Authentication Hub Operating as an Identity Provider
In this scenario, the Authentication Hub provides authentication services to a Service Provider (SP), which could be another application or a service.
When the Authentication Hub functions as an Identity Provider (IDP) for a Service Provider (SP), user authentication typically follows these steps:
- The SP relies on the Authentication Hub to authenticate its users.
- Users attempting to access the SP are redirected to the Authentication Hub for authentication.
- After successful authentication, the Authentication Hub sends an assertion or token back to the SP.
- The SP trusts this assertion and grants the user access to the SP's resource.
To accomplish the above steps, configuration is required at both ends: at the Authentication Hub (IDP) and at the Service Provider (SP). These configurations establish the trust between the two parties and enable the federated authentication flow.
To extend authentication services to an external service provider, create an application within Authentication Hub through the Admin Console or Authentication Hub APIs. This involves configuring the necessary details obtained from the Service Provider's metadata to set up the application within Authentication Hub.
OIDC Flow
Authentication Hub Operating as an Identity Provider
In the following steps, Authentication Hub is operating as an Identity Provider. Follow these steps to configure an external Service Provider in Authentication Hub:
- Download the Service Provider's metadata. The Service Provider creates an IDP at their end. Once the Service Provider creates the IDP with the details from Authentication Hub and saves it, this information is downloadable by Authentication Hub from the Service Provider's site in the form of metadata. The following is a sample of IDP metadata that can be downloaded from a service provider (the certificate value is omitted):

    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        entityID="https://de-template-may-7-15-dev-ed.my.salesforce.com"
        validUntil="2033-10-14T09:07:20.522Z"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpPost"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpRedirect"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
- Create an OIDC application in Authentication Hub for the service provider. Use the following Application API to create a new application in Authentication Hub: https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps

  Creating an Application Using the OIDC Protocol

  The following example shows the request payload of the ".../admin/v1/Apps" API using the OIDC protocol. In addition to the obligatory attributes displayed in the sample, there are several optional attributes that can be included in the payload by performing a PATCH call.

  For more information on how to create an app and for a description of the attributes in Authentication Hub, see Managing Application.

    {
        "status": "active",
        "name": "democlient",
        "description": "Demo client to perform tenant level operations for demo purpose.",
        "clientType": "TRUSTED",
        "allowedOpenIDScopes": [ "address", "phone", "openid", "profile", "groups", "email" ],
        "redirectURIs": [ "https://www.example.com" ],
        "allowedGrantTypes": [ "refresh_token", "implicit", "client_credentials", "authorization_code", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
        "flowURL": null,
        "deviceCodeFlowURL": null,
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": false,
        "skipEmailForIT": false,
        "zeroFootPrint": false,
        "softMFAEnabled": false,
        "userTokenSubAttributeMappingName": null,
        "supportedJoseHeaderParams": null,
        "claims": [
            { "name": "_title", "target": "at,it", "value": "${idProfile.title}" },
            { "name": "_idp_name", "target": "at,it", "value": "${idToken.idp_name}" },
            { "name": "_env", "target": "at,it", "value": "${appMetadata.env}" },
            { "name": "_acct_num", "target": "at,it", "value": "12345" },
            { "name": "_transactionIdentifier", "target": "at,it", "value": "${clientContext.transactionIdentifier}" }
        ],
        "allowedOperations": [ "itgroups", "atgroups", "introspect" ],
        "secondaryAudiences": [ "env=blue", "https://consumer.com/myapi" ],
        "assertionVerificationCertAlias": null,
        "appIcon": null,
        "secret": "b62989d7-b992-4a77-88c8-5f6595eeedf3",
        "clientId": "b72ca551-59ec-4e07-ac5b-d09f19c663a8",
        "itEncryptionTarget": "NONE",
        "itEncryptionCertAlias": null,
        "userInfoEncryptionCertAlias": null
    }
Example: Integrating an OIDC Service Provider with Authentication Hub
In the following scenario, Authentication Hub operates as an Identity Provider and Salesforce functions as the Service Provider. Configuration must be applied on both ends to establish the connection between the two parties and initiate the federated authentication flow. The integration setup for both parties is therefore described in the following steps.
Prerequisites
- A machine with a public IP, or a cloud provider, with a provisioned Kubernetes cluster that has VIP Authentication Hub deployed on it.
- An active SalesForce account to perform the integration.
- The standard OpenID Connect claims are mapped in the VIP Authentication Hub LDAPconfig using attributeMapping. Ensure that you use the latest Postman collection for creating the LDAPconfig. Also note that the user used for the SalesForce use case must have values for all the attributes in the LDAP ID Store, as per the mappings in the Authentication Hub ldapconfig.
- Ensure that you use a CA-signed certificate to enable SSL on the ingress controller. This implies that all VIP Authentication Hub URLs using https should use proper CA-signed certificates. This is important because the https://ssp_host/default/oauth2/v1/token endpoint is called from the backend SalesForce server, which must be able to trust the certificate chain.
- When using the OpenID Connect protocol to integrate with VIP Authentication Hub, ensure that your app has redirectURIs, allowedOpenIDScopes, allowedGrantTypes, and allowedOperations configured. See API Security Using OAuth2 for more information.
The following example uses SalesForce as a Service Provider for Authentication Hub.
The steps outlined in this section describe how to configure SalesForce as an external service provider in Authentication Hub.
Perform the following steps:
- Download the Service Provider's metadata. This step is already covered above on this page; see the step on downloading the Service Provider's metadata.
- Create an application to register SalesForce in VIP Authentication Hub using the following API: https://<ssp_host>/default/admin/v1/Apps. Ensure that the request payload has the following attributes configured:
- "userInfoEndpointResponseFormat": "PLAIN_JSON"
- "skipIssuerAudienceForIT": true
- The examples in this section describe creating the application using the OIDC protocol.

  Request Payload

  The following example shows the request payload used to create a SalesForce application in Authentication Hub using the OIDC protocol:

    {
        "status": "active",
        "name": "salesforce-app",
        "description": "Application for Salesforce integration",
        "clientType": "CONFIDENTIAL",
        "allowedOpenIDScopes": [ "openid", "profile", "email" ],
        "redirectURIs": [ "https://www.example.com" ],
        "allowedGrantTypes": [ "authorization_code" ],
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": true
    }

  Response Payload

  The following example shows the response for the SalesForce application created in Authentication Hub using the OIDC protocol:

    {
        "status": "active",
        "name": "salesforce-app",
        "description": "Application for Salesforce integration",
        "clientType": "CONFIDENTIAL",
        "allowedOpenIDScopes": [ "openid", "profile", "email" ],
        "redirectURIs": [ "https://www.example.com" ],
        "allowedGrantTypes": [ "authorization_code" ],
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": true,
        "appId": "06c3cd12-20d2-4c89-8cc8-df429e3945e4",
        "createdBy": {
            "principalType": "CLIENT",
            "principalId": "006eddf2-ea8d-46b6-8c9b-2c355bf81aa2",
            "principalName": "defaulttenantclient"
        },
        "createdDateTime": "2020-06-23 04:28 AM UTC",
        "secret": "c380f534-144d-44ac-b9e2-47a1dcfac5e1",
        "clientId": "5770ce5b-7252-4b9b-a7bd-da624c891fca"
    }

  For the OIDC application, make a note of the clientId and secret attributes, as these are used to set the Consumer Key and Consumer Secret in the next section.
- At this stage, you do not have a SalesForce callback URL. You need to update the redirect URI once SalesForce establishes an Auth. Provider.
Configuration at SalesForce
After creating the application in Authentication Hub, perform the following configurations at SalesForce:
- Log into the SalesForce site.
- Navigate to Setup > Security Controls > Auth. Providers.
- Click New to add the VIP Authentication Hub OIDC client information and endpoints.
- Configure the Consumer Key and the Consumer Secret. Add the value of clientId as the Consumer Key and the value of secret as the Consumer Secret, as obtained from Authentication Hub (see the step above about noting the credentials).
- Configure the following VIP Authentication Hub OIDC endpoints, replacing <ssp_host> with the appropriate hostname:
- Authorize Endpoint URL: https://<ssp_host>/default/oauth2/v1/authorize
- Token Endpoint URL: https://<ssp_host>/default/oauth2/v1/token
- UserInfo Endpoint URL: https://<ssp_host>/default/oauth2/v1/userinfo
- (Optional) Token Issuer: https://<ssp_host>/default/
- Set the Default Scopes to openid profile email.
- Click the Auto Generate Registration Handler link in the Registration Handler field. This is required for SalesForce to generate the SSO initialization URL.
- In the field, select Run as User and then select Search Logged In user.
- Save the configuration. The following URLs are generated at this point:
- Test-Only Initialization URL
- Single Sign-On Initialization URL
- Existing User Linking URL
- Oauth-Only Initialization URL
- Callback URL

- Copy the Callback, Existing User Linking and Single Sign-On URLs.
- The next step is to perform the SalesForce configuration at Authentication Hub. See the Updating the Client Config at VIP Authentication Hub section.
Updating the Client Config at VIP Authentication Hub
At this stage, you have obtained the SalesForce callback URL.
- Perform a PUT call to update the SalesForce application with the callback URL, using the following endpoint: https://{{sspHost}}/{{tenantName}}/admin/v1/Apps/{{clientAppId}}

  Example of a PUT call to update the SalesForce callback URL:

    {
        "status": "active",
        "name": "salesforce-app",
        "description": "Application for Salesforce integration",
        "clientType": "CONFIDENTIAL",
        "allowedOpenIDScopes": [ "openid", "profile", "email" ],
        "redirectURIs": [ "https://www.example.com", "https://<salesforce callback URL>" ],
        "allowedGrantTypes": [ "authorization_code" ],
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": true
    }
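The following added example (not the product's own code) builds the Salesforce app payload described above, checks it for the mistakes most likely to break or weaken the integration (a non-https or wildcard redirect URI, a missing PLAIN_JSON/skipIssuerAudienceForIT setting, a malformed claim expression such as "${appMetadata}.env}"), and produces the body for the PUT that adds the callback URL. The callback URL and host are assumed placeholders, and the claim namespaces accepted are only the ones shown on this page.

```python
"""Pre-flight checks for Authentication Hub OIDC app payloads (Salesforce case).
Added example; assumes the Apps API attributes shown on the page."""
import copy
import re
from urllib.parse import urlparse

# Claim namespaces that appear in the page's examples; anything else is flagged.
CLAIM_VALUE_RE = re.compile(
    r"^\$\{(idProfile|idToken|appMetadata|clientContext)\.[A-Za-z0-9_]+\}$")


def build_salesforce_app(name, redirect_uris, claims=()):
    """Request body for POST .../admin/v1/Apps with the settings the
    Salesforce integration requires (PLAIN_JSON userinfo, skipIssuerAudienceForIT)."""
    return {
        "status": "active",
        "name": name,
        "description": "Application for Salesforce integration",
        "clientType": "CONFIDENTIAL",
        "allowedOpenIDScopes": ["openid", "profile", "email"],
        "redirectURIs": list(redirect_uris),
        "allowedGrantTypes": ["authorization_code"],  # code flow only; no implicit
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": True,
        "claims": [dict(c) for c in claims],
    }


def check_app(app):
    """Return the list of problems a reviewer would raise before sending the payload."""
    problems = []
    for uri in app.get("redirectURIs", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            problems.append("redirect URI not https: " + uri)
        if parsed.fragment or "*" in uri:
            problems.append("redirect URI must be exact (no wildcard/fragment): " + uri)
    if app.get("userInfoEndpointResponseFormat") != "PLAIN_JSON":
        problems.append("Salesforce needs userInfoEndpointResponseFormat=PLAIN_JSON")
    if app.get("skipIssuerAudienceForIT") is not True:
        problems.append("Salesforce needs skipIssuerAudienceForIT=true")
    if "implicit" in app.get("allowedGrantTypes", []):
        problems.append("implicit grant enabled; authorization_code is sufficient")
    for claim in app.get("claims", []):
        value = claim.get("value", "")
        if value.startswith("${") and not CLAIM_VALUE_RE.match(value):
            problems.append("malformed claim expression for %s: %s"
                            % (claim.get("name"), value))
    return problems


def add_callback(app, callback_url):
    """Body for the PUT .../admin/v1/Apps/{appId}: the full app document with the
    Salesforce callback URL appended (PUT replaces the resource, so resend everything)."""
    updated = copy.deepcopy(app)
    if callback_url not in updated["redirectURIs"]:
        updated["redirectURIs"].append(callback_url)
    return updated


if __name__ == "__main__":
    app = build_salesforce_app("salesforce-app", ["https://www.example.com"])
    print(check_app(app))  # expected: []
    # Constructed placeholder; use the Callback URL Salesforce generated.
    print(add_callback(app, "https://callback.example/placeholder")["redirectURIs"])
```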
Linking Accounts
In this step, you link the VIP Authentication Hub user ID with the SalesForce account.
- Open the Existing User Linking URL in a browser. This URL is provided to you when you save the Auth. Providers configuration at SalesForce. You are redirected to the VIP Authentication Hub Auth UI for authentication.
- After successful authentication, the SalesForce login page is displayed.
- Log in with the SalesForce user details. You may be prompted to authenticate with an OTP before proceeding to Link Accounts. If you are prompted, authenticate with the OTP.
- Once you have authenticated successfully, click Link Accounts. You are redirected to the SalesForce site.
- Navigate to Setup > Manage Users > Users and then click the logged-in user link.
- Navigate to the Third-Party Account. This displays the VIP Authentication Hub user ID as one of the linked accounts, along with the Auth. Provider Name.
Logging into SalesForce Using a VIP Authentication Hub Account
- Once your account linking is successful, open the Single Sign-On URL and the SalesForce Auth. Provider URL in a browser. You are redirected to the VIP Authentication Hub Auth UI login page.
- Once you have authenticated successfully, you are redirected to the secure site.
Example: Integrating a SAML Service Provider with Authentication Hub
SAML Flow
Authentication Hub Operating as an Identity Provider
In the following steps, Authentication Hub operates as a SAML Identity Provider, with SalesForce as the Service Provider.
Follow these steps:
- Register Authentication Hub as an Identity Provider with the Service Provider.
- Log into the SalesForce site.
- Navigate to
- Click "New From Metadata File" to add the VIP Authentication Hub SAML information.
- Select the metadata file from your system and click Create.
- Configure the following VIP Authentication Hub SAML attributes:
- Name
- Issuer
- Identity Provider Certificate
- SAML Identity Type - Set to the default - Assertion contains the User's Salesforce username
- SAML Identity Location - Set to the default - Identity is in the NameIdentifier element of the Subject statement
- Service Provider Initiated Request Binding - Set to the default - HTTP Redirect
- Identity Provider Login URL
- Save the configuration. The following URLs are generated at this point:
- Login URL
- Logout URL

- Download the Service Provider's metadata. The following is a sample of IDP metadata that can be downloaded from a service provider (the certificate value is omitted):

    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        entityID="https://de-template-may-7-15-dev-ed.my.salesforce.com"
        validUntil="2033-10-14T09:07:20.522Z"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo>
            <ds:X509Data>
              <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpPost"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://broadcominc-dev-ed.develop.my.salesforce.com/idp/endpoint/HttpRedirect"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
- Register a SAML application on behalf of the service provider in Authentication Hub. For more information on how to create an app in Authentication Hub, see Managing Application. Configure the application using the information provided in the Service Provider's metadata that you have downloaded in the previous step.
- Use the following endpoint to register an application in Authentication Hub: POST https://{{sspHost}}/{{apiPathTenant}}/admin/v1/Apps
- The following attributes need to be configured in the application to register it as a SAML service provider:
  - samlEntityId: This attribute corresponds to the entityID provided by the Service Provider.
    - In the Service Provider Initiated flow, "samlEntityId" should match the Issuer in the authentication request.
    - In the IDP Initiated flow, if the entityId is provided in the request parameter, it should match the configured "samlEntityId" to point to the configured application.
  - samlAcsUrl: This is the "AssertionConsumerService" URL obtained from the service provider, where the SAML response is sent.
  - samlEnableSingleLogout: This attribute indicates that if a user logs out of Authentication Hub, they are also logged out of the Service Provider.
  - samlNameIdFormat: This is the "NameID" format that is supported for the Subject. Supported formats are: emailAddress, unspecified, X509SubjectName.
  - samlVerifyRequestSignature: This attribute indicates whether the signature of the received SAML authentication request should be verified.
  - samlVerifyCertAlias: If "samlVerifyRequestSignature"="true", this attribute is mandatory and refers to the alias of the certificate used for verification. The certificate can be imported in either of these ways:
    - Imported automatically from the Service Provider (SP) metadata, if the SP metadata XML is available.
    - Imported manually using the ".../admin/v1/Certs" API.
  - samlEncryptSamlResponse: This is a boolean attribute that indicates whether the SAML Response sent by Authentication Hub should be encrypted.
  - samlEncryptCertAlias: If "samlEncryptSamlResponse"="true", this attribute is mandatory and refers to the alias of the certificate used for encryption. The certificate can be imported in either of these ways:
    - Imported automatically from the Service Provider (SP) metadata, if the SP metadata XML is available.
    - Imported manually using the ".../admin/v1/Certs" API.
  - samlIdpInitiatedRelaystateMapping: This attribute defines the mapping between the relayState provided during the IDP Initiated flow and the actual relative URL of the app where the flow ends. For example:

        "samlIdpInitiatedRelaystateMapping": { "PORTAL": "test/Users/home" }

  - samlAssertionClaims: The "samlAssertionClaims" attribute lets you configure custom SAML claims for an application. VIP Authentication Hub includes these custom SAML claims in the Identity and/or Access tokens on behalf of this application as a Relying Party.

    Syntax:

        "samlAssertionClaims": [ { "name": "<claim-name>", "value": "${<namespace>.<property>}" } ]

    - name: Specifies the name of the custom SAML claim to be included in the token.
    - value: Specifies the SAML claim value. This can contain dynamic environment variables, which are substituted with their corresponding values when this attribute is used. See Dynamic Environment Variable Substitution.

    Example:

        "samlAssertionClaims": [
            { "name": "_branchname", "value": "${idProfile.branch}" },
            { "name": "_region", "value": "${appMetadata.region}" },
            { "name": "_accountnumber", "value": "${idToken.accountnumber}" },
            { "name": "_transactionIdentifier", "value": "${clientContext.transactionIdentifier}" }
        ]

    For more information, see Custom Token Claims.
  - samlUserTokenSubAttributeMappingName: This is the name of the logical ID store attribute whose physical ID store attribute value is placed in the "sub" claim of the IT and AT issued to this application. This logical attribute has to appear as one of the mappings in the "attributeMapping" property of the ID store config resource.
  - samlSignatureWithKeyInfo: This is a boolean attribute that indicates whether the SAML signature should include the KeyInfo.
  - samlSignResponse: This is a boolean attribute that indicates whether the SAML response sent by Authentication Hub should be signed.
  - samlSignAssertion: This is a boolean attribute that indicates whether the SAML Assertion sent by Authentication Hub as part of the SAML response should be signed.

  Sample SAML App API request:

    {
        "status": "active",
        "name": "SP-saml",
        "description": "Application for SP integration",
        "samlAssertionClaims": [
            { "name": "ctry", "value": "${idProfile.ctry}" },
            { "name": "fname", "value": "${idProfile.fname}" },
            { "name": "lname", "value": "${idProfile.lname}" }
        ],
        "samlUserTokenSubAttributeMappingName": "user_loginid",
        "samlEntityId": "https://www.sp.com",
        "samlAcsUrl": "https://www.sp.com/saml/acs",
        "samlEnableSingleLogout": false,
        "samlNameIdFormat": "unspecified",
        "samlVerifyRequestSignature": false,
        "samlVerifyCertAlias": null,
        "samlEncryptSamlResponse": false,
        "samlEncryptCertAlias": null,
        "samlIdpInitiatedRelaystateMapping": {}
    }

  Sample SAML App API response:

    {
        "status": "active",
        "name": "SP-saml",
        "description": "Application for SP integration",
        "clientType": "CONFIDENTIAL",
        "allowedOpenIDScopes": [ "openid", "profile", "email" ],
        "redirectURIs": [ "www.example.com" ],
        "allowedGrantTypes": [ "implicit", "authorization_code" ],
        "flowURL": null,
        "deviceCodeFlowURL": null,
        "userInfoEndpointResponseFormat": "PLAIN_JSON",
        "skipIssuerAudienceForIT": true,
        "skipEmailForIT": false,
        "idpDiscoveryEnabled": null,
        "zeroFootPrint": false,
        "softMFAEnabled": false,
        "delegatedAuthentication": false,
        "autoPostToFlowURL": false,
        "userTokenSubAttributeMappingName": null,
        "supportedJoseHeaderParams": null,
        "claims": [],
        "allowedOperations": null,
        "secondaryAudiences": null,
        "assertionVerificationCertAlias": null,
        "appIcon": null,
        "secret": "388a1f0d-7dd1-45e9-915f-341346970ded",
        "clientId": "cac65437-3588-4b61-989b-45a56bdc18df",
        "itEncryptionTarget": "NONE",
        "itEncryptionCertAlias": null,
        "userInfoEncryptionCertAlias": null,
        "samlEntityId": "https://www.sp.com/saml2/service-provider/splylemeeypkgaksryyt",
        "samlAcsUrl": "https://sp.com/sso/saml2/0oadhf7dftXhv66I85d7",
        "samlEnableSingleLogout": false,
        "samlNameIdFormat": "unspecified",
        "samlVerifyRequestSignature": false,
        "samlVerifyCertAlias": null,
        "samlEncryptSamlResponse": false,
        "samlEncryptCertAlias": null,
        "samlSignResponse": false,
        "samlSignAssertion": true,
        "samlSignatureWithKeyInfo": true,
        "samlIdpInitiatedRelaystateMapping": { "PORTAL": "home" },
        "samlAssertionClaims": [],
        "samlUserTokenSubAttributeMappingName": null,
        "skewTimeSecs": 0,
        "passwordAuthoritativeSource": "remote",
        "mitmProtectionLevel": null,
        "idStoreToUse": null,
        "samlEffectiveIdpInitiatedUrlWithEntityId": "https://idp.com/default/saml/v1/idp/login?entityId=https://www.sp.com/saml2/service-provider/splylemeeypkgaksryyt",
        "samlEffectiveIdpInitiatedUrlWithAppId": "https://idp.com/default/saml/v1/idp/login?appId=eaeb66b0-30b5-4852-8dc6-e79664b2d7ac",
        "samlEffectiveSpAcsUrlWithEntityId": "https://idp.com/default/saml/v1/sp/acs?sp=https://www.okta.com/saml2/service-provider/splylemeeypkgaksryyt",
        "samlEffectiveSpAcsUrlWithAppId": "https://idp.com/default/saml/v1/sp/acs?sp=eaeb66b0-30b5-4852-8dc6-e79664b2d7ac",
        "samlEffectiveSpAcsUrlWithAppName": "https://idp.com/default/saml/v1/sp/acs?sp=sp-saml",
        "errorUrl": null,
        "appId": "eaeb66b0-30b5-4852-8dc6-e79664b2d7ac",
        "createdBy": {
            "principalType": "CLIENT",
            "principalId": "17784384-e37b-4c7a-8d09-3d8b1a7a72c7",
            "principalName": "DefaultTenantClient"
        },
        "createdDateTime": "2023-11-25 04:10 PM UTC",
        "updatedDateTime": "2023-11-25 04:10 PM UTC"
    }

  Where:
  - samlEffectiveIdpInitiatedUrlWithEntityId: This is the IDP initiated URL for the application (when Authentication Hub acts as the SAML IDP), using the configured SAML Entity ID of the application.
  - samlEffectiveIdpInitiatedUrlWithAppId: This is the IDP initiated URL for the application (when Authentication Hub acts as the SAML IDP), using the App ID of the application.
  - samlEffectiveSpAcsUrlWithEntityId: This is the AssertionConsumerService URL to be configured with the external IDP when the IDP Initiated flow is invoked by the external Identity Provider (when Authentication Hub acts as the Service Provider) and the underlying application is identified by the Entity ID.
  - samlEffectiveSpAcsUrlWithAppId: This is the AssertionConsumerService URL to be configured with the external IDP when the IDP Initiated flow is invoked by the external Identity Provider (when Authentication Hub acts as the Service Provider) and the underlying application is identified by the App ID.
  - samlEffectiveSpAcsUrlWithAppName: This is the AssertionConsumerService URL to be configured with the external IDP when the IDP Initiated flow is invoked by the external Identity Provider (when Authentication Hub acts as the Service Provider) and the underlying application is identified by the App Name.
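The registration step above takes its values from the Service Provider's metadata. The following added example (not the product's own code) parses SP metadata with the standard library and derives the samlEntityId, samlAcsUrl, samlNameIdFormat and signature-verification attributes for the Apps API request, refusing metadata that lacks an SPSSODescriptor or an HTTP-POST AssertionConsumerService, or that uses a NameID format the page does not list. The SP metadata embedded below is constructed in the shape of the page's sample, with a placeholder certificate, and the certificate alias is assumed to have been imported already via ".../admin/v1/Certs".

```python
"""Derive Authentication Hub SAML app attributes from SP metadata (added example)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUPPORTED_NAMEID = {"emailAddress", "unspecified", "X509SubjectName"}  # per the page

# Constructed sample SP metadata; the certificate is a placeholder, not a real key.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://www.sp.com" validUntil="2033-10-14T09:07:20.522Z">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://www.sp.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_metadata_to_app(xml_text, app_name, cert_alias=None):
    """Return the SAML attributes for POST .../admin/v1/Apps, or raise ValueError
    when the metadata is unusable. Only values the metadata states are copied."""
    root = ET.fromstring(xml_text)  # expat does not fetch external entities
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not Service Provider metadata")
    acs = [e for e in sp.findall("md:AssertionConsumerService", NS)
           if e.get("Binding") == POST_BINDING]
    if not acs:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    acs.sort(key=lambda e: (e.get("isDefault") != "true", int(e.get("index", "0"))))
    fmt_el = sp.find("md:NameIDFormat", NS)
    fmt = (fmt_el.text.strip().rsplit(":", 1)[-1]
           if fmt_el is not None and fmt_el.text else "unspecified")
    if fmt not in SUPPORTED_NAMEID:
        raise ValueError("unsupported NameID format: " + fmt)
    # A KeyDescriptor without "use" covers both signing and encryption.
    has_signing_cert = any(
        kd.get("use") in (None, "signing")
        and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for kd in sp.findall("md:KeyDescriptor", NS))
    signs_requests = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    verify = signs_requests and has_signing_cert
    if verify and not cert_alias:
        raise ValueError("SP signs requests: import its certificate and pass cert_alias")
    return {
        "status": "active",
        "name": app_name,
        "samlEntityId": root.get("entityID"),
        "samlAcsUrl": acs[0].get("Location"),
        "samlNameIdFormat": fmt,
        "samlEnableSingleLogout": sp.find("md:SingleLogoutService", NS) is not None,
        "samlVerifyRequestSignature": verify,
        "samlVerifyCertAlias": cert_alias if verify else None,
        "samlSignAssertion": True,  # the SP must be able to check what it receives
    }


if __name__ == "__main__":
    import json
    print(json.dumps(sp_metadata_to_app(SAMPLE_SP_METADATA, "SP-saml", "sp-signing"), indent=2))
```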
- After creating an application in Authentication Hub on behalf of the Service Provider, the Authentication Hub's IDP metadata can be downloaded using the following endpoint: POST https://SSP_HOSTNAME/default/saml/v1/metadata. If the Service Provider supports metadata import, the XML file can be provided directly. Otherwise, the necessary information must be entered manually.
- Define the Authentication Policy in Authentication Hub to authenticate the user. See Authentication Policy.
- Initiate the authentication flow. There are two ways to invoke the authentication flow:
- Identity Provider Initiated Flow: As an Identity Provider, you can initiate the authentication flow to access the application by using one of the following endpoints:
- https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?entityId=<samlEntityId of the SP application registered>
- https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?appId=<appId of the SP application registered>
- https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?name=<name of the SP application registered>
- Service Provider Initiated Flow: Perform the following steps:
- Navigate to
- Edit the Authentication Configuration section and select the Authentication Hub Authentication Service.
- Click Save. This step enables the Authentication Hub login page when you initiate the authentication flow as a Service Provider.
- Now you can initiate the authentication flow as a Service Provider to access the application by using the following login endpoint: https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login. This step results in the following outcomes:
- The user is authenticated based on the factors defined in the policy.
- SAML response is sent back to the service provider.