AssertionProvider

Valve used to create a SAML assertion. This is applicable in scenarios where PhenixID Server acts as a SAML Identity Provider.

This valve requires the Current Item Set to contain one and only one item. This item is used to populate the assertion with values.

Properties

Each property is listed with whether it is mandatory and whether it supports property expansion.

targetEntityID (mandatory: Yes; supports property expansion: Yes)
  The entityID of the IdP issuing the assertion.

sourceID (mandatory: No; supports property expansion: Yes)
  The entityID of the SP the assertion is aimed for.

additionalAttributes (mandatory: No; supports property expansion: No)
  The item properties to be used as attribute(s) in the assertion. Comma-separated.

nameIDAttribute (mandatory: Yes; supports property expansion: No)
  The item property to be used as nameID in the assertion.

authMetod (mandatory: No; supports property expansion: Yes)
  Used to override the default value of the SAML AuthnContextClassRef.

misc (mandatory: No; supports property expansion: No)
  Additional properties to be set, supports property expansion:
  • excludeSubjectNotBefore: Include/exclude the subject NotBefore condition. Default: false
  • nameIdFormat: NameIDFormat to be used, as a full urn. Supports transient, persistent and unspecified. By specifying the transient format and an empty nameIDAttribute value, the system automatically generates a unique NameID value for each usage. Default: unspecified
  • signMessage: Sign the whole response? Default: true
  • signAssertion: Sign the assertion? Default: false
  • audienceRestriction: The audience restriction to be set in the assertion. Default: same value as sourceID
  • encryptassertion: Encrypt the assertion? Default: false

Example Configuration

{
    "name": "AssertionProvider",
    "config": {
        "targetEntityID": "PhenixID_IdP",
        "nameIDAttribute": "carLicense",
        "misc": [{
            "excludeSubjectNotBefore": "true",
            "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "signMessage": "false",
            "signAssertion": "true",
            "audienceRestriction": "urn:federation:MicrosoftOnline",
            "encryptassertion": "true"
        }],
        "sourceID": "urn:federation:MicrosoftOnline",
        "additionalAttributes": "IDPEmail"
    }
}

If nameIdFormat is set to urn:oasis:names:tc:SAML:2.0:nameid-format:transient, nameIDAttribute must be omitted so that the NameID value is auto-generated.
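As an added example (not part of the PhenixID documentation or product), the following Python checker resolves the documented defaults for an AssertionProvider valve config and flags the inconsistencies this page describes, plus the case where neither the response nor the assertion would be signed; it assumes the one-element list form of "misc" shown above and treats nameIDAttribute as required except for the transient format. The function and variable names are the example's own.

```python
# Documented defaults for the "misc" properties of the AssertionProvider valve.
MISC_DEFAULTS = {
    "excludeSubjectNotBefore": "false",
    "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
    "signMessage": "true",
    "signAssertion": "false",
    "audienceRestriction": None,  # documented default: same value as sourceID
    "encryptassertion": "false",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def _is_true(value):
    # The example configuration writes booleans as the strings "true"/"false".
    return str(value).strip().lower() == "true"

def effective_settings(valve):
    """Merge the valve's explicit config with the documented defaults."""
    cfg = valve.get("config", {})
    misc = cfg.get("misc", {})
    if isinstance(misc, list):  # the example wraps misc in a one-element list
        misc = misc[0] if misc else {}
    eff = dict(MISC_DEFAULTS, **misc)
    if eff["audienceRestriction"] is None:
        eff["audienceRestriction"] = cfg.get("sourceID")
    for key in ("targetEntityID", "sourceID", "nameIDAttribute"):
        eff[key] = cfg.get(key)
    return eff

def lint_assertion_provider(valve):
    """Return findings for a valve config; an empty list means no inconsistency found."""
    eff = effective_settings(valve)
    findings = []
    if not eff["targetEntityID"]:
        findings.append("targetEntityID is mandatory")
    transient = eff["nameIdFormat"] == TRANSIENT
    if transient and eff["nameIDAttribute"]:
        findings.append("transient nameIdFormat requires nameIDAttribute to be omitted")
    if not transient and not eff["nameIDAttribute"]:
        findings.append("nameIDAttribute is mandatory unless nameIdFormat is transient")
    if not _is_true(eff["signMessage"]) and not _is_true(eff["signAssertion"]):
        findings.append("neither the response nor the assertion is signed")
    if not eff["audienceRestriction"]:
        findings.append("audienceRestriction is empty and there is no sourceID to default to")
    return findings

# Constructed sample (not from the page): unsigned, transient NameID with an attribute set.
WEAK_VALVE = {"name": "AssertionProvider", "config": {
    "targetEntityID": "PhenixID_IdP", "nameIDAttribute": "carLicense",
    "misc": [{"signMessage": "false", "nameIdFormat": TRANSIENT}]}}
```

Running lint_assertion_provider on the example configuration above yields no findings, while WEAK_VALVE reports the transient/nameIDAttribute conflict, the missing signature and the missing audience.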

Requirements

The SAML module must be deployed.