SamlFederationHandler (deprecated)
This handler is deprecated; use the SamlFederationFilter instead. |
A handler to play the role of SAML 2.0 Service Provider (SP).
Consider the following requirements for SamlFederationHandler:
-
This handler does not support filtering; do not use it as the handler for a chain, which can include filters.
-
Do not use this handler when its use depends on something in the response. The response can be handled independently of PingGateway, and can be
null
when control returns to PingGateway. For example, do not use this handler in aSequenceHandler
where thepostcondition
depends on the response. -
Requests to the SamlFederationHandler must not be rebased, because the request URI must match the endpoint in the SAML metadata.
SAML in deployments with multiple instances of PingGateway
When PingGateway acts as a SAML service provider, session information is stored in the fedlet not the session cookie. In deployments with multiple instances of PingGateway as a SAML service provider, it is necessary to set up sticky sessions so that requests always hit the instance where the SAML interaction was started.
For information, refer to Session state considerations in AM’s SAML v2.0 guide.
Usage
{
"name": string,
"type": "SamlFederationHandler",
"config": {
"assertionMapping": map or configuration expression<map>,
"redirectURI": configuration expression<url>,
"secretsProvider": SecretsProvider reference,
"assertionConsumerEndpoint": configuration expression<url>,
"authnContext": configuration expression<string>,
"authnContextDelimiter": configuration expression<string>,
"logoutURI": configuration expression<url>,
"sessionIndexMapping": configuration expression<string>,
"singleLogoutEndpoint": configuration expression<url>,
"singleLogoutEndpointSoap": configuration expression<url>,
"SPinitiatedSLOEndpoint": configuration expression<url>,
"SPinitiatedSSOEndpoint": configuration expression<url>,
"useOriginalUri": configuration expression<boolean>,
"subjectMapping": configuration expression<string>
}
}
Properties
"assertionMapping"
: map or configuration expression<map>, required-
A map with the format
Map<String, String>
, where:-
Key: Session name,
localName
-
Value: SAML assertion name,
incomingName
, or a configuration expression that evaluates to the name
The following formats are allowed:
{ "assertionMapping": { "string": "configuration expression<string>", ... } }
{ "assertionMapping": "configuration expression<map>" }
In the following example, the session names
username
andpassword
are mapped to SAML assertion namesmail
andmailPassword
:{ "assertionMapping": { "username": "mail", "password": "mailPassword" } }
If an incoming SAML assertion contains the following statement:
mail = demo@example.com mailPassword = demopassword
Then the following values are set in the session:
username[0] = demo@example.com password[0] = demopassword
For this to work, edit the
<Attribute name="attributeMap">
element in the SP extended metadata file,$HOME/.openig/SAML/sp-extended.xml
, so that it matches the assertion mapping configured in the SAML 2.0 Identity Provider (IDP) metadata.Because the dot character (
.
) serves as a query separator in expressions, do not use dot characters in the localName.To prevent different handlers from overwriting each others' data, use unique localName settings when protecting multiple service providers.
-
"redirectURI"
: configuration expression<url>, required-
The page that the filter used to HTTP POST a login form recognizes as the login page for the protected application.
This is how PingGateway and the Federation component work together to provide SSO. When PingGateway detects the login page of the protected application, it redirects to the Federation component. Once the Federation handler validates the SAML exchanges with the IDP, and sets the required session attributes, it redirects back to the login page of the protected application. This allows the filter used to HTTP POST a login form to finish the job by creating a login form to post to the application based on the credentials retrieved from the session attributes.
"secretsProvider"
: SecretsProvider reference, optional-
The SecretsProvider to query for keys when AM provides signed or encrypted SAML assertions.
+ When this property isn’t set, the keys are provided by direct keystore look-ups based on entries in the SP extended metadata file,
sp-extended.xml
.+ Default: Empty.
"assertionConsumerEndpoint"
: configuration expression<string>, optional-
Default:
fedletapplication
(same as the Fedlet)If you modify this attribute, change the metadata to match.
"authnContext"
: configuration expression<string>, optional-
Name of the session field to hold the value of the authentication context. Because the dot character (
.
) serves as a query separator in expressions, do not use dot characters in the field name.Use this setting when protecting multiple service providers, as the different configurations must not map their data into the same fields of
session
. Otherwise different handlers can overwrite each others' data.As an example, if you set
"authnContext": "myAuthnContext"
, then PingGateway setssession.myAuthnContext
to the authentication context specified in the assertion. When the authentication context is password over protected transport, then this results in the session containing"myAuthnContext": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
.Default: map to
session.authnContext
"authnContextDelimiter"
: configuration expression<string>, optional-
The authentication context delimiter used when there are multiple authentication contexts in the assertion.
Default:
|
"logoutURI"
: configuration expression<string>, optional-
Set this to the URI to visit after the user is logged out of the protected application.
You only need to set this if the application uses the single logout feature of the Identity Provider.
"sessionIndexMapping"
: configuration expression<string>, optional-
Name of the session field to hold the value of the session index. Because the dot character (
.
) serves as a query separator in expressions, do not use dot characters in the field name.Use this setting when protecting multiple service providers, as the different configurations must not map their data into the same fields of
session
. Otherwise different handlers can overwrite each others' data.As an example, if you set
"sessionIndexMapping": "mySessionIndex"
, then PingGateway setssession.mySessionIndex
to the session index specified in the assertion. This results in the session containing something like"mySessionIndex": "s24ccbbffe2bfd761c32d42e1b7a9f60ea618f9801"
.Default: map to
session.sessionIndex
"singleLogoutEndpoint"
: configuration expression<string>, optional-
Default:
fedletSLORedirect
(same as the Fedlet)If you modify this attribute, change the metadata to match.
"singleLogoutEndpointSoap"
: configuration expression<string>, optional-
Default:
fedletSloSoap
(same as the Fedlet)If you modify this attribute, change the metadata to match.
"SPinitiatedSLOEndpoint"
: configuration expression<string>, optional-
Default:
SPInitiatedSLO
If you modify this attribute, change the metadata to match.
"SPinitiatedSSOEndpoint"
: configuration expression<string>, optional-
Default:
SPInitiatedSSO
If you modify this attribute, change the metadata to match.
"useOriginalUri"
: configuration expression<boolean>, optional-
When
true
, use the original URI instead of a rebased URI when validating RelayState and Assertion Consumer Location URLs. Use this property if abaseUri
decorator is used in the route or inconfig.json
.Default:
false
"subjectMapping"
: configuration expression<string>, optional-
Name of the session field to hold the value of the subject name. Because the dot character (
.
) serves as a query separator in expressions, do not use dot characters in the field name.Use this setting when protecting multiple service providers, as the different configurations must not map their data into the same fields of
session
. Otherwise different handlers can overwrite each others' data.As an example, if you set
"subjectMapping": "mySubjectName"
, then PingGateway setssession.mySubjectName
to the subject name specified in the assertion. If the subject name is an opaque identifier, then this results in the session containing something like"mySubjectName": "vtOk+APj1s9Rr4yCka6V9pGUuzuL"
.Default: map to
session.subjectName
Example
For an example of how to set up PingGateway as a SAML service provider, refer to SAML.
In the following example, PingGateway receives a SAML 2.0 assertion from the IDP, and then logs the user in to the protected application using the username and password from the assertion:
{
"name": "SamlFederationHandler",
"type": "SamlFederationHandler",
"config": {
"assertionMapping": {
"username": "mail",
"password": "mailPassword"
},
"redirectURI": "/login",
"logoutURI": "/logout"
}
}