Each Service Provider that interacts with the SAML IDP Service must be configured with specific settings to ensure proper communication and security. The following sections outline the key configuration aspects for Service Providers:
Note
Service Providers are currently only stored in configuration. Upcoming versions of the Curity Identity Server will support database storage for Service Providers.
A Service Provider has an id that is used as its EntityId, which is then used to recognize (inbound) SAML messages.
The Assertion Consumer Services (ACS) are the endpoints where the SAML IDP Service sends SAML assertions (i.e. SAML Response messages). Each ACS is defined by a URL and a binding type. The binding type indicates how the SAML response will be sent to the Service Provider, such as HTTP POST or HTTP Redirect. An ACS also has an index that can be used by a Service Provider in an authentication request to indicate where the response is to be delivered.
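The two lookups described so far (recognizing the Service Provider by its EntityId, then choosing the ACS to deliver the response to) can be modelled as a small resolver. The following is an added example, not Curity code; it assumes the SAML Core rule that an authentication request names an ACS either by index or by URL and binding, never both, and that any ACS named by the request must be one the Service Provider has registered, so a request pointing at an unregistered URL is refused rather than honoured. The Service Provider registry and its endpoints are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Standard SAML 2.0 binding URIs for the two binding types named on the page.
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


@dataclass(frozen=True)
class AssertionConsumerService:
    index: int
    url: str
    binding: str
    is_default: bool = False


@dataclass(frozen=True)
class ServiceProvider:
    entity_id: str
    acs_list: tuple

    def default_acs(self) -> Optional[AssertionConsumerService]:
        """The ACS flagged as default, falling back to the first registered one."""
        for acs in self.acs_list:
            if acs.is_default:
                return acs
        return self.acs_list[0] if self.acs_list else None


# Constructed registry: one Service Provider with two registered ACS endpoints.
EXAMPLE_SP = ServiceProvider(
    entity_id="https://sp.example.com/metadata",
    acs_list=(
        AssertionConsumerService(0, "https://sp.example.com/acs/post", HTTP_POST, True),
        AssertionConsumerService(1, "https://sp.example.com/acs/redirect", HTTP_REDIRECT),
    ),
)
REGISTRY = {EXAMPLE_SP.entity_id: EXAMPLE_SP}


def find_sp(registry: dict, issuer: str) -> Optional[ServiceProvider]:
    """Recognize an inbound message by matching its Issuer against configured EntityIds."""
    return registry.get(issuer)


def resolve_acs(
    sp: ServiceProvider,
    requested_index: Optional[int] = None,
    requested_url: Optional[str] = None,
    requested_binding: Optional[str] = None,
) -> Optional[AssertionConsumerService]:
    """Pick the ACS for the response.

    Returns None when the request is malformed (index combined with URL/binding)
    or names an endpoint the Service Provider never registered, so the IdP only
    ever sends an assertion to a configured ACS.
    """
    if requested_index is not None:
        if requested_url is not None or requested_binding is not None:
            return None  # index is mutually exclusive with URL/binding (assumed SAML Core rule)
        return next((a for a in sp.acs_list if a.index == requested_index), None)
    if requested_url is not None:
        for acs in sp.acs_list:
            if acs.url == requested_url and (requested_binding is None or acs.binding == requested_binding):
                return acs
        return None  # unregistered URL: refuse rather than deliver
    return sp.default_acs()


if __name__ == "__main__":
    sp = find_sp(REGISTRY, "https://sp.example.com/metadata")
    print(resolve_acs(sp, requested_index=1))
    print(resolve_acs(sp, requested_url="https://elsewhere.example/acs"))
```

The refusal on an unregistered URL is the property worth keeping in any real implementation: the request may only select among endpoints that were configured for that Service Provider, never introduce a new one.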
Whenever an assertion is issued, there are some options that control how this is done. These options are:
The attribute configuration for a Service Provider defines which attributes are included in the SAML assertions sent to that Service Provider. The attributes can be established during user authentication or resolved by the SAML IDP Service when the assertion is issued.
The configuration allows you to select both attribute groups, as well as individual attributes. When an attribute group is selected, all the attributes of that group are included in the assertion. Individual attributes can also be selected, allowing for fine-grained control over which attributes are included.
When an attribute is selected because it is part of one or more selected groups, or because it was selected individually, it is never included more than once in the assertion. The attribute group exists purely to help manage attributes.
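The selection rules above (groups expand to their members, individual attributes add to the set, and nothing is emitted twice) amount to an ordered, de-duplicated union. The following is an added example, not Curity code; the group names, attribute names and the subject's values are constructed, and the `resolve_attributes` and `build_attribute_statement` helpers are assumptions for illustration only.

```python
from typing import Dict, Iterable, List
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed attribute groups; note that "email" belongs to two groups.
GROUPS: Dict[str, List[str]] = {
    "profile": ["given_name", "family_name", "email"],
    "contact": ["email", "phone"],
}


def resolve_attributes(selected_groups: Iterable[str], selected_attributes: Iterable[str],
                       groups: Dict[str, List[str]] = GROUPS) -> List[str]:
    """Expand selected groups and add individually selected attributes.

    Each attribute name appears at most once, in first-seen order, regardless
    of how many groups contain it or whether it was also picked individually.
    """
    seen = set()
    resolved: List[str] = []

    def add(name: str) -> None:
        if name not in seen:
            seen.add(name)
            resolved.append(name)

    for group in selected_groups:
        if group not in groups:
            raise ValueError(f"unknown attribute group: {group}")
        for name in groups[group]:
            add(name)
    for name in selected_attributes:
        add(name)
    return resolved


def build_attribute_statement(resolved_names: List[str], subject_values: Dict[str, str]) -> ET.Element:
    """Render the configured attributes as a saml:AttributeStatement.

    subject_values holds what was established at authentication or resolved at
    issuance; configured attributes with no value are simply left out.
    """
    statement = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in resolved_names:
        if name not in subject_values:
            continue
        attribute = ET.SubElement(statement, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = subject_values[name]
    return statement


def attribute_names(statement: ET.Element) -> List[str]:
    """Names of the attributes actually present in a rendered statement."""
    return [a.get("Name") for a in statement.findall(f"{{{SAML_NS}}}Attribute")]


if __name__ == "__main__":
    names = resolve_attributes(["profile", "contact"], ["email", "sub"])
    # Constructed subject data; "phone" is configured but has no value here.
    values = {"given_name": "Ada", "family_name": "Lovelace", "email": "ada@example.com", "sub": "u-1"}
    print(names)
    print(ET.tostring(build_attribute_statement(names, values), encoding="unicode"))
```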
When the authentication request requires user authentication, there are some settings that control how this is done for requests from this Service Provider. These settings relate to how Single Sign On works (e.g. whether to always force authentication or rely on previous authentication), and how the user is authenticated (e.g. which authenticators of the referenced Authentication service are to be used).