Valve used to create a SAML assertion. This is applicable in scenarios where PhenixID Server acts as a SAML Identity Provider.

This valve requires the Current Item Set to contain one and only one item. This item is used to populate the assertion with values.

Important if using SAMLAuthForSigning:  If the user sees the SignMessage and proceeds to authenticate, the AssertionProvider used in the pipe will automatically add the attribute "urn:oid:1.2.752.201.3.14" (signMessageDigest) to the Assertion.


Name Description Default value Mandatory Supports property expansion
targetEntityID The entityID of the IdP issuing the assertion. Yes Yes
sourceID The entityID of the SP the assertion is aimed for. No Yes
additionalAttributes The item properties to be used as attribute(s) in the assertion. Comma-separated. No No
enableScopedAttributes Whether traditionally scoped attributes should have scope added to them. false No No
scope The scope the Assertion is for. Used for scoped attributes that should be added to the assertion. Must be one of the declared scopes for the SAML IdP. No No
nameIDAttribute The item property to be used as nameID in the assertion. Yes No
authMetod Use to override default value in the SAML AuthnContextClassRef No Yes
comparePrincipal Whether or not to validate the PrincipalSelection matchValues from the AuthnRequest against the additionalAttributes or nameIDAttribute false No No
hokCertificate The certificate to use in SubjectConfirmation for the holder-of-key binding. The end user needs to prove that they posess the private key for this certificate for the authentication to work. No Yes
misc Additional properties to be set, supports property expansion:
  • excludeSubjectNotBefore -> Include/exclude subject not before. Default: false
  • nameIdFormat NameIDFormat to be used. Full urn format. Supports transient, persistent, unspecified. By specificing transient format and an empty NameIDAttribute value, the system will automatically generate a unique NameID value for each usage. Default: unspecified
  • signMessage Sign whole response? Default: true
  • signAssertion Sign assertion? Default: false
  • audienceRestriction The audience restriction to be set in the assertion. Default: same value as sourceID
  • encryptassertion Encrypt assertion? Default: false
No No

Example Configuration

    "name": "AssertionProvider",
    "config": {
        "targetEntityID": "PhenixID_IdP",
        "nameIDAttribute": "carLicense",
        "misc": [{
              "excludeSubjectNotBefore": "true",
              "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
              "signMessage": "false",
              "signAssertion": "true",
              "audienceRestriction": "urn:federation:MicrosoftOnline",
              "encryptassertion" : "true"
         "sourceID": "urn:federation:MicrosoftOnline",
         "additionalAttributes": "IDPEmail"

If setting nameIdFormat to urn:oasis:names:tc:SAML:2.0:nameid-format:transient nameIDAttribute must be omitted in order for auto generated nameid value.


SAML module is deployed.