This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/providers/saml.md
2021-02-16 19:18:57 +01:00

2 KiB

title
SAML Provider

This provider allows you to integrate enterprise software using the SAML2 Protocol. It supports signed requests and uses Property Mappings to determine which fields are exposed and what values they return. This makes it possible to expose vendor-specific fields. Default fields are exposed through auto-generated Property Mappings, which are prefixed with "authentik default".

Endpoint URL
SSO (Redirect binding) /application/saml/<application slug>/sso/binding/redirect/
SSO (POST binding) /application/saml/<application slug>/sso/binding/post/
IdP-initiated login /application/saml/<application slug>/sso/binding/init/
Metadata Download /application/saml/<application slug>/metadata/

Name ID

You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done:

  • When the request asks for urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, the NameID will be set to the user's email address.
  • When the request asks for urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, the NameID will be set to the hashed user ID.
  • When the request asks for urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName, the NameID will be set to the user's distinguishedName attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier.
  • When the request asks for urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier.
  • When the request asks for urn:oasis:names:tc:SAML:2.0:nameid-format:transient, the NameID will be set based on the user's session ID.