SAML login with social identity provider
Onegini IdP can 'force' users to log in with a specific identity provider by providing a specific authentication context based on the IdP alias, for example `urn:com:onegini:saml:idp-alias:<ENTER-IDP-ALIAS-HERE>`. The IdP alias is specified during IdP creation and cannot be changed afterwards.
If an unsupported or disabled IdP is provided in the authentication context, the response will contain the authentication context status (`NoAuthnContext`).
For backwards compatibility, we keep supporting the old way to specify the authentication context, based on the IdP type. Example: `urn:com:onegini:saml:idp-alias:<ENTER-IDP-TYPE-HERE>`. For multiple IdPs with the same type this is ambiguous, so it should not be used anymore.
We support the following identity providers, with a few exceptions (see below):
| Name | Identifier |
|------|------------|
| SAML | saml |
| LDAP | ldap |
Authentication context exceptions
The SAML specification has built-in authentication contexts for password and Kerberos. For these two you can use either the custom context (`urn:com:onegini:saml:idp:<ENTER-IDP-TYPE-HERE>`) or the contexts specified by SAML (`urn:oasis:names:tc:SAML:2.0:ac:classes:Password` and `urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos`).
Example SAML authentication request to log in with Facebook:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://serviceprovider/saml/SSO"
                     Destination="http://idp.dev.onegini.me/saml/single-sign-on" ForceAuthn="false"
                     ID="aggbe3b490a74eb5baifcj4c1455d4" IsPassive="false" IssueInstant="2017-05-24T08:02:36.414Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">service:provider:entity:id</saml2:Issuer>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:facebook</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
```
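As an added example (not Onegini's code), the following Python builds the alias-based `RequestedAuthnContext` described above and checks a SAML Response for the `NoAuthnContext` status returned for an unsupported or disabled IdP. The alias `my-facebook-idp` and the sample response are constructed; the nested Responder/NoAuthnContext layout follows the SAML 2.0 core status-code scheme.

```python
# Added example (not Onegini's code): force a specific IdP via its alias and
# detect the NoAuthnContext status in the IdP's SAML Response.
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

ALIAS_PREFIX = "urn:com:onegini:saml:idp-alias:"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def requested_authn_context(idp_alias: str) -> ET.Element:
    """Return <saml2p:RequestedAuthnContext Comparison="exact"> carrying the
    alias-based AuthnContextClassRef for idp_alias (alias form, not the
    deprecated IdP-type form)."""
    if not idp_alias.strip():
        raise ValueError("IdP alias must not be empty")
    ctx = ET.Element(f"{{{NS['saml2p']}}}RequestedAuthnContext", Comparison="exact")
    ref = ET.SubElement(ctx, f"{{{NS['saml2']}}}AuthnContextClassRef")
    ref.text = ALIAS_PREFIX + idp_alias.strip()
    return ctx


def status_codes(response_xml: str) -> list:
    """Collect every StatusCode Value in the Response, outermost first."""
    root = ET.fromstring(response_xml)
    return [sc.get("Value") for sc in root.iter(f"{{{NS['saml2p']}}}StatusCode")]


def rejected_authn_context(response_xml: str) -> bool:
    """True when the IdP answered NoAuthnContext, i.e. the requested alias or
    type is unknown or disabled; the SP should not treat this as a login."""
    return NO_AUTHN_CONTEXT in status_codes(response_xml)


# Constructed sample response: Responder at the top level, NoAuthnContext as
# the nested second-level StatusCode (SAML 2.0 core status-code scheme).
SAMPLE_REJECTION = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-resp-1" Version="2.0" IssueInstant="2017-05-24T08:02:37Z">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </saml2p:StatusCode>
  </saml2p:Status>
</saml2p:Response>"""

if __name__ == "__main__":
    print(ET.tostring(requested_authn_context("my-facebook-idp"), encoding="unicode"))
    print(status_codes(SAMPLE_REJECTION), rejected_authn_context(SAMPLE_REJECTION))
```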