Class SamlFederationFilterHeaplet

  • All Implemented Interfaces:
    Heaplet

    public final class SamlFederationFilterHeaplet
    extends AbstractSamlFederationHeaplet
    The SAML federation filter works like other SSO-type filters. A request that passes through the filter and neither triggers the logout expression nor matches one of the SAML endpoints is checked for a valid session. If the session is valid, the request passes to the next handler; if it is not, the default SP-initiated SSO processing is triggered.
     {
        "type": "SamlFederationFilter",
        "config": {
           "redirectURI"               : string            [REQUIRED - the URI to use after IDP initiated SSO processing
                                                                       has been completed and either no RelayState
                                                                       has been specified or no defaultRelayState
                                                                       value has been set in the SP extended metadata.]
           "assertionMapping"          : map               [REQUIRED - instance of Map<String, String>, used to map
                                                                       attributes provided in the Assertion to
                                                                       attribute names when set into the Session.
                                                                       No attributes are mapped by default.]
           "subjectMapping"            : string            [OPTIONAL - used to map the Assertion Subject
                                                                       into the Session. Defaults to
                                                                       'subjectMapping' if not specified.]
           "sessionIndexMapping"       : string            [OPTIONAL - used to map the Assertion
                                                                       SessionIndex value into the
                                                                       Session. Defaults to 'sessionIndexMapping'
                                                                       if not specified.]
           "authnContext"              : string            [OPTIONAL - used to map the Assertion
                                                                       authentication context values into the
                                                                       Session. Defaults to 'authnContext'
                                                                       if not specified.]
           "authnContextDelimiter"     : string            [OPTIONAL - used as the delimiter when there are multiple
                                                                       authentication contexts. Defaults to '|' if not
                                                                       specified.]
           "assertionConsumerEndpoint" : string            [OPTIONAL - used as part of the URI that designates the
                                                                       assertion consumer endpoint as defined in the SP's
                                                                       metadata shared with the IDP. Defaults to
                                                                       'fedletapplication' if not specified.]
           "SPinitiatedSSOEndpoint"    : string            [OPTIONAL - used as part of the URI that designates the
                                                                       SP initiated SSO endpoint. Defaults to
                                                                       'SPInitiatedSSO' if not specified.]
           "SPinitiatedSLOEndpoint"    : string            [OPTIONAL - used as part of the URI that designates the
                                                                       SP initiated SLO endpoint. Defaults to
                                                                       'SPInitiatedSLO' if not specified.]
           "singleLogoutEndpoint"      : string            [OPTIONAL - used as part of the URI that designates the
                                                                       SP SLO endpoint as defined in the SP's
                                                                       metadata shared with the IDP. Defaults to
                                                                       'fedletSloRedirect' if not specified.]
           "singleLogoutEndpointSoap"  : string            [OPTIONAL - used as part of the URI that designates the
                                                                       SP SLO SOAP endpoint as defined in the SP's
                                                                       metadata shared with the IDP. Defaults to
                                                                       'fedletSloSoap' if not specified.]
           "useOriginalUri"            : boolean           [OPTIONAL - when set to true, specifies that the originalUri
                                                                       is used in preference to the request URI when
                                                                       validating the various SAML URIs. Defaults to
                                                                       'true' if not specified.]
           "redirectionMarker"         : {                 [OPTIONAL - configures the redirectionMarker, which is added
                                                                       by default without having to specify this
                                                                       configuration item.]
             "enabled"                 : boolean           [OPTIONAL - if true, the redirection marker will be used to
                                                                       protect against infinite authentication loops.
                                                                       Defaults to true.]
             "name"                    : string            [OPTIONAL - the name of the redirectionMarker query parameter
                                                                       to use when the redirectionMarker is enabled.
                                                                       Defaults to "_ig".]
           }
           "logoutExpression"          : booleanExpression [OPTIONAL - a boolean expression that, if it evaluates to
                                                                       true, will trigger an SP initiated SLO.]
           "logoutURI"                 : string            [OPTIONAL - URI to redirect to after a successful logout;
                                                                       the original URI will be used when not specified.]
           "secretsProvider"           : SecretsProvider   [OPTIONAL - secrets provider used to obtain secrets.
                                                                       REQUIRED if 'SecretsSaml2CredentialResolver'
                                                                       is used.]
           "spEntityId"                : string            [OPTIONAL - the SP Entity ID that this SP represents, required
                                                                       when there is more than one SP defined in the
                                                                       SAML metadata to avoid the incorrect SP being
                                                                       selected by default.]
           "failureHandler"            : Handler           [OPTIONAL - a failure handler to be invoked when there is an
                                                                       error during SAML processing. Defaults to
                                                                       SamlSupport.defaultFailureHandler().]
        }
      }
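    As an added example (not taken from the class documentation or from the product's own samples), the filter placed in a route Chain, showing how the mapping, logout and loop-protection settings above fit together. The route name, paths, entity ID, attribute names, and the referenced heap objects "SamlSecrets" and "SamlFailureHandler" are constructed placeholders; the "//" comments explain choices and must be removed for a strict JSON parser.

```json
{
  "name": "saml-protected-app",
  "condition": "${find(request.uri.path, '^/app')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "SamlFederationFilter",
          "config": {
            // Landing page after IDP-initiated SSO when the IDP sends no RelayState.
            "redirectURI": "/app/home",
            // Only these Assertion attributes reach the Session, under the names on the left;
            // anything the IDP sends but is not listed here is dropped (constructed names).
            "assertionMapping": {
              "username": "mail",
              "role": "memberOf"
            },
            "subjectMapping": "samlSubject",
            "sessionIndexMapping": "samlSessionIndex",
            "authnContext": "samlAuthnContext",
            "authnContextDelimiter": "|",
            // Validate SAML endpoint URIs against the URI the client actually requested.
            "useOriginalUri": true,
            // Marker query parameter that stops an SSO redirect loop with the IDP.
            "redirectionMarker": {
              "enabled": true,
              "name": "_ig"
            },
            // An exact /app/logout request triggers SP-initiated SLO, then lands on logoutURI.
            "logoutExpression": "${find(request.uri.path, '^/app/logout$')}",
            "logoutURI": "/app/loggedout",
            // Pin the SP when the metadata file describes more than one (placeholder value).
            "spEntityId": "https://sp.example.com/saml",
            // Both names refer to objects assumed to be declared in the route's heap.
            "secretsProvider": "SamlSecrets",
            "failureHandler": "SamlFailureHandler"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

    Downstream handlers should read identity only from the mapped Session attributes, since the mapping is the single place where IDP-supplied values are admitted.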