SPBroker

This authenticator delegates authentication to a trusted (internal or external) SAML IdP. It authenticates the user by sending a SAML AuthnRequest to that IdP and then validating the assertion returned.

Properties

Name | Description | Default value | Mandatory
sp | The internal ID of the Service Provider. This value maps to a configured SAML Service Provider. | N/A | Yes
targetIDP | ID of the SAMLMETA IdP entity in the store to use for authentication. This is the external IdP. | N/A | Yes
addsignature | Sign the authentication request (true/false). | true | No
pipeID | ID of the pipe used when consuming an incoming assertion. | N/A | Yes
discoveryUrl | If using IdP discovery, this should point to the location of the discovery service. | N/A | No
cancelUrl | Where to redirect the browser after a cancelled authentication. | N/A | No
requestedAuthnContext | Value of RequestedAuthnContext (AuthnContextClassRef) in the AuthnRequest. (EXPANDABLE) | N/A | No
setAcsIndexBasedOnRequestIssuer | Whether the AttributeConsumingServiceIndex should be set according to the issuer mapping in the SP configuration. | false | No
acsUrlOverride | The ACS URL to use. By default the ACS URL is the current URL (it differs depending on which protocol entry point or SAML IdP is used); this option overrides it. | N/A | No
signMessage | A SignMessage to include in the AuthnRequest. (EXPANDABLE) | N/A | No
principalSelection | PrincipalSelection to include in the authentication request. (EXPANDABLE) | N/A | No

Example Configuration

{
    "id": "spbroker",
    "alias": "spbroker",
    "name": "SPBroker",
    "displayName": "Broker",
    "configuration": {
        "sp": "spbroker",
        "pipeID": "pipeAssertionConsumer",
        "targetIDP": "https://external_idp/idp",
        "addsignature": "false",
        "requestedAuthnContext" : "{{session.userSource}}",
        "principalSelection" : [ {
            "name" : "uid",
            "value" : "{{session.user_id}}"
        } ]
    }
}

Example Service Provider configuration

{
    "id" : "spbroker",
    "name" : "SAML Service provider",
    "keystoreSign" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
    "keystoreEncrypt" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
    "entityID" : "https://localhost:8443/samlsp/spbroker",
    "baseURL" : "https://localhost:8443",
    "wantsAuthnRequestsSigned" : "true",
    "assertionConsumerServiceUrls" : [ "https://localhost:8443/authentication/oidc/my_oidc_op_id_2/login", "https://localhost:8443/authentication/saml/mysamlidp2dec7/login" ],
    "attributeConsumingServices" : [ {
      "index" : "0",
      "default" : "true",
      "issuers" : [ "SPEntityId1", "SPEntityId2" ],
      "serviceNames" : [ {
        "name" : "TestSP utan HSA-uppslag",
        "lang" : "sv"
      } ],
      "requestedAttributes" : [ {
        "name" : "urn:sambi:names:attribute:levelOfAssurance",
        "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "friendlyName" : "levelOfAssurance"
      } ]
    }, {
      "index" : "1",
      "default" : "false",
      "issuers" : [ "broker", "TestSPEntityId4" ],
      "serviceNames" : [ {
        "name" : "TestSP med HSA-uppslag",
        "lang" : "sv"
      }, {
        "name" : "TestSP with HSA-query",
        "lang" : "en"
      } ],
      "requestedAttributes" : [ {
        "name" : "urn:sambi:names:attribute:levelOfAssurance",
        "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "friendlyName" : "levelOfAssurance"
      }, {
        "name" : "http://sambi.se/attributes/1/givenName",
        "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "friendlyName" : "givenName",
        "isRequired" : "true"
      }, {
        "name" : "http://sambi.se/attributes/1/systemRole",
        "nameFormat" : "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "friendlyName" : "systemRole"
      } ]
    } ],
    "created" : "2023-12-08T10:01:52.316Z"
}
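As an added example (not part of this product's own code), the following Python lints an SPBroker authenticator configuration against the Service Provider configuration it references: it checks the mandatory properties from the table above, that "sp" resolves to the SP entity, that an "acsUrlOverride" is one of the SP's registered assertionConsumerServiceUrls, and it resolves the AttributeConsumingServiceIndex from a request issuer the way setAcsIndexBasedOnRequestIssuer is described (issuer mapping first, then the default service, which is an assumption). The sample configurations are constructed and trimmed from the examples on this page.

```python
from __future__ import annotations

# Constructed samples modelled on the two example configurations above.
AUTHENTICATOR = {
    "id": "spbroker",
    "configuration": {
        "sp": "spbroker",
        "pipeID": "pipeAssertionConsumer",
        "targetIDP": "https://external_idp/idp",
        "setAcsIndexBasedOnRequestIssuer": "true",
        "acsUrlOverride": "https://localhost:8443/authentication/saml/mysamlidp2dec7/login",
    },
}
SERVICE_PROVIDER = {
    "id": "spbroker",
    "assertionConsumerServiceUrls": [
        "https://localhost:8443/authentication/oidc/my_oidc_op_id_2/login",
        "https://localhost:8443/authentication/saml/mysamlidp2dec7/login",
    ],
    "attributeConsumingServices": [
        {"index": "0", "default": "true", "issuers": ["SPEntityId1", "SPEntityId2"]},
        {"index": "1", "default": "false", "issuers": ["broker", "TestSPEntityId4"]},
    ],
}

MANDATORY = ("sp", "targetIDP", "pipeID")  # the "Yes" rows of the properties table


def lint_spbroker(auth: dict, sp: dict) -> list[str]:
    """Return the configuration problems found (an empty list means the config passes)."""
    cfg = auth.get("configuration", {})
    problems = [f"missing mandatory property '{k}'" for k in MANDATORY if not cfg.get(k)]
    if cfg.get("sp") != sp.get("id"):
        problems.append(f"sp '{cfg.get('sp')}' does not match the SP config id '{sp.get('id')}'")
    # An overridden ACS URL that the SP has not registered sends assertions to an unexpected endpoint.
    acs = cfg.get("acsUrlOverride")
    registered = [u.strip() for u in sp.get("assertionConsumerServiceUrls", [])]
    if acs and acs not in registered:
        problems.append(f"acsUrlOverride '{acs}' is not a registered assertionConsumerServiceUrl")
    return problems


def resolve_acs_index(sp: dict, issuer: str) -> str | None:
    """Pick the AttributeConsumingServiceIndex for a request issuer via the SP's issuer mapping;
    falling back to the service marked default is an assumption, not documented behaviour."""
    services = sp.get("attributeConsumingServices", [])
    for svc in services:
        if issuer in svc.get("issuers", []):
            return svc["index"]
    return next((svc["index"] for svc in services if svc.get("default") == "true"), None)
```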

Requirements

A SAML Service Provider entity defined under Advanced->SAML Service Provider.