SAML Identity Provider¶
The Onegini IdP can act as a SAML Service Provider (SP), allowing users to authenticate against an external SAML Identity Provider. The user data returned in the SAML AuthnResponse can be parsed and used to create a new user account within Onegini IdP. This chapter guides you through all the steps required to configure and use an external SAML IdP with Onegini IdP.
To successfully complete this topic guide, make sure the following prerequisites are met:
- An Onegini IdP instance must be running; for the sake of this guide we assume it is available at http://idp-core.dev.onegini.me
- Onegini IdP must have the Username & password identity provider configured
- An external IdP (an Identity Provider of the SAML type) must be running separately from Onegini IdP
Configure Onegini IdP as a Service Provider in external IdP¶
To allow communication over the SAML protocol between Onegini IdP and the external IdP, both parties need to exchange their metadata. Go to http://idp-core.dev.onegini.me:8080/saml/metadata (replace idp-core.dev.onegini.me:8080 with the host and port of your own Onegini IdP instance) to obtain the SP metadata. Then open your external IdP's configuration page, register a new Service Provider, and provide the metadata you have just fetched. The SP metadata carries the entity ID, the endpoint(s) to which the external IdP will return responses and the certificates for the SAML keys described in the Configure SAML Keys chapter, so it must be imported exactly as served; if you later change those keys, the metadata has to be exchanged again.
Configure external SAML IdP in Onegini IdP¶
To register an external SAML IdP as an Identity Provider in Onegini IdP, you first need to obtain its metadata. Check your external IdP's documentation to see where it is published. Next, visit http://idp-core.dev.onegini.me:8082/admin and log in to the Onegini IdP admin console. Select the Config menu option and navigate to the Identity Providers tab. Click the + button to create a new Identity Provider configuration. Fill in the form as follows:
- Type - open the dropdown list and select SAML
- Name - name your external IdP instance
- Authentication Level - choose an authentication level
- Enabled - mark your Identity Provider as enabled
- IDP-Metadata - paste your Identity Provider metadata
At this stage you can save your configuration and skip to Testing, or proceed to the next chapter to define attribute mappings.
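The two metadata exchanges above (SP metadata served by Onegini IdP at /saml/metadata, and the external IdP's metadata pasted into the IDP-Metadata field) are easy to get subtly wrong. The following is an added example, not code from the Onegini product or this guide: it summarises a SAML metadata document so you can check, before registering it on the other side, which entity ID, endpoints, certificates and signing flags the other party will end up trusting. The two metadata documents, the entityID values, the /saml/SSO location and the certificate bytes are constructed for this example and are not taken from the guide.

```python
# Added example, not part of the Onegini product or this guide: summarise a
# SAML metadata document before exchanging it, so that what the other party
# will trust (entity ID, endpoints, certificates, signing flags) is visible.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata in the shape served at /saml/metadata. The entityID,
# the /saml/SSO location and the (tiny, fake) certificate bytes are assumptions.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="http://idp-core.dev.onegini.me:8080/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        AAECAwQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://idp-core.dev.onegini.me:8080/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed metadata of an external IdP (host name invented). A KeyDescriptor
# without a "use" attribute applies to both signing and encryption.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://saml.example.test/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>BQYHCAk=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://saml.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _fingerprints(descriptor, use):
    """SHA-256 fingerprints of the DER certificates published for the given use."""
    out = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):  # no "use" means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))
                out.append(hashlib.sha256(der).hexdigest())
    return out


def summarize(metadata_xml):
    """Return the trust-relevant content of an SP or IdP metadata document."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        role, desc, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
    elif idp is not None:
        role, desc, endpoint_tag = "IdP", idp, "md:SingleSignOnService"
    else:
        raise ValueError("metadata has neither SPSSODescriptor nor IDPSSODescriptor")
    endpoints = [(e.get("Binding"), e.get("Location")) for e in desc.findall(endpoint_tag, NS)]
    summary = {
        "entity_id": root.get("entityID"),
        "role": role,
        "endpoints": endpoints,
        "signing_fingerprints": _fingerprints(desc, "signing"),
        "encryption_fingerprints": _fingerprints(desc, "encryption"),
        "want_assertions_signed": desc.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": desc.get("AuthnRequestsSigned") == "true",
        "warnings": [],
    }
    warnings = summary["warnings"]
    if not summary["signing_fingerprints"]:
        warnings.append("no signing certificate: messages from this party cannot be verified")
    if role == "SP" and not summary["want_assertions_signed"]:
        warnings.append("SP does not demand signed assertions")
    for _, location in endpoints:
        if location and not location.startswith("https://"):
            warnings.append(f"endpoint is not https: {location}")
    return summary


if __name__ == "__main__":
    for doc in (SP_METADATA, IDP_METADATA):
        print(summarize(doc))
```

Compare the printed fingerprints with the certificates you see in the other party's admin console; a mismatch usually means stale metadata from before a key change. The non-https warning fires for the development address used in this guide and is expected there, but not in production.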
Configure SAML signing and encryption keys¶
Please refer to the Configure SAML Keys chapter to learn how to configure and manage SAML keys.
Attribute mappings¶
As you may have noticed, the Identity Provider configuration form also lets you define attribute mappings. This functionality lets you define "translations" between the attributes in the user's SAML assertion and Onegini IdP's user attributes, including custom attributes. For more information about attribute mappings, see the Attribute Mappings topic guide.
You can allow users to register within Onegini IdP seamlessly when they log in with an external SAML IdP. There are, however, some prerequisites:
- The Just-in-time external IdP sign-up enabled feature needs to be enabled (it can be found in the Config > Feature management tab)
- Attribute mappings need to be defined for all mandatory user attributes. By default Onegini IdP requires the email address, phone number, first name and last name attributes to be present. You can change the required attributes in the admin console under the Config > Attributes tab.
With this configuration the user should not see the sign-up form when they log in to Onegini IdP via the external SAML IdP. If a mandatory attribute is not mapped, or the external IdP does not send it, the sign-up form is still shown so that the user can supply the missing data.
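The following is an added example, not Onegini code, showing the check behind the second prerequisite: the attributes in a SAML assertion are translated through a mapping, and just-in-time sign-up is only possible when every mandatory attribute is present afterwards. The internal attribute names (email, phone, first_name, last_name), the mapping tables, the assertion fragment and its values are all constructed for this example; the SAML attribute names on the left of the mapping are the standard LDAP OIDs for mail, givenName, sn and telephoneNumber.

```python
# Added example, not Onegini code: apply an attribute mapping to the
# AttributeStatement of a SAML assertion and check that every mandatory user
# attribute is present. That is the condition under which just-in-time sign-up
# can create the account without showing the sign-up form.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The four attributes the guide lists as mandatory by default. The internal
# names used here are assumptions, not Onegini identifiers.
MANDATORY = ("email", "phone", "first_name", "last_name")

# Example mappings from SAML attribute Name (standard LDAP OIDs) to the assumed
# internal attribute names: one complete mapping and one that forgot the phone.
MAPPING_FULL = {
    "urn:oid:0.9.2342.19200300.100.1.3": "email",  # mail
    "urn:oid:2.5.4.42": "first_name",              # givenName
    "urn:oid:2.5.4.4": "last_name",                # sn
    "urn:oid:2.5.4.20": "phone",                   # telephoneNumber
}
MAPPING_WITHOUT_PHONE = {k: v for k, v in MAPPING_FULL.items() if v != "phone"}

# Constructed assertion fragment (all values invented); signature omitted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://saml.example.test/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.20"><saml:AttributeValue>+31600000000</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.12"><saml:AttributeValue>Engineer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {SAML attribute Name: [values...]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_attributes(saml_attrs, mapping):
    """Translate SAML attribute names to profile fields; unmapped ones are dropped."""
    profile = {}
    for saml_name, values in saml_attrs.items():
        field = mapping.get(saml_name)
        if field is None:
            continue
        # Take the first non-empty value; an empty AttributeValue counts as absent.
        non_empty = [v for v in values if v]
        if non_empty:
            profile[field] = non_empty[0]
    return profile


def missing_mandatory(profile, mandatory=MANDATORY):
    """Mandatory fields the mapped profile does not carry."""
    return [name for name in mandatory if name not in profile]


def jit_signup_possible(assertion_xml, mapping, mandatory=MANDATORY):
    """True when the mapped assertion carries every mandatory attribute."""
    profile = map_attributes(extract_attributes(assertion_xml), mapping)
    return not missing_mandatory(profile, mandatory)


if __name__ == "__main__":
    for name, mapping in (("full", MAPPING_FULL), ("no phone", MAPPING_WITHOUT_PHONE)):
        profile = map_attributes(extract_attributes(ASSERTION), mapping)
        print(name, profile, "missing:", missing_mandatory(profile))
```

Run against a real assertion captured from your external IdP (for example the SAMLResponse decoded from the browser's POST to the SP), the missing list tells you exactly which mapping or required-attribute setting to fix before enabling just-in-time sign-up. Note that the attribute the mapping does not know (the title OID) is silently dropped rather than copied into the profile.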
An optional element passed in the authentication request (AuthnRequest) is NameIDPolicy. Onegini IdP allows the desired NameIDFormat to be set. It specifies the format of the NameID that the external IdP returns. The default value is
If there is a need not to send the NameIDPolicy element, it can be turned off by choosing the
In that case the external IdP chooses the format of the NameID itself.
Changing this value can cause existing accounts that were registered through this IdP, or that are coupled with it, to stop working: the NameID is the identifier that links the external account to the Onegini IdP account, and a different format generally yields a different NameID value for the same user, so the existing link no longer matches.
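As an added example that is not Onegini code, the following builds a minimal SAML 2.0 AuthnRequest either with a NameIDPolicy carrying the requested Format or without the element altogether, and reads the requested format back from a request. The entity IDs and endpoint URLs in the usage are invented; the format URIs are the standard ones from the SAML 2.0 core specification, and nothing here states what Onegini IdP's own default is.

```python
# Added example, not Onegini code: build a SAML 2.0 AuthnRequest with or
# without the optional NameIDPolicy element, and read the policy back.
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Standard NameID formats from the SAML 2.0 core specification (not Onegini-specific).
FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FORMAT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def build_authn_request(issuer, acs_url, destination, name_id_format=None, allow_create=True):
    """Serialise an AuthnRequest. name_id_format=None omits NameIDPolicy entirely,
    leaving the choice of NameID format to the IdP. The request is not signed here."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # IDs must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": now,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer  # Issuer precedes NameIDPolicy
    if name_id_format is not None:
        ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {
            "Format": name_id_format,
            "AllowCreate": "true" if allow_create else "false",
        })
    return ET.tostring(req, encoding="unicode")


def requested_name_id_format(authn_request_xml):
    """Format the SP asked for, or None when no NameIDPolicy was sent."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


if __name__ == "__main__":
    # Invented SP and IdP identifiers for the demonstration.
    for fmt in (FORMAT_EMAIL, FORMAT_PERSISTENT, None):
        xml = build_authn_request("https://sp.example.test/saml/metadata",
                                  "https://sp.example.test/saml/SSO",
                                  "https://saml.example.test/sso", fmt)
        print(requested_name_id_format(xml), "\n", xml, "\n")
```

The caveat in the text follows directly from this: an emailAddress NameID and a persistent NameID for the same user are different strings, so accounts linked under one format will not be found after switching to the other. Decide the format before the first user signs up through the IdP, and treat a later change as a migration of existing links rather than a configuration tweak.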
Testing¶
To ensure the external IdP has been configured correctly, test whether Onegini IdP lets you log in with the external SAML IdP. Visit the Onegini IdP login page at http://idp-core.dev.onegini.me:8080 and click the icon of the SAML Identity Provider below the login form. If you cannot see the login form, make sure that, besides the newly created external SAML IdP, you also have an instance of the Username & password IdP configured. You should be redirected to your external IdP and prompted for authentication. Once you have logged in successfully, you are redirected back to the Onegini IdP sign-up page (if Just-in-time external IdP sign-up enabled is not configured) or to the home page.