Authentication Hub Operating as an Identity Provider

In this scenario, the Authentication Hub provides authentication services to a Service Provider (SP), which could be another application or a service.
The interaction between the Authentication Hub, functioning as an Identity Provider (IDP), and the Service Provider (SP) typically involves the following steps for user authentication:
  1. The SP relies on the Authentication Hub to authenticate its users.
  2. Users attempting to access the SP are redirected to the Authentication Hub for authentication. 
  3. After successful authentication, the Authentication Hub sends an assertion or token back to the SP. 
  4. The SP trusts this assertion and grants the user access to the SP's resource.
To accomplish the above steps, configurations need to be implemented on both ends, both at the Authentication Hub (IDP) and the Service Provider's (SP) end. These configurations enable the connection between the two parties and initiate the federated authentication flow.
To extend authentication services to an external service provider, create an application within Authentication Hub through the Admin Console or Authentication Hub APIs. This involves configuring the necessary details obtained from the Service Provider's metadata to set up the application within Authentication Hub.
OIDC Flow: Authentication Hub Operating as an Identity Provider
In the following steps, Authentication Hub is operating as an Identity Provider. Follow these steps to configure an external Service Provider in Authentication Hub:
  1. Download the Service Provider's metadata.
    The service provider creates an IDP at their end. Once the Service Provider creates the IDP with the details from Authentication Hub and saves it, this information in the form of metadata is downloadable by Authentication Hub from the Service Provider's site.
    The following is a sample of IDP metadata that can be downloaded from a service provider (the certificate value is omitted here):
    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://de-template-may-7-15-dev-ed.my.salesforce.com" validUntil="2033-10-14T09:07:20.522Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpPost"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpRedirect"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  2. Create an OIDC application in Authentication Hub for the service provider.
    Use the following Application API to create a new application in Authentication Hub:
    https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps
    Creating Application Using OIDC Protocol:
    The following example shows the request payload of the ".../admin/v1/Apps" API using the OIDC protocol. In addition to the obligatory attributes displayed in the sample, there are several optional attributes that can be included in the payload by performing a PATCH call.
    {
      "status": "active",
      "name": "democlient",
      "description": "Demo client to perform tenant level operations for demo purpose.",
      "clientType": "TRUSTED",
      "allowedOpenIDScopes": ["address", "phone", "openid", "profile", "groups", "email"],
      "redirectURIs": ["https://www.example.com"],
      "allowedGrantTypes": [
        "refresh_token",
        "implicit",
        "client_credentials",
        "authorization_code",
        "urn:ietf:params:oauth:grant-type:jwt-bearer"
      ],
      "flowURL": null,
      "deviceCodeFlowURL": null,
      "userInfoEndpointResponseFormat": "PLAIN_JSON",
      "skipIssuerAudienceForIT": false,
      "skipEmailForIT": false,
      "zeroFootPrint": false,
      "softMFAEnabled": false,
      "userTokenSubAttributeMappingName": null,
      "supportedJoseHeaderParams": null,
      "claims": [
        { "name": "_title", "target": "at,it", "value": "${idProfile.title}" },
        { "name": "_idp_name", "target": "at,it", "value": "${idToken.idp_name}" },
        { "name": "_env", "target": "at,it", "value": "${appMetadata.env}" },
        { "name": "_acct_num", "target": "at,it", "value": "12345" },
        { "name": "_transactionIdentifier", "target": "at,it", "value": "${clientContext.transactionIdentifier}" }
      ],
      "allowedOperations": ["itgroups", "atgroups", "introspect"],
      "secondaryAudiences": ["env=blue", "https://consumer.com/myapi"],
      "assertionVerificationCertAlias": null,
      "appIcon": null,
      "secret": "b62989d7-b992-4a77-88c8-5f6595eeedf3",
      "clientId": "b72ca551-59ec-4e07-ac5b-d09f19c663a8",
      "itEncryptionTarget": "NONE",
      "itEncryptionCertAlias": null,
      "userInfoEncryptionCertAlias": null
    }
    For more information on how to create an app and to know about the description of the attributes in Authentication Hub, see Managing Application.

Example: Integrating an OIDC Service Provider with Authentication Hub

In the following scenario, Authentication Hub operates as an Identity Provider, and Salesforce functions as the Service Provider. Configurations must be applied on both ends to establish the connection between the two parties and initiate the federated authentication flow. Therefore, the integration setup on both sides is described in the following steps.
Prerequisites: Ensure that you have met the following prerequisites before progressing with the SalesForce integration.
  • A public IP machine or a cloud provider with a provisioned Kubernetes cluster and VIP Authentication Hub deployed on it.
  • An active SalesForce account to perform the integration.
  • The standard OpenID Connect claims are mapped in the VIP Authentication Hub LDAPconfig using attributeMapping. Use the latest Postman collection for creating the LDAPconfig. Also note that the user used for the SalesForce use case must have values for all the attributes in the LDAP ID Store as per the mappings in the Authentication Hub ldapconfig.
  • Use a CA-signed certificate to enable SSL on the ingress controller. This implies that all VIP Authentication Hub https URLs must use proper CA-signed certificates. This is important because the https://ssp_host/default/oauth2/v1/token endpoint is called from the SalesForce backend server, which must be able to trust the certificate chain.
  • When using the OpenID Connect protocol to integrate with VIP Authentication Hub, ensure that your app has redirectURI, allowedOpenIDScopes, allowedGrantTypes, and allowedOperations configured. See API Security Using OAuth2 for more information.
The following example is indicative of SalesForce as a Service Provider in Authentication Hub.
The steps outlined in this section detail the procedure of configuring SalesForce as an external service provider in Authentication Hub.
Perform the following steps:
  1. Download the Service Provider's metadata. This step is already covered above on this page; see the "Download the Service Provider's metadata" step.
  2. Create an application to register SalesForce in VIP Authentication Hub using the following API:
    https://<ssp_host>/default/admin/v1/Apps
    Ensure that the request payload has the following attributes configured:
    • "userInfoEndpointResponseFormat": "PLAIN_JSON"
    • "skipIssuerAudienceForIT": true
    The examples in this section describe the creation of an application using the OIDC protocol.
    Sample of an OIDC application
    Request Payload: The following example shows the request payload used when creating a SalesForce application in Authentication Hub using the OIDC protocol.
    {
      "status": "active",
      "name": "salesforce-app",
      "description": "Application for Salesforce integration",
      "clientType": "CONFIDENTIAL",
      "allowedOpenIDScopes": ["openid", "profile", "email"],
      "redirectURIs": ["https://www.example.com"],
      "allowedGrantTypes": ["authorization_code"],
      "userInfoEndpointResponseFormat": "PLAIN_JSON",
      "skipIssuerAudienceForIT": true
    }
    Response Payload: The following example shows the response for the SalesForce application created in Authentication Hub using the OIDC protocol.
    {
      "status": "active",
      "name": "salesforce-app",
      "description": "Application for Salesforce integration",
      "clientType": "CONFIDENTIAL",
      "allowedOpenIDScopes": ["openid", "profile", "email"],
      "redirectURIs": ["https://www.example.com"],
      "allowedGrantTypes": ["authorization_code"],
      "userInfoEndpointResponseFormat": "PLAIN_JSON",
      "skipIssuerAudienceForIT": true,
      "appId": "06c3cd12-20d2-4c89-8cc8-df429e3945e4",
      "createdBy": {
        "principalType": "CLIENT",
        "principalId": "006eddf2-ea8d-46b6-8c9b-2c355bf81aa2",
        "principalName": "defaulttenantclient"
      },
      "createdDateTime": "2020-06-23 04:28 AM UTC",
      "secret": "c380f534-144d-44ac-b9e2-47a1dcfac5e1",
      "clientId": "5770ce5b-7252-4b9b-a7bd-da624c891fca"
    }
    For the OIDC application:
    • Make a note of the clientId and secret attributes, as these will be used to fill in the Consumer Key and Consumer Secret in the next section.
    • At this stage, you do not have a SalesForce callback URL. You need to update the redirect URI once SalesForce establishes an Auth Provider.
Configuration at SalesForce
After creating the application in Authentication Hub, perform the following configurations at SalesForce:
  1. Log into the SalesForce site.
  2. Navigate to Setup > Security Controls > Auth. Providers.
  3. Click New to add the VIP Authentication Hub OIDC client information and endpoints.
  4. Configure the Consumer Key and the Consumer Secret.
    Add the value of clientId in Consumer Key and the value of secret in Consumer Secret, as obtained from Authentication Hub. See the step above where you noted the clientId and secret.
  5. Configure the following VIP Authentication Hub OIDC endpoints. Replace <ssp_host> with the appropriate hostname.
    1. Authorize Endpoint URL: https://<ssp_host>/default/oauth2/v1/authorize
    2. Token Endpoint URL: https://<ssp_host>/default/oauth2/v1/token
    3. UserInfo Endpoint URL: https://<ssp_host>/default/oauth2/v1/userinfo
    4. (OPTIONAL) Token Issuer: https://<ssp_host>/default/
  6. Set the Default Scopes to openid profile email.
  7. Click the Auto Generate Registration handler link in the Registration Handler field.
    This is required for SalesForce to generate the SSO initialization URL.
  8. In the Run as User field, select Search and then select the logged-in user.
  9. Save the configuration.
    The following URLs are generated at this point:
    • Test-Only Initialization URL
    • Single Sign-On Initialization URL
    • Existing User Linking URL
    • Oauth-Only Initialization URL
    • Callback URL
  10. Copy the Callback, Existing User Linking, and Single Sign-On URLs.
  11. The next step is to perform the SalesForce configuration at Authentication Hub. See the Updating the Client Config at VIP Authentication Hub section.
Updating the Client Config at VIP Authentication Hub
At this stage, you have obtained the SalesForce callback URL.
  1. Perform a PUT call to update the SalesForce application with the callback URL by using the following endpoint:
    https://{{sspHost}}/{{tenantName}}/admin/v1/Apps/{{clientAppId}}
    Example of a PUT call to update the SalesForce callback URL:
    {
      "status": "active",
      "name": "salesforce-app",
      "description": "Application for Salesforce integration",
      "clientType": "CONFIDENTIAL",
      "allowedOpenIDScopes": ["openid", "profile", "email"],
      "redirectURIs": [
        "https://www.example.com",
        "https://<salesforce callback URL>"
      ],
      "allowedGrantTypes": ["authorization_code"],
      "userInfoEndpointResponseFormat": "PLAIN_JSON",
      "skipIssuerAudienceForIT": true
    }
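As an added example (not Authentication Hub's or SalesForce's own code), the following Python checks the application JSON from the sections above against the attributes this page requires for the SalesForce app and builds the PUT body that appends the callback URL to redirectURIs. The SalesForce callback URL it uses is a constructed placeholder.

```python
"""Pre-flight check and PUT body for the SalesForce OIDC application.
Added example, not Authentication Hub's own code. It works on the
application JSON shown on this page; the SalesForce callback URL is a
constructed placeholder, not a real tenant value."""
import copy
from urllib.parse import urlsplit

# Attributes this page says the SalesForce app payload must carry.
REQUIRED_SETTINGS = {"userInfoEndpointResponseFormat": "PLAIN_JSON",
                     "skipIssuerAudienceForIT": True}
# The Default Scopes configured at SalesForce: openid profile email.
REQUIRED_SCOPES = {"openid", "profile", "email"}
# Keys the PUT body on this page resubmits; server-assigned fields such as
# appId, clientId and secret are not part of it.
PUT_FIELDS = ("status", "name", "description", "clientType",
              "allowedOpenIDScopes", "redirectURIs", "allowedGrantTypes",
              "userInfoEndpointResponseFormat", "skipIssuerAudienceForIT")

# The response payload from this page, taken as the current app state.
SAMPLE_APP = {
    "status": "active",
    "name": "salesforce-app",
    "description": "Application for Salesforce integration",
    "clientType": "CONFIDENTIAL",
    "allowedOpenIDScopes": ["openid", "profile", "email"],
    "redirectURIs": ["https://www.example.com"],
    "allowedGrantTypes": ["authorization_code"],
    "userInfoEndpointResponseFormat": "PLAIN_JSON",
    "skipIssuerAudienceForIT": True,
    "appId": "06c3cd12-20d2-4c89-8cc8-df429e3945e4",
    "clientId": "5770ce5b-7252-4b9b-a7bd-da624c891fca",
    "secret": "c380f534-144d-44ac-b9e2-47a1dcfac5e1",
}
# Constructed placeholder for the Callback URL that SalesForce generates.
SALESFORCE_CALLBACK = "https://login.salesforce.example/services/authcallback/AuthHub"


def redirect_uri_findings(uri):
    """Redirect URIs are matched exactly by the IDP, so anything that is not
    an absolute https URL, or carries a wildcard or fragment, is a finding."""
    parts = urlsplit(uri)
    findings = []
    if parts.scheme != "https":
        findings.append("redirect URI %r is not https" % uri)
    if not parts.netloc:
        findings.append("redirect URI %r has no host" % uri)
    if "*" in uri:
        findings.append("redirect URI %r contains a wildcard" % uri)
    if parts.fragment:
        findings.append("redirect URI %r contains a fragment" % uri)
    return findings


def check_salesforce_app(app):
    """Return a list of findings; empty means the app matches what this page
    requires for the SalesForce integration."""
    findings = []
    for key, expected in REQUIRED_SETTINGS.items():
        if app.get(key) != expected:
            findings.append("%s must be %r, got %r" % (key, expected, app.get(key)))
    if app.get("clientType") != "CONFIDENTIAL":
        findings.append("clientType should be CONFIDENTIAL for a server-side SP")
    missing = REQUIRED_SCOPES - set(app.get("allowedOpenIDScopes", []))
    if missing:
        findings.append("allowedOpenIDScopes lacks %s" % sorted(missing))
    if "authorization_code" not in app.get("allowedGrantTypes", []):
        findings.append("allowedGrantTypes must include authorization_code")
    for uri in app.get("redirectURIs", []):
        findings.extend(redirect_uri_findings(uri))
    return findings


def build_put_body(app, callback_url):
    """Build the body for PUT .../admin/v1/Apps/{appId}: the current
    configuration with the SalesForce callback URL added to redirectURIs."""
    problems = redirect_uri_findings(callback_url)
    if problems:
        raise ValueError("; ".join(problems))
    body = {k: copy.deepcopy(app[k]) for k in PUT_FIELDS if k in app}
    uris = list(body.get("redirectURIs", []))
    if callback_url not in uris:  # idempotent: re-running adds nothing
        uris.append(callback_url)
    body["redirectURIs"] = uris
    return body
```

Run check_salesforce_app on the GET/response JSON before the PUT; any finding means the SalesForce login would fail or the app is wider than it needs to be.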
Linking Accounts
In this step, you link the VIP Authentication Hub User Id with the SalesForce account.
  1. Open the Existing User Linking URL in a browser. This URL is provided to you when you save the Auth. Providers configuration at SalesForce.
    You are redirected to the VIP Authentication Hub Auth UI for authentication.
  2. After a successful authentication, the SalesForce login page is displayed.
  3. Log in with the SalesForce user details.
    You may be prompted to authenticate with OTP before proceeding with Link Accounts. If you are prompted, authenticate with OTP.
  4. Once you have authenticated successfully, click Link Accounts.
    You are redirected to the SalesForce site.
  5. Navigate to Setup > Manage Users > Users and then click the logged-in user link.
  6. Navigate to the Third-Party Account.
    This displays the VIP Authentication Hub user id as one of the linked accounts along with the Auth Provider Name.
Logging into SalesForce Using a VIP Authentication Hub Account
  1. Once your account linking is successful, open the Single Sign-On URL and the SalesForce Auth. Provider URL in a browser.
    You are redirected to the VIP Authentication Hub Auth UI login page.
  2. Once you have authenticated successfully, you are redirected to the secure site.

Example: Integrating a SAML Service Provider with Authentication Hub

SAML Flow: Authentication Hub Operating as an Identity Provider
In the following steps, Authentication Hub operates as a SAML Identity Provider, with SalesForce assumed to be the Service Provider.
Follow these steps:
  1. Register Authentication Hub as an Identity Provider with the Service Provider.
    1. Log into the SalesForce site.
    2. Navigate to Setup > Security Controls > Single Sign-On Settings.
    3. Click "New From Metadata" file to add the VIP Authentication Hub SAML information.
    4. Select the metadata file from your system and click Create.
    5. Configure the following VIP Authentication Hub SAML attributes:
      1. Name
      2. Issuer
      3. Identity Provider Certificate
      4. SAML Identity Type: set to the default, "Assertion contains the User's Salesforce username"
      5. SAML Identity Location: set to the default, "Identity is in the NameIdentifier element of the Subject statement"
      6. Service Provider Initiated Request Binding: set to the default, HTTP Redirect
      7. Identity Provider Login URL
    6. Save the configuration.
      The following URLs are generated at this point:
      • Login URL
      • Logout URL
  2. Download the Service Provider's metadata.
    The following is a sample of IDP metadata that can be downloaded from a service provider:
    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://de-template-may-7-15-dev-ed.my.salesforce.com" validUntil="2033-10-14T09:07:20.522Z" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>MIIEhDCCA2ygAwIBAgIOAYs83+C3AAAAAFVR+ucwDQYJKoZIhvcNAQELBQAwgYMxGzAZBgNVBAMMElNTUF9DZXJ0X09jdDE3MjAyMzEYMBYGA1UECwwPMDBENWcwMDAwMEw4Wjd6MRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTAeFw0yMzEwMTcwOTAzMDZaFw0yNDEwMTcwMDAwMDBaMIGDMRswGQYDVQQDDBJTU1BfQ2VydF9PY3QxNzIwMjMxGDAWBgNVBAsMDzAwRDVnMDAwMDBMOFo3ejEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCE1sHpjoiZ3d1YGn6PriYCcNH310OkyqKn0fJm6wtzXkKiI6AhoC///2RUJZzbhfre3YvYaU/6o3W6BnOM21YXbYHdpKpX5zuo360fr+cP/vc5HWb5d3zP2cFNCcbrD4cy8tXOQaehAAg2bVUT5pFgm9IE+hLSfJLLqz2Q8miTSKGgPLa2tu+D8KCYcv2uRMt8OpCf2BzZ66xlit0y9c4aGD6XbHuu4iCNUCtVP8V7a5xz5c1zk3OXXg7YHqzp3VjfG9Mcy9WjQcW/bupOsJECVyAo/5rZSLcM12+hJks7y7ieHkelEgNrLysDnIotKh0mN4TWOBzmkn/uNZunxv7PAgMBAAGjgfMwgfAwHQYDVR0OBBYEFGoiSOhQET3675k7AVRI/mHuD9K7MA8GA1UdEwEB/wQFMAMBAf8wgb0GA1UdIwSBtTCBsoAUaiJI6FARPfrvmTsBVEj+Ye4P0ruhgYmkgYYwgYMxGzAZBgNVBAMMElNTUF9DZXJ0X09jdDE3MjAyMzEYMBYGA1UECwwPMDBENWcwMDAwMEw4Wjd6MRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQYIOAYs83+C3AAAAAFVR+ucwDQYJKoZIhvcNAQELBQADggEBAB0YEyKx8KEwgqFYp9OumcvPLe+GjIscQDwAYlPtkWXOvLuLvzFtLoVik3e/Et8R6kqjjbYmAFsNaCHbJQZ+1+SQJD9qtWIl4Od5y1Fie/b0aWGed0vjEVwelGoSI4SM1T6L0fVnQuhidL+gicc8m56a4pU+/7yA3vxW31KBIuVa3nwbFrOdgsWQrJENnIfY3M0CPtHfhXcvRvxV6CC878UrNZROsmm9XkMluHdd/PuTlP5vHCMbY/M6t0vr6fBgQ2A3tUWRbYY3uV/81o5u6s6LnPwUb2fJ0QMbYGMO+gnIopkyLJzVLSy081azhXxSy6Cy2NpJ/WQsNOuSBMDaxHo=</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpPost"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpRedirect"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
  3. Register a SAML application on behalf of the service provider in Authentication Hub. For more information on how to create an app in Authentication Hub, see Managing Application. Configure the application using the information provided in the Service Provider's metadata that you have downloaded in the previous step.
    1. Use the following endpoint to register an application in Authentication Hub:
      POST https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps
    2. The following table describes the SAML attributes that need to be configured in the application to register it as a SAML service provider:
      samlEntityId
        This attribute corresponds to the entityID provided by the Service Provider.
        • In the Service Provider Initiated flow, the "samlEntityId" should match the Issuer in the authentication request.
        • In the IDP Initiated flow, if the entityId is provided in the request parameter, it should match the configured "samlEntityId" to point to the configured application.
      samlAcsUrl
        This is the "AssertionConsumerService" URL obtained from the service provider, to which the SAML response is sent.
      samlEnableSingleLogout
        This attribute indicates that if a user logs out of Authentication Hub, they are also logged out of the Service Provider.
      samlNameIdFormat
        This is the "NameID" format that is supported for the Subject. Supported formats are: emailAddress, unspecified, X509SubjectName.
      samlVerifyRequestSignature
        This attribute indicates whether the signature of the received SAML Authentication request should be verified.
      samlVerifyCertAlias
        If "samlVerifyRequestSignature"="true", this attribute is mandatory and refers to the alias of the certificate used for verification. The certificate can be imported in either of two ways:
        • Imported automatically from the Service Provider (SP) metadata, if the SP metadata XML is available.
        • Imported manually using the ".../admin/v1/Certs" API.
      samlEncryptSamlResponse
        This is a boolean attribute that indicates whether the SAML Response sent by Authentication Hub should be encrypted.
      samlEncryptCertAlias
        If "samlEncryptSamlResponse"="true", this attribute is mandatory and refers to the alias of the certificate to use. The certificate can be imported in either of two ways:
        • Imported automatically from the Service Provider (SP) metadata, if the SP metadata XML is available.
        • Imported manually using the ".../admin/v1/Certs" API.
      samlIdpInitiatedRelaystateMapping
        This attribute defines the mapping between the relayState provided during the IDP Initiated flow and the actual relative URL of the app where the flow ends. For example:
        "samlIdpInitiatedRelaystateMapping": { "PORTAL": "test/Users/home" }
      samlAssertionClaims
        The "samlAssertionClaims" attribute lets you configure custom SAML claims for an application. VIP Authentication Hub includes these custom SAML claims in the Identity and/or Access tokens on behalf of this application as a Relying Party.
        Syntax:
        "samlAssertionClaims": [ { "name": "<claim-name>", "value": "${<namespace>.<property>}" } ]
        • name: Specifies the name of the custom SAML claim to be included in the token.
        • value: Specifies the SAML claim value. This can contain dynamic environment variables, which are substituted with their corresponding values when this attribute is used. See Dynamic Environment Variable Substitution.
        Example:
        "samlAssertionClaims": [
          { "name": "_branchname", "value": "${idProfile.branch}" },
          { "name": "_region", "value": "${appMetadata.region}" },
          { "name": "_accountnumber", "value": "${idToken.accountnumber}" },
          { "name": "_transactionIdentifier", "value": "${clientContext.transactionIdentifier}" }
        ]
        For more information, see Custom Token Claims.
      samlUserTokenSubAttributeMappingName
        This is the name of the logical ID store attribute whose physical ID store attribute value is placed in the "sub" claim of the IT and AT issued to this application. This logical attribute must appear as one of the mappings in the "attributeMapping" property of the ID store config resource.
      samlSignatureWithKeyInfo
        This is a boolean attribute that indicates whether the SAML signature should include the KeyInfo.
      samlSignResponse
        This is a boolean attribute that indicates whether the SAML response sent by Authentication Hub should be signed.
      samlSignAssertion
        This is a boolean attribute that indicates whether the SAML Assertion sent by Authentication Hub as part of the SAML response should be signed.
      Sample SAML App API request:
      {
        "status": "active",
        "name": "SP-saml",
        "description": "Application for SP integration",
        "samlAssertionClaims": [
          { "name": "ctry", "value": "${idProfile.ctry}" },
          { "name": "fname", "value": "${idProfile.fname}" },
          { "name": "lname", "value": "${idProfile.lname}" }
        ],
        "samlUserTokenSubAttributeMappingName": "user_loginid",
        "samlEntityId": "https://www.sp.com",
        "samlAcsUrl": "https://www.sp.com/saml/acs",
        "samlEnableSingleLogout": false,
        "samlNameIdFormat": "unspecified",
        "samlVerifyRequestSignature": false,
        "samlVerifyCertAlias": null,
        "samlEncryptSamlResponse": false,
        "samlEncryptCertAlias": null,
        "samlIdpInitiatedRelaystateMapping": {}
      }
      Sample SAML App API response:
      {
        "status": "active",
        "name": "SP-saml",
        "description": "Application for SP integration",
        "clientType": "CONFIDENTIAL",
        "allowedOpenIDScopes": ["openid", "profile", "email"],
        "redirectURIs": ["www.example.com"],
        "allowedGrantTypes": ["implicit", "authorization_code"],
        "flowURL": null,
        "deviceCodeFlowURL": null,
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": true,
        "skipEmailForIT": false,
        "idpDiscoveryEnabled": null,
        "zeroFootPrint": false,
        "softMFAEnabled": false,
        "delegatedAuthentication": false,
        "autoPostToFlowURL": false,
        "userTokenSubAttributeMappingName": null,
        "supportedJoseHeaderParams": null,
        "claims": [],
        "allowedOperations": null,
        "secondaryAudiences": null,
        "assertionVerificationCertAlias": null,
        "appIcon": null,
        "secret": "388a1f0d-7dd1-45e9-915f-341346970ded",
        "clientId": "cac65437-3588-4b61-989b-45a56bdc18df",
        "itEncryptionTarget": "NONE",
        "itEncryptionCertAlias": null,
        "userInfoEncryptionCertAlias": null,
        "samlEntityId": "https://www.sp.com/saml2/service-provider/splylemeeypkgaksryyt",
        "samlAcsUrl": "https://sp.com/sso/saml2/0oadhf7dftXhv66I85d7",
        "samlEnableSingleLogout": false,
        "samlNameIdFormat": "unspecified",
        "samlVerifyRequestSignature": false,
        "samlVerifyCertAlias": null,
        "samlEncryptSamlResponse": false,
        "samlEncryptCertAlias": null,
        "samlSignResponse": false,
        "samlSignAssertion": true,
        "samlSignatureWithKeyInfo": true,
        "samlIdpInitiatedRelaystateMapping": { "PORTAL": "home" },
        "samlAssertionClaims": [],
        "samlUserTokenSubAttributeMappingName": null,
        "skewTimeSecs": 0,
        "passwordAuthoritativeSource": "remote",
        "mitmProtectionLevel": null,
        "idStoreToUse": null,
        "samlEffectiveIdpInitiatedUrlWithEntityId": "https://idp.com/default/saml/v1/idp/login?entityId=https://www.sp.com/saml2/service-provider/splylemeeypkgaksryyt",
        "samlEffectiveIdpInitiatedUrlWithAppId": "https://idp.com/default/saml/v1/idp/login?appId=eaeb66b0-30b5-4852-8dc6-e79664b2d7ac",
        "samlEffectiveSpAcsUrlWithEntityId": "https://idp.com/default/saml/v1/sp/acs?sp=https://www.okta.com/saml2/service-provider/splylemeeypkgaksryyt",
        "samlEffectiveSpAcsUrlWithAppId": "https://idp.com/default/saml/v1/sp/acs?sp=eaeb66b0-30b5-4852-8dc6-e79664b2d7ac",
        "samlEffectiveSpAcsUrlWithAppName": "https://idp.com/default/saml/v1/sp/acs?sp=sp-saml",
        "errorUrl": null,
        "appId": "eaeb66b0-30b5-4852-8dc6-e79664b2d7ac",
        "createdBy": {
          "principalType": "CLIENT",
          "principalId": "17784384-e37b-4c7a-8d09-3d8b1a7a72c7",
          "principalName": "DefaultTenantClient"
        },
        "createdDateTime": "2023-11-25 04:10 PM UTC",
        "updatedDateTime": "2023-11-25 04:10 PM UTC"
      }
      Where:
      • samlEffectiveIdpInitiatedUrlWithEntityId: This is the IDP initiated URL for the application (when Authentication Hub acts as the SAML IDP), using the configured SAML Entity Id of the application.
      • samlEffectiveIdpInitiatedUrlWithAppId: This is the IDP initiated URL for the application (when Authentication Hub acts as the SAML IDP), using the App Id of the application.
      • samlEffectiveSpAcsUrlWithEntityId: This is the AssertionConsumerService URL to be configured with the External IDP when the IDP Initiated flow is invoked by the External Identity Provider (when Authentication Hub acts as the Service Provider) and the underlying application is identified by the Entity Id.
      • samlEffectiveSpAcsUrlWithAppId: This is the AssertionConsumerService URL to be configured with the External IDP when the IDP Initiated flow is invoked by the External Identity Provider (when Authentication Hub acts as the Service Provider) and the underlying application is identified by the App Id.
      • samlEffectiveSpAcsUrlWithAppName: This is the AssertionConsumerService URL to be configured with the External IDP when the IDP Initiated flow is invoked by the External Identity Provider (when Authentication Hub acts as the Service Provider) and the underlying application is identified by the App Name.
    3. After creating an application in Authentication Hub on behalf of the Service Provider, the Authentication Hub's IDP metadata can be downloaded using the following endpoint:
      POST https://SSP_HOSTNAME/default/saml/v1/metadata
      If the Service Provider supports metadata import, the XML file can be provided directly. Otherwise, the necessary information must be entered manually.
    4. Define the Authentication Policy in Authentication Hub to authenticate the user. See Authentication Policy.
  4. Initiate the authentication flow. There are two ways to invoke the authentication flow:
    • Identity Provider Initiated Flow: As an Identity Provider, you can initiate the authentication flow to access the application by using one of the following endpoints:
      • https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?entityId=<samlEntityId of the SP application registered>
      • https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?appId=<appId of the SP application registered>
      • https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?name=<name of the SP application registered>
    • Service Provider Initiated Flow: Perform the following steps:
      1. Navigate to Domain Management > My Domain in SalesForce.
      2. Edit the Authentication Configuration section and select the Authentication Hub Authentication Service.
      3. Click Save.
        This step enables the Authentication Hub login page when you initiate the authentication flow as a Service Provider.
    • Now, you can initiate the authentication flow as a Service Provider to access the application by using the following login endpoint:
      https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login
      This step results in the following outcomes:
      • The user is authenticated based on the factors defined in the policy.
      • The SAML response is sent back to the service provider.
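As an added example (not Authentication Hub's own code), the following Python derives the saml* registration attributes described in the table above from a Service Provider's metadata, refusing metadata that carries no SPSSODescriptor (such as the IDP metadata sample on this page), non-HTTP-POST or non-https ACS endpoints, unsupported NameID formats, and a signing requirement without a published certificate. The metadata document, entity ID, ACS URL and certificate body are constructed placeholders, and the certificate alias argument is assumed to be the alias the SP certificate is imported under.

```python
"""Derive the Authentication Hub SAML app registration from SP metadata.
Added example, not Authentication Hub's own code: it maps SP metadata onto
the saml* attributes in the table above. The metadata below is constructed;
its entity ID, ACS URL and certificate body are placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# NameID formats this page lists as supported for samlNameIdFormat.
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName": "X509SubjectName",
}

# Constructed SP metadata: the SP signs its AuthnRequests, publishes a
# signing certificate (placeholder body) and lists two ACS bindings.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml2/service-provider">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBplaceholderCertificateBodyBase64==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml2/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml2/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_metadata_to_app(metadata_xml, name, verify_cert_alias):
    """Return (app_body, signing_cert_b64) for POST .../admin/v1/Apps.
    verify_cert_alias: alias the SP signing certificate is imported under."""
    # Third-party metadata is untrusted input; in production parse it with
    # defusedxml rather than plain ElementTree.
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:  # e.g. IDP metadata was downloaded by mistake
        raise ValueError("no SPSSODescriptor: entity is not a Service Provider")

    # samlAcsUrl: the default HTTP-POST AssertionConsumerService, https only.
    post_acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    acs = next((a for a in post_acs if a.get("isDefault") == "true"), post_acs[0])
    acs_url = acs.get("Location", "")
    if not acs_url.startswith("https://"):
        raise ValueError("ACS URL must be https: %r" % acs_url)

    # samlNameIdFormat: only the formats the page lists are accepted.
    fmt = sp.findtext("md:NameIDFormat", default="", namespaces=NS).strip()
    if fmt and fmt not in NAMEID_FORMATS:
        raise ValueError("unsupported NameIDFormat %r" % fmt)

    # samlVerifyRequestSignature is only meaningful with a signing cert.
    signs_requests = sp.get("AuthnRequestsSigned", "false") == "true"
    cert = sp.findtext("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                       "ds:X509Data/ds:X509Certificate", namespaces=NS)
    cert = "".join(cert.split()) if cert else None
    if signs_requests and not cert:
        raise ValueError("SP signs requests but publishes no signing certificate")

    app = {
        "status": "active",
        "name": name,
        "samlEntityId": root.get("entityID"),
        "samlAcsUrl": acs_url,
        "samlNameIdFormat": NAMEID_FORMATS.get(fmt, "unspecified"),
        "samlEnableSingleLogout": sp.find("md:SingleLogoutService", NS) is not None,
        "samlVerifyRequestSignature": signs_requests,
        "samlVerifyCertAlias": verify_cert_alias if signs_requests else None,
        "samlEncryptSamlResponse": False,
        "samlEncryptCertAlias": None,
        "samlSignResponse": True,   # sign the envelope as well as
        "samlSignAssertion": True,  # the assertion
    }
    return app, cert
```

The returned certificate body is what you would import through the ".../admin/v1/Certs" API under verify_cert_alias when the SP metadata is not imported automatically.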