This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

FieldDescriptionSample value
Enable SAML2 Web SSOSelecting this option enables SAML2 Web SSO to be used as an authenticator for users provisioned to the Identity Server.Selected
DefaultSelecting the Default checkbox signifies that SAML2 Web SSO is the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators.Selected
Identity Provider Entity IdThis is basically the <Issuer> value of the SAML2 response from the identity provider you are configuring. This value must be a unique string among identity providers inside the same tenant. This information should be taken from the external Identity provider.https://idp.example.org/idp/shibboleth
Service Provider Entity Id

This is the entity ID of the Identity Server. This can be any value but when you configure a service provider in the external IDP you should give the same value as the Service Provider Entity Id.

wso2is
SSO URLThis is the URL that you want to send the SAML request to. This information should be taken from the external Identity provider.

https://localhost:8443/idp/profile/SAML2/Redirect/SSO

Enable Authentication Request SigningSelecting this checkbox enables you to sign the authentication request. If this is enabled, you must sign the request using the private key of the identity provider.Selected
Enable Assertion EncryptionThis is a security feature where you can encrypt the SAML2 Assertions returned after authentication. So basically, the response must be encrypted when this is enabled.Selected
Enable Assertion Signing

Select Enable Assertion Signing to sign the SAML2 Assertions returned after the authentication. SAML2 relying party components expect these assertions to be signed by the Identity Server.

Selected
Enable LogoutSelect Enable Single Logout so that all sessions are terminated once the user signs out from one server.Selected
Logout URL
If the external IDP support for logout you can select Enable Logout. Then you can set the URL of the external IDP, where you need to send the logout request, under Logout URL. If you do not set a value for this it will simply return to the SSO URL.
https://localhost:8443/idp/samlsso/logout
Enable Logout Request SigningSelecting this checkbox enables you to sign the logout request.Selected
Enable Authentication Response Signing

Select Enable Authentication Response Signing to sign the SAML2 responses returned after the authentication.

Selected
Signature Algorithm

Specifies the SignatureMethod algorithm to be used in the Signature element for POST binding and SigAlg HTTP Parameter for REDIRECT binding. The expandable Signature Algorithms table that is given below lists the usable algorithms and their respective URIs that can be sent in the actual SAML request.

Default value is RSA with SHA1.
Digest Algorithm

Specifies the DigestMethod algorithm to be used in the Signature element for POST binding. The Digest Algorithms table that is given below lists the usable algorithms and their respective URIs that can be sent in the actual SAML request.

Default value is SHA1.
Attribute Consuming Service IndexSpecifies the AttributeConsumingServiceIndex attribute.By default, this field is empty. Therefore, this attribute is not sent with the request unless a value is defined.
Enable Force AuthenticationEnable force authentication or decide if force authentication needs to be enabled as per the request.
This affects the ForceAuthn attribute.
Default value is As Per Request.
Include Public CertificateIncludes the public certificate in the request.Selected by default.
Include Protocol BindingIncludes the ProtocolBinding attribute in the request.Selected by default.
Include NameID PolicyIncludes the NameIDPolicy element in the request. Selected by default.
Include Authentication ContextIncludes a new RequestedAuthnContext element in the request, or reuses the context that is sent via the request.Default value is Yes.
Authentication Context Class

Choose an Authentication Context Class Reference (AuthnContextClassRef) to be included in the requested authentication context from the Identity Server, which specifies the authentication context requirements of authentication statements returned in the response. The Authentication Context Class table below lists the usable classes and their respective URIs that can be sent in the SAML  request   from the Identity Server to trusted IdP.

Default value is PasswordProtectedTransport.
Authentication Context Comparison Level

Choose the Requested Authentication Context ‘Comparison’ attribute to be sent which specifies the comparison method used to evaluate the requested context classes or statements.

  • If Comparison is set to exact or omitted, the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
  • If Comparison is set to minimum, then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
  • If Comparison is set to better, then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
  • If Comparison is set to maximum, then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.
 Default value is Exact.
SAML2 Web SSO User Id LocationSelect whether the User ID is found in the Name Identifier or if it is found among claims. If the user ID is found among the claims, it can override the User ID Claim URI configuration in the identity provider claim mapping section.User ID found among claims.
HTTP BindingSelect the HTTP binding details that are relevant for your scenario. This refers to how the request is sent to the identity provider. HTTP-Redirect and HTTP-POST are standard means of sending the request. If you select As Per Request, it can handle any type of request.HTTP-POST

Anchor
Query Parameter
Query Parameter
Additional Query Parameters

This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by WSO2 IS or application. Those values can be specified here so that they can be sent along with the SAML request.

Info

If you want to send query parameters that need to be updated dynamically with each SAML request, you need to make sure WSO2 IS 5.3.0 is WUM updated until 2018-01-15 or beyond. The dynamic value needs to be defined within parenthesis.This value should be the key of the query parameter sent in the SAML request URL.
Example: locale={lang}

Multiple parameters can be defined by separation of query parameters using the & character.

Example: locale={lang}$scope&scope=openid email profile
paramName1=value1

...