SP Broker

This scenario creates an authenticator that acts as a SAML Service Provider and delegates authentication to a trusted SAML IdP. This IdP can be internal (hosted on the same PAS instance) or external.

Name and Description

Input the name and description of your authenticator scenario.


Here you enter an alias for your authenticator, which is a more user-friendly version of the authenticator's ID (a random, auto-generated UUID string).

Base URL

Then enter the base URL where your PAS instance is available. This is usually the same URL you are currently at in the configuration manager. It should not contain any path, meaning it should only contain "https://example.com" and not "https://example.com/this/is/my/path".

Internal SP ID

Then you will enter the internal identification string for your SAML SP. This will also be visible in your entityID. Note that the SAML EntityID of your SP will be <your-base-url>/samlsp/<your-internal-sp-id>.


Then select the keystore you want your Service Provider to use. It will be used to sign requests, decrypt assertions and so on. You can upload your keystore by going through the guide scenario "Federation -- Keystore" or just select "Create new" in this guide.

Target IDP

Here you select which IdP you would like to send the authentication request to. For an IdP to show up on this list, you must first upload its metadata in the guide "Federation -- SAML Metadata upload" or configure a SAML IdP yourself via the guide "Federation -- SAML Identity Provider".

Assertion Consumer Service URLs

As a SAML SP we need to define which URLs will be accepted as assertion consumer services for our target IdP to send back requests to. This means we need to define all possible uses of this authenticator. If you wish to use this authenticator for multiple purposes, you can edit this field later on and re-upload your metadata to the IdP.

For example, if you want to use your SP Broker to provide authentication for the internal SAML IdP "my_saml_idp_id", the internal OIDC OP "my_oidc_op_id" and the internal self-service application, the assertion consumer service URLs would be as seen in the image.
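The following check is an added example, not part of the product or its documentation. It verifies that exported SP metadata matches the values entered in this guide: the entityID follows the <your-base-url>/samlsp/<your-internal-sp-id> rule, the base URL has no path, and the ACS URLs are exactly the ones you intend to register. It assumes the metadata follows the standard SAML 2.0 metadata schema; the function names and the sample host, SP ID and ACS paths are hypothetical placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

def expected_entity_id(base_url, sp_id):
    """Build <base-url>/samlsp/<internal-sp-id>; reject a base URL with a path."""
    u = urlsplit(base_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError("base URL must be an absolute https URL")
    if u.path not in ("", "/") or u.query or u.fragment:
        raise ValueError("base URL must not contain a path, query or fragment")
    return f"https://{u.netloc}/samlsp/{sp_id}"

def check_sp_metadata(xml_text, base_url, sp_id, allowed_acs):
    """Return a list of problems found in SP metadata (empty list = consistent)."""
    problems = []
    root = ET.fromstring(xml_text)
    want = expected_entity_id(base_url, sp_id)
    if root.get("entityID") != want:
        problems.append(f"entityID {root.get('entityID')!r} != {want!r}")
    found = [e.get("Location") for e in root.iter(MD + "AssertionConsumerService")]
    for loc in found:
        if loc not in allowed_acs:  # exact string match, never prefix matching
            problems.append(f"unexpected ACS URL: {loc}")
    for loc in allowed_acs:
        if loc not in found:
            problems.append(f"missing ACS URL: {loc}")
    return problems

# Constructed sample metadata; host, SP ID and ACS paths are placeholders.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.com/samlsp/my_sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/placeholder/acs-one"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/placeholder/acs-two"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    allowed = ["https://example.com/placeholder/acs-one"]
    for p in check_sp_metadata(SAMPLE, "https://example.com", "my_sp", allowed):
        print(p)
```

Running it before re-uploading metadata to the IdP catches an ACS URL that was added or dropped by mistake, since the IdP will only deliver assertions to the endpoints listed there.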

The result

Upon finishing the guide scenario, you will be met with an edit page where you can adjust additional settings. You can also see the "execution flow" tab where you can adjust the pipes and valves created in the scenario.

You can also see the "authenticator" tab and the "service provider" tab, which offer additional configuration parameters.