Used to provide Authentication for independent signing services. Requires the AuthnRequest property SignMessage to be resolved (i.e. it requires the config parameter "resolveSAMLRequestProperties" to be set to "true" either at this authenticator, or at one earlier in the authentication flow like a Dispatch or SAMLDataSave). Provides a user-facing message showing them the message they are asked to sign, before dispatching the request to another authenticator for the actual authentication.

If the user sees the SignMessage and proceeds to authenticate, the AssertionProvider used in the pipe will automatically add the attribute "urn:oid:1.2.752.201.3.14" (signMessageDigest) to the Assertion.


Name Description Default value Mandatory
nextAuthenticator The authenticator to dispatch the request to. N/A Yes
idpID The internal identifier of the idp used. N/A Yes
sendSAMLResponseOnError Whether or not a SAMLResponse containing an error response should be sent back to the SP upon an internal authentication error. false No
strictValidation Whether or not additional validation checks should be made on the SAMLRequest. false No
resolveSAMLRequestProperties Whether or not request properties from the SAML AuthnRequest should be resolved before proceeding with the authentication. Typically used at the start of an authentication flow. false No

Example Configuration

    "alias": "samlauthforsigning",
    "name": "SAMLAuthForSigning",
    "configuration": {
        "nextAuthenticator": "myupwauthenticatoralias",
        "idpID": "myIdpID"


Another SAML Authenticator configured, resolveSAMLRequestProperties set to "true" in either this authenticator, or one earlier in the flow (e.g. a Dispatch or SAMLDataSave).