OIDCToSAMLBroker

Used to broker between protocols, also known as "token translation". The calling client uses OIDC; the request is translated and forwarded to a SAML broker for authentication. After successful SAML authentication the returned assertion is validated and translated into OIDC so that the calling client can understand the response.

Note that consent is not handled by this authenticator. It has to be handled on the SAML IDP side.

Properties

Name | Description | Default value | Mandatory
sp | The internal SAML service provider ID. This is the SP exposed to the SAML IDP. | N/A | Yes
pipeIDAssertionConsume | ID of the pipe consuming and validating the SAML assertion from the IDP | N/A | Yes
targetIDP | The entity ID of the SAML IDP to which the authentication request is sent | N/A | Yes
binding | SAML binding to use for sending back the assertion | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | No
addsignature | Should the authentication request sent to the SAML IDP be signed | true | No
entityID | The entity ID of the internal SAML SP | N/A | Yes
authMethod | Value used to verify that the correct authentication method was used on the SAML IDP | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | No
cancelUrl | Where to redirect the browser after a cancelled authentication | N/A | No
paramsToForward | Comma separated string ("param1,param2,param3"). Which parameters in the original request should be forwarded with the SAMLRequest. Used for e.g. SAML Dispatch | N/A | No
useSessionManagement | Whether or not to return session_state | false | No
requestedAuthnContext | Value of RequestedAuthnContext (AuthnContextClassRef) in the AuthnRequest | N/A | No

Example Configuration

{
    "alias": "brokerToSAML",
    "name": "OIDCToSAMLBroker",
    "configuration": {
        "pipeIDAssertionConsume": "assertionPipeValidation",
        "sp": "dummy.ninja",
        "targetIDP": "example.org/saml/idp",
        "acsUrl": "http://localhost/oidc/authenticate/brokerToSAML",
        "entityID": "dummy.ninja"
    }
}
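As an added example (not code from the product or this page), the following script checks an OIDCToSAMLBroker block like the one above against the property table: it reports missing mandatory properties, fills in the documented defaults, flags keys the table does not list, and warns when request signing has been switched off. It assumes the authenticator is a JSON object with "alias", "name" and "configuration" as in the example, and that values are the plain strings shown in the table.

```python
# Added example: validate an OIDCToSAMLBroker configuration block against
# the property table on this page. Not part of the product's own code.
from __future__ import annotations
import json

# name -> (default value or None, mandatory), copied from the table above
PROPERTIES = {
    "sp": (None, True),
    "pipeIDAssertionConsume": (None, True),
    "targetIDP": (None, True),
    "binding": ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", False),
    "addsignature": ("true", False),
    "entityID": (None, True),
    "authMethod": ("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", False),
    "cancelUrl": (None, False),
    "paramsToForward": (None, False),
    "useSessionManagement": ("false", False),
    "requestedAuthnContext": (None, False),
}

def check_broker_config(authenticator: dict) -> tuple[dict, list[str]]:
    """Return (effective configuration with defaults applied, list of findings)."""
    findings: list[str] = []
    if authenticator.get("name") != "OIDCToSAMLBroker":
        findings.append("name is not OIDCToSAMLBroker")
    conf = dict(authenticator.get("configuration", {}))
    for key, (default, mandatory) in PROPERTIES.items():
        if key not in conf:
            if mandatory:
                findings.append(f"missing mandatory property: {key}")
            elif default is not None:
                conf[key] = default          # apply the documented default
    for key in conf:
        if key not in PROPERTIES:
            findings.append(f"property not listed in the table: {key}")
    if str(conf.get("addsignature")).lower() == "false":
        findings.append("addsignature=false: AuthnRequest to the IDP is unsigned")
    if conf.get("paramsToForward"):            # "param1,param2" -> list
        conf["paramsToForward"] = [p.strip() for p in conf["paramsToForward"].split(",") if p.strip()]
    return conf, findings

# Constructed sample: the example configuration from this page as JSON text.
EXAMPLE = json.loads("""{"alias": "brokerToSAML", "name": "OIDCToSAMLBroker",
 "configuration": {"pipeIDAssertionConsume": "assertionPipeValidation",
 "sp": "dummy.ninja", "targetIDP": "example.org/saml/idp",
 "acsUrl": "http://localhost/oidc/authenticate/brokerToSAML",
 "entityID": "dummy.ninja"}}""")

if __name__ == "__main__":
    effective, notes = check_broker_config(EXAMPLE)
    print(json.dumps(effective, indent=2)); print("\n".join(notes))
```

On the page's example this reports only that acsUrl is not in the table, and shows the HTTP-POST binding, signed requests and PasswordProtectedTransport taking effect as defaults.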

Requirements