...

Info

This authentication plugin supports both redirecting to configured SAML Identity Providers (see Federations) with a generated SAML Request asking them to authenticate a user, and receiving SAML Requests from configured SAML Service Providers so that they can ask this plugin for a SAML Response.

The following query/post parameters are supported for redirecting to SAML Service Providers:

  • tokentype
    Specify which token type to use; can be ws-trust, saml1 or saml2. Defaults to saml2.
  • binding
    Specify the binding; can be GET, redirect or POST. The SAML Request will be sent with an HTTP GET or POST request to the Service Provider URL depending on this parameter. Defaults to POST.
  • requestid
    Optionally specify the request ID to respond to. Defaults to none.
  • RelayState
    If this parameter is present in the request along with a SAML Request, it is sent back in the POST request together with the SAML Response.


Note: Advanced usage

Normally, federation is initiated via a SAML Request present in the POST or query parameter "SAMLRequest". If you receive the SAML Request from another source, you can store it in the session in a state variable called "websso.samlrequest"; if no SAML Request is provided as input, the authentication plugin will look in the session for this attribute and use it if present. It is deleted after use.


...

Default: none
JSON key: identityprovider.name 

Redirect URL

URL that the identity provider should redirect the user back to after authenticating

Default: none
JSON key: redirecturl 

Enable federation of identity to service providers

When enabled, an identified user's identity can be federated to a service provider, and a service provider can send a SAML Request to us to ask for the user's identity.

Default: true
JSON key: federation.enabled

Tip

To get the name from a query parameter, specify a script like this:

Code Block
context.getQueryOrPostParam("idpname");



Warning

Requires minimum Ceptor v6.4.5 - with lower versions, the passive binding is the only supported one.

When using another site as Identity Provider, and Ceptor as Service Provider to that site, the following additional query/post parameters can be specified when calling the URL that triggers this plugin:

  • binding
    Specify binding, can be passive, redirect or POST - default is passive.
  • RelayState
    If this parameter is present in the request, it is added to the request towards the Identity Provider.
  • signrequest
    For redirect/POST binding, specify if SAML request should be signed or not - default is true.
  • encryptrequest
    For redirect/POST binding, specify if SAML request should be encrypted or not - default is false.

For the passive binding (which is the default), the user is redirected to the Identity Provider's federation URL with these query parameters added:

  • wa=wsignin1.0
  • id=passive
  • wtrealm=<identifier name>
  • wreply=<return url>
  • wct=<current timestamp>
  • RelayState=<relayState input parameter if not empty>

For the passive binding, no SAML Request will be transmitted.

For the redirect / GET binding, the user is redirected to the Identity Provider's federation URL with the following query parameters added:

  • SAMLRequest=<deflated SAML request, base64 encoded>
  • RelayState=<relayState input parameter if not empty>

Note that the SAML request will be signed/encrypted according to the query/POST input parameters signrequest and encryptrequest.

For the POST binding, a form is returned that auto-submits, sending a POST request to the Identity Provider's federation URL with the following parameters:

  • SAMLRequest=<base64 encoded SAML request>
  • RelayState=<relayState input parameter if not empty>

Note that the SAML request will be signed/encrypted according to the query/POST input parameters signrequest and encryptrequest.
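As an added example (not the plugin's own code), the following Python builds the three parameter sets described above on the Service Provider side and shows how the redirect-binding value is decoded on the receiving end. The federation URL, realm, return URL and the AuthnRequest XML are constructed placeholders, and signing/encryption (signrequest/encryptrequest) is left out.

```python
import base64
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed sample AuthnRequest; in practice the plugin generates (and may
# sign/encrypt) the real request, so this is only a stand-in for the encoding.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs"/>'
)

def passive_redirect_url(federation_url, wtrealm, wreply, relay_state="", wct=None):
    """Passive binding: no SAML Request at all, only wa/id/wtrealm/wreply/wct."""
    wct = wct or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {"wa": "wsignin1.0", "id": "passive", "wtrealm": wtrealm,
              "wreply": wreply, "wct": wct}
    if relay_state:  # RelayState only added when the input parameter is non-empty
        params["RelayState"] = relay_state
    return federation_url + "?" + urlencode(params)

def redirect_binding_url(federation_url, saml_request_xml, relay_state=""):
    """Redirect/GET binding: raw DEFLATE (no zlib header), then base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate
    raw = deflater.compress(saml_request_xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return federation_url + "?" + urlencode(params)

def post_binding_form_fields(saml_request_xml, relay_state=""):
    """POST binding: plain base64 of the XML (no deflate), sent as auto-submitted form fields."""
    fields = {"SAMLRequest": base64.b64encode(saml_request_xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields

def decode_redirect_saml_request(url):
    """Receiving side of the redirect binding: base64-decode, then raw-inflate."""
    value = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode("utf-8")

def decode_post_saml_request(fields):
    """Receiving side of the POST binding: base64-decode only."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")
```

Mixing the two encodings up (inflating a POST value, or not inflating a redirect value) is a common interoperability failure, so the decoders are kept separate.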



Tip

This authentication plugin can be used both when using Ceptor as a relying party / service provider and when using Ceptor as an Identity Provider where the user is already authenticated.

When Ceptor is an Identity Provider, the plugin receives and processes a SAML Request for authentication.

...

Tip

By using a script such as

Code Block
statecontext.getQueryOrPostParam("spname");

you can allow the name to be specified on a query parameter.

...