Used when authentication is based on an X509 certificate.


| Name | Description | Default value | Mandatory |
|---|---|---|---|
| idpID | The internal identifier of the IdP used | N/A | Yes |
| pipeID | ID of the pipe used to issue the SAML assertion | N/A | Yes |
| certificateheader | The parameter in which the certificate will be found | N/A | Yes |
| samlAuthMethod | The value set in the AuthnContextClassRef | urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient | No |
| certificateExtractionUrl | If data is missing in the request, where to send the client for certificate extraction. | N/A | No |
| sendSAMLResponseOnError | Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. | false | No |
| strictValidation | Whether or not additional validation checks should be made on the SAMLRequest. | false | No |
| resolveSAMLRequestProperties | Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. | false | No |

Example Configuration

    "alias": "certificatesaml",
    "name": "HeaderBasedCertificateSAML",
    "configuration": {
        "idpID": "idp",


Some kind of web front handling certificate extraction and populating the data.
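
One way to build such a web front, as an added example that is not part of the product's own documentation: an nginx reverse proxy that requires a client certificate and passes it upstream in a header. The header name `X-Client-Cert` (the value `certificateheader` would point at), the hostname, file paths and upstream address are placeholders, and the URL-encoded PEM form is an assumption to check against what the authenticator expects.

```nginx
# Added example: TLS-terminating front that extracts the client certificate.
# Hostname, paths, header name and upstream address are placeholders.
server {
    listen 443 ssl;
    server_name login.example.com;

    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;

    # CA bundle that client certificates must chain to.
    ssl_client_certificate  /etc/nginx/tls/client-ca.pem;
    # Verify the certificate during the handshake; requests without a
    # valid client certificate are rejected by nginx with a 400 response.
    ssl_verify_client       on;
    ssl_verify_depth        2;

    location / {
        # proxy_set_header replaces any header of the same name sent by the
        # client, so the value read upstream always comes from the TLS
        # handshake and never from client-supplied input.
        # $ssl_client_escaped_cert is the URL-encoded PEM certificate.
        proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
        proxy_set_header Host $host;

        # Upstream server hosting the authenticator (placeholder address).
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The upstream should accept connections only from this front. If it is reachable directly, the header is ordinary client input and no longer proves possession of a certificate.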