SAML Identity Provider

Performing this scenario will produce a SAML IdP that can be used for user authentication. Be sure to have configured "Keystore" & "SAML meta upload" scenarios, as well as any "Authenticator" scenario prior to executing this scenario. 

Name & Description

Start by giving the scenario a friendly name and description. Then click Next.

Base URL

Then enter the base URL where your PAS instance is available. This is usually the same URL as you are currently at, in the configuration manager. It should not contain any path, meaning it should only contain "" and not "".

Internal IDP ID

Then you will enter the internal identification string for your SAML IdP. This will also be visible in your entityID, as well as external URLs such as your PostSSOURL and RedirectSSOURL. This string can be anything as long as it is unique within your configuration. Note that the SAML EntityID of your IdP will be <your-base-url>/authentication/saml/<your-internal-idp-id>.


Then select the keystore you want your Identity Provider to use. This is what will be used to sign assertions and so on. You can upload your keystore by going through the guide scenario "Keystore" right next to this one.


Here you select which authenticator you would like your SAML IdP to use. This will often be a Dispatcher or AuthSelector that can direct the authentication flow further, based on context parameters or user selection, but it can also be any other direct authenticator. You need to set up your authenticator prior to this via the guide scenarios in the "Authenticators" tab.

Attributes the AssertionProvider will use

The SAML IdP will create a pipe that contains a default AssertionProvider, one that will be executed only if no other AssertionProvider has been executed prior in the flow. For your User Identifier Attribute, you need to put an attribute that will be available in the pipe of your executed authenticator (or the IdP pipe itself). For example, if you select a Username & Password authentication, it should likely be an LDAP attribute like "uid" or "sAMAccountName". This is the attribute that the SAML IdentityProvider will add as NameID attribute in the SAML Assertion. 

For additional attributes, add other attributes that you would like the IdP to add to the attribute statement. These need to be available in the pipe of your executed authenticator (or the IdP pipe itself).

Default service provider

This step is optional, you do not need to select a default service provider. They are only relevant if you wish to allow unsolicited, or IdP initiated requests. That is when the IdP provides an Assertion for a Service Provider that did not explicitly request it via an AuthnRequest.

The result

After clicking "create", your SAML IdP will be created and an edit-page will be visible. There you can configure additional properties, such as strict request validations, if sso should be allowed, if unsolicited requests should be allowed, if SAMLResponse should be sent on error, and so on. You can click on "View SAML Metadata" to see your resulting IdP metadata. SAML AuthnRequests can now be sent to <your-base-url>/authentication/saml/<your-internal-idp-id>/login

You can also see the "execution flow" tab, which is where the pipe containing the AssertionProvider is located. There you can edit the AssertionProvider. To read more about how to configure the SAML Identity Provider, please read the solution document "SAML Identity Provider in PAS 5.1 and beyond".