SAML2 Backend
The SAML2 backend acts as a SAML Service Provider (SP), sending authentication requests to SAML Identity Providers (IdPs).
Configuration
An example configuration for the SAML2 Backend can be found here. Just like any other backend configuration, the configuration for the SAML2 Backend needs to be placed inside <customer-project>/didmos2-auth/config/backends. Moreover, just like any other configuration, it is recommended that credentials in the configuration are specified using !ENV ENVIRONMENT_VARIABLE_NAME, and the value of ENVIRONMENT_VARIABLE_NAME is defined in the .env file of the compose project.
Let's have a look at the following example setup for the SAML2 Backend configuration:

```yaml
module: satosa.backends.saml2.SAMLBackend
name: Saml2
config:
  entityid_endpoint: True
  sp_config:
    key_file: !ENV SATOSA_SAML_BE_SP_KEY_FILE
    cert_file: !ENV SATOSA_SAML_BE_SP_CERT_FILE
    metadata:
      remote:
        - url: 'https://login.microsoftonline.com/7bf9f96e-3df2-4608-9248-64bacfd2f09d/federationmetadata/2007-06/federationmetadata.xml?appid=dac7323c-7613-48ac-82e7-3ff4b8a4f03a'
    entityid: <base_url>/<name>/proxy_saml2_backend.xml
    accepted_time_diff: 60
    service:
      sp:
        ui_info:
          display_name:
            - lang: en
              text: !ENV AUTH_HOSTNAME
          description:
            - lang: en
              text: !ENV AUTH_HOSTNAME
        want_response_signed: false
        allow_unsolicited: true
        endpoints:
          assertion_consumer_service:
            - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']
        name_id_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
```
The SATOSA_SAML_BE_SP_KEY_FILE and similarly all the other environment variables can then be defined in either the docker-compose or the .env file.
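As an added example (not part of didmos2-auth or SATOSA), the following stand-alone script takes the parsed form of a backend configuration like the one above, resolves the !ENV references against a constructed environment, and lists the settings a reviewer would want to double-check before deploying. The "!ENV NAME" strings, the metadata URL and the file paths are constructed stand-ins; the real YAML loader resolves the !ENV tag itself.

```python
# Parsed form of the example backend config above (constructed; strings that
# start with "!ENV " stand in for the YAML !ENV tag resolved by the loader).
EXAMPLE_CONFIG = {
    "module": "satosa.backends.saml2.SAMLBackend",
    "name": "Saml2",
    "config": {
        "entityid_endpoint": True,
        "sp_config": {
            "key_file": "!ENV SATOSA_SAML_BE_SP_KEY_FILE",
            "cert_file": "!ENV SATOSA_SAML_BE_SP_CERT_FILE",
            "metadata": {"remote": [{"url": "https://idp.example.test/metadata.xml"}]},
            "accepted_time_diff": 60,
            "service": {"sp": {"want_response_signed": False, "allow_unsolicited": True}},
        },
    },
}

# Constructed environment, as the compose project's .env file would provide it.
EXAMPLE_ENV = {"SATOSA_SAML_BE_SP_KEY_FILE": "/etc/satosa/sp.key",
               "SATOSA_SAML_BE_SP_CERT_FILE": "/etc/satosa/sp.crt"}


def resolve_env(value, env):
    """Recursively replace "!ENV NAME" strings with env[NAME]; fail if NAME is unset."""
    if isinstance(value, dict):
        return {k: resolve_env(v, env) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve_env(v, env) for v in value]
    if isinstance(value, str) and value.startswith("!ENV "):
        name = value[5:].strip()
        if name not in env:
            raise KeyError(f"environment variable {name} is referenced but not set")
        return env[name]
    return value


def audit_backend(backend, env, max_time_diff=300):
    """Return review findings for one SAML2 backend config (empty list = nothing to flag)."""
    sp_config = resolve_env(backend["config"], env)["sp_config"]
    sp = sp_config.get("service", {}).get("sp", {})
    findings = []
    if not sp_config.get("key_file") or not sp_config.get("cert_file"):
        findings.append("key_file/cert_file missing: the SP cannot sign its requests")
    for src in sp_config.get("metadata", {}).get("remote", []):
        if not src["url"].startswith("https://"):
            findings.append(f"IdP metadata fetched without TLS: {src['url']}")
    if sp.get("want_response_signed") is False:
        findings.append("want_response_signed is false: verify that assertions themselves must be signed")
    if sp.get("allow_unsolicited"):
        findings.append("allow_unsolicited is true: IdP-initiated responses with no matching request are accepted")
    if sp_config.get("accepted_time_diff", 0) > max_time_diff:
        findings.append(f"accepted_time_diff {sp_config['accepted_time_diff']}s exceeds {max_time_diff}s")
    return findings
```

Run against the example, the audit reports the two weakened signature/unsolicited settings and nothing else; a missing environment variable fails loudly instead of silently yielding an empty key path.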
Activating the SAML2 Backend
The activation of the SAML2 backend, and in fact of all backends, works in the same way as described in the Activating the OIDC Backend section. Therefore, please refer to that section to learn more about activating the SAML2 Backend.
Duplicating SAML2 backend with different configurations for additional IdPs
Please also note that multiple SAML2 backends can be added, each with a different configuration to connect to a different IdP. The development steps required to duplicate a backend are the same as those described in the Duplicating OIDC backend with different configurations for additional OPs section. Therefore, please refer to that section in order to set up multiple SAML2 backends.