAML IdP.
Basic settings¶
-
Service provider entity ID¶
Also known as issuer. Specifies the entityID of Asgardeo which acts as the application. This value will be used as the
<saml2:Issuer>
in the SAML requests initiated from Asgardeo to external Identity Provider (IdP). You need to provide a unique value as the service provider entityId.It is recommended to use a valid urn (e.g: urn:asgardeo:id) as the entityID.
-
Identity provider Single Sign-On URL¶
Single sign-on URL of the external IdP. This is where Asgardeo will send its authentication requests.
-
Assertion Consumer Service (ACS) URL¶
The Assertion Consumer Service (ACS) URL determines where Asgardeo expects the external identity provider to send the SAML response.
-
Identity provider entity ID¶
Also known as the issuer of identity provider. This is the
<saml2:Issuer>
value specified in the SAML responses issued by the external IdP. -
Identity provider NameID format¶
Name ID defines the name identifier formats supported by the external IdP. Name identifier is how Asgardeo communicates with external IdP regarding a user.
-
HTTP protocol binding¶
Specifies the mechanisms to transport SAML messages in communication protocols. Bindings define how SAML request-response protocol messages can be exchanged between identity provider and SAML application via HTTP transport.
Asgardeo supports below bindings:
- HTTP Post
- HTTP Redirect
- As Per Request
Single Logout¶
-
Accept identity provider logout requests¶
Specifies whether single logout request from the IdP must be accepted by Asgardeo. By selecting this configuration, Asgardeo can process the SAML IdP initiated logout requests and send the back-channel logout requests to the downstream applications.
-
Identity provider logout enabled¶
Specifies whether logout is supported by the external IdP.
-
IdP logout URL¶
Provides the logout endpoint URL of the IdP.
Request & Response Signing¶
Strictly verify authentication response signature info¶
Specifies if SAML2 authentication response from the external IdP must be signed or not. If this setting is selected, Asgardeo will validate the signature in authentication response sent by the external IdP.
Logout request signing¶
Specifies if SAML2 logout request to the external IdP from Asgardeo must be signed or not.
Authentication request signing¶
Specifies if SAML2 authentication request to the external IdP from Asgardeo must be signed or not.
Signature algorithm¶
Used as the signing algorithm to sign the authentication request and logout request.
Digest algorithm¶
Used as the digest algorithm in authentication request and logout request.
Advanced¶
Include protocol binding in the request¶
Specifies whether the transport mechanism should be included in the small authentication request.
Find user ID from requests¶
To specify an attribute from the SAML 2.0 assertion as the user identifier, configure the subject attribute from the attributes section.
Additional query parameters¶
Asgardeo supports sending additional information to your SAML external IdP in the form of query params in the login request.
- Fixed query params
-
Dynamic query params
-
Query param value sent in the application login request
- Query param value resolved in a conditional authentication script
You can check below examples when an application developer wants to send login_hint as a query param to external provider.
Fixed query params
Here Asgardeo sends the fixed query param (e.g: login_hint
) to the external identity provider in the login request.
-
Sample Query Param:
login_hint=none
Dynamic query params
-
Query param value sent in the application login request
-
Sample Query Param:
login_hint={login_hint_value}
-
If the application does not send the query param
login_hint_value
in the login request, the particular parameterized query param will not be sent to the external SAML identity provider.
-
-
Query param value resolved in a conditional authentication script
-
Sample Query Param:
login_hint=$authparam{login_hint_value}
Here login_hint_value needs to be resolved from the conditional auth script.
-
Sample conditional auth script:
// Step 1: username and password authentication // Step 2: SAML enterprise login var onLoginRequest = function(context) { executeStep(1, { onSuccess: function(context) { // Extracting authenticated user from the first step. var emailAddress = context.steps[1].subject.username; executeStep(2, { authenticatorParams: { common: { 'login_hint_value': emailAddress // This is where we resolve the dynamic query param. } }, authenticationOptions: [{ idp: 'SAMLIDP' // Name of the SAML IdP. }] }, {}); }, }); };
-