Used to provide Authentication for independent signing services. Parses SAMLRequests containing SignMessage and provides a user-facing message showing them the message they are asked to sign, before dispatching the request to another authenticator for the actual authentication.

The endpoint can be used for regular authentication as well. Requests not containing a SignMessage will be dispatched to the nextAuthenticator in the configuration. Signing requests require the user to be authenticated prior to the signing request. If a user is signed in using a PrincipalSelection, the subsequent signing request cannot contain a different PrincipalSelection.


Name Description Default value Mandatory
nextAuthenticator The authenticator to dispatch the request to. N/A Yes
keystoreId Keystore ID of the IDP used. N/A Yes
idpID The internal identifier of the idp used. N/A Yes
strictValidation Whether or not additional validation checks should be made on the SAMLRequest. false No

Example Configuration

    "alias": "samlauthforsigning",
    "name": "SAMLAuthForSigning",
    "configuration": {
        "nextAuthenticator": "myupwauthenticatoralias",
        "keystoreId": "myKeystoreId",
        "idpID": "myIdpID"


Another SAML Authenticator configured.