To use SAML as Identity Provider in the Curity Identity Server, you must create a SAML IDP Profile. The following settings must be configured:
user-authentication
service-providers
metadata
endpoints
attributes
assertions
The SAML IDP Service will always authenticate a user when answering an authentication request, so before actually creating a SAML IDP profile, make sure that you have configured an Authentication profile that is used by the SAML IDP Service to fulfill the user authentication requirement.
It is also recommended to consider which attributes are to be included in the assertions that are issued by the SAML IDP Service. The attributes can be established during user authentication or resolved by the SAML IDP Service when the assertion is issued. The attributes that are included in assertions are configured in the SAML IDP profile.
By default, the SAML IDP Service uses the location of the IDP’s metadata as its EntityId. This is regardless of whether the metadata for the profile is enabled.
In case the default EntityId is not suitable, it can be overridden by setting the issuer-override configuration option in the SAML IDP profile. This allows you to specify a custom EntityId that is used to identify the SAML IDP Service in SAML messages.
A SAML entity that requests authentication from the SAML IDP Service is referred to as a SAML Service Provider. The SAML IDP Service can interact with multiple SAML Service Providers, and each Service Provider can have its own configuration, such as the EntityId, assertion consumer services, and supported bindings.
The SAML IDP Service currently supports one endpoint, the Single Sign-On (SSO) endpoint. This endpoint is used to handle authentication requests from SAML Service Providers conforming to the SAML Web SSO profile. The SSO endpoint is responsible for receiving authentication requests, authenticating users, and issuing assertions in the response.
Part of the Single Sign-On endpoint is serving the SAML IDP Service’s metadata, which can be used by SAML Service Providers to discover the SAML IDP Service and to configure their interactions with it. The metadata includes information about the SAML IDP Service, such as its endpoints, supported bindings, and public keys for signature verification.
The response to an authentication request from a SAML Service Provider contains a SAML assertion. This assertion contains information about the authenticated user and can include attributes that are relevant to the Service Provider.
By default, no metadata is published by the SAML IDP Service. However, you can enable metadata publication in the SAML IDP profile. When enabled, the metadata is published at the SSO endpoint with /metadata appended to the path, and it can be used by SAML Service Providers to discover the SAML IDP Service and to configure their interactions with it.
For example, if the Curity instance is hosted at https://idp.example.com, and the SSO endpoint is deployed at /idp/sso, then the metadata (when enabled) is published at https://idp.example.com/idp/sso/metadata.
Note: the default EntityId in this case is https://idp.example.com/idp/sso/metadata.