Module saml2

Last modified 07 May 2024 11:13 +02:00

SAML2 authentication module supports authentication via Identity provider with SAML2. SAML2 module has a little complicated configuration. This module contains specific attribute:

Name Description Required Type

serviceProvider

Basic configuration of SP.

true

AuthenticationModuleSaml2ServiceProviderType

AuthenticationModuleSaml2ServiceProviderType

AuthenticationModuleSaml2ServiceProviderType contains following configuration attributes:

Name Description Required Type Default Unused from 4.4

entityId

Unique identifier of the service provider.

true

String

alias

Unique alias used to identify the selected local service provider based on used URL.

false

String

aliasForPath

Alias used for AssertionConsumerServiceURL.

false

String

defaultSigningAlgorithm

Default signing algorithm. Possible values are RSA_SHA1, RSA_SHA256, RSA_SHA512 and RSA_RIPEMD160.

false

enum

RSA_SHA256

signRequests

Flag indicating whether this service signs authentication requests.

false

boolean

false

keys

Key used by service provider.

false

AuthenticationModuleSaml2KeyType

identityProvider

Possible identity providers for this service provider.

true

AuthenticationModuleSaml2ProviderType

AuthenticationModuleSaml2KeyType

AuthenticationModuleSaml2KeyType contains following configuration attributes:

Name Description Required Type

activeSimpleKey

Base key used for signing and dencryption. You can use only one from active keys, or can be both null.

true

ModuleSaml2SimpleKeyType

activeKeyStoreKey

Base key used for signing and dencryption. You can use only one from active keys, or can be both null.

true

ModuleSaml2KeyStoreKeyType

standBySimpleKey

Other keys.

true

ModuleSaml2SimpleKeyType

standByKeyStoreKey

Other keys.

true

ModuleSaml2KeyStoreKeyType

ModuleSaml2SimpleKeyType

ModuleSaml2SimpleKeyType contains following attributes:

Name Description Required Type

privateKey

Private key.

true

ProtectedStringType

passphrase

Password.

true

ProtectedStringType

certificate

Certificate of key.

true

ProtectedStringType

type

Type of key. Possible values are SIGNING, UNSPECIFIED and DECRYPTION.

false

enum
Example of ModuleSaml2SimpleKeyType
<activeSimpleKey>
    <name>sp-signing-key</name>
    <privateKey>
        <t:clearValue>"primary key"</t:clearValue>
    </privateKey>
    <passphrase>
        <t:clearValue>"password"</t:clearValue>
    </passphrase>
    <certificate>
        <t:clearValue>"certificate"</t:clearValue>
    </certificate>
</activeSimpleKey>

ModuleSaml2KeyStoreKeyType

ModuleSaml2KeyStoreKeyType contains following attributes:

Name Description Required Type

keyStorePath

Path to KeyStore.

true

String

keyStorePassword

Password of KeyStore.

true

ProtectedStringType

keyAlias

Alias of private key in KeyStore.

true

ProtectedStringType

keyPassword

Password of private key with alias ‘keyAlias’ in KeyStore.

true

ProtectedStringType

type

Type of key. Possible values are SIGNING, UNSPECIFIED and DECRYPTION.

false

enum
Example of ModuleSaml2KeyStoreKeyType
<activeKeyStoreKey>
    <keyStorePath>/home/lskublik/keyStore</keyStorePath>
    <keyStorePassword>
        <t:clearValue>"password of keyStore"</t:clearValue>
    </keyStorePassword>
    <keyAlias>sp-signing-key-1</keyAlias>
    <keyPassword>
        <t:clearValue>"password of private key"</t:clearValue>
    </keyPassword>
</activeKeyStoreKey>

AuthenticationModuleSaml2ProviderType

AuthenticationModuleSaml2ProviderType represents one Identity Providers. AuthenticationModuleSaml2ProviderType contains following attributes:

Name Description Required Type Default

entityId

Unique identifier of the service provider.

true

String

metadata

Metadata of Identity provider.

true

AuthenticationModuleSaml2MetadataType

linkText

User friendly name of provider.

false

String

authenticationRequestBinding

SAML2 binding used for authentication request.

true

String

verificationKeys

false

ProtectedStringType

nameOfUsernameAttribute

Name of attribute in response, which value define name of user in Midpoint. For example 'uid'.

true

String

AuthenticationModuleSaml2ProviderMetadataType

AuthenticationModuleSaml2ProviderMetadataType represents metadata of provider. You can choose from one definition for metadata: metadataUrl, xml and pathToFile.

Name Description

metadataUrl

URL, which show metadata.

xml

Xml of metadata encrypted by base64.

pathToFile

Path to xml file, which contains metadata.
Example of saml2 module
<saml2>
    <identifier>mySamlSso</identifier>
    <description>My internal enterprise SAML-based SSO system.</description>
    <serviceProvider>
        <entityId>sp_midpoint</entityId>
        <signRequests>true</signRequests>
        <keys>
            .
            .
            .
        </keys>
        <identityProvider>
            <entityId>https://idptestbed/idp/shibboleth</entityId>
            <metadata>
                <xml>PD94bWwgdmVyc2lvbj0iMS4wI...</xml>
            </metadata>
            <linkText>Shibboleth</linkText>
            <authenticationRequestBinding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</authenticationRequestBinding>
            <nameOfUsernameAttribute>uid</nameOfUsernameAttribute>
        </identityProvider>
    </serviceProvider>
</saml2>

Generation of service provider metadata

Midpoint can generate metadata of SP. You can get it via link http://<midpointHost>/midpoint/auth/<authenticationSequenceUrlSuffix>/<saml2ModuleName>/metadata/<registrationId>;. RegistrationId is 'aliasForPath', when is provided, or 'alias', when is provided, or 'entityId' of SP.

Generation of metadata works only if your sequence use only saml2 authentication module or saml2 authentication module is first in chain of your sequence. When you want to use a chain and saml2 module won’t be first authentication module, we recommend to create sequence only with saml module, generate metadata and then add other modules.

If Midpoint is located behind a reverse proxy it may be useful to set the publicHttpUrlPattern setting to the right value in order for the SAML endpoints (in the SP Metadata and in the SAMLRequest) to reflect the right URLs (see below)

Example of public URL configuration
<systemConfiguration>
    .
    .
    .
    <infrastructure>
        <publicHttpUrlPattern>https://public.url.local/midpoint</publicHttpUrlPattern>
    </infrastructure>
    .
    .
    .
</systemConfiguration>

Migration Saml2 authentication module from 4.3

Dependency for support of saml2 authentication module was changed to Spring Security saml2-service-provider.

  • Functionality of a new module is equivalent to the functionality of old saml2 module, however some configuration properties are not available in the new module. Such properties were tagged as deprecated in schema of saml2 authentication module.

  • Attribute 'provider' has to be changed to 'identityProvider' in 'serviceProvider'.

  • When keys of 'type' ENCRYPTION are used, they need to be removed. Service provider will obtain them from metadata for identity provider.

See also

Was this page helpful?
YES NO
Thanks for your feedback