wiki/server/modules/authentication/saml/definition.yml

key: saml
title: SAML 2.0
description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
author: requarks.io
logo: https://static.requarks.io/logo/saml.svg
color: red darken-3
website: https://wiki.oasis-open.org/security/FrontPage
isAvailable: true
useForm: false
props:
  entryPoint:
    type: String
    title: Entry Point
    hint: Identity provider entrypoint (URL)
    order: 1
  issuer:
    type: String
    title: Issuer
    hint: Issuer string to supply to Identity Provider
    order: 2
  audience:
    type: String
    title: Audience
    hint: (Optional) - Expected SAML response Audience (if not provided, Audience won't be verified)
    order: 3
  cert:
    type: String
    title: Certificate
    hint: (Optional) - Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
    multiline: true
    order: 4
  privateCert:
    type: String
    title: Private Certificate
    hint: (Optional) - PEM formatted key used to sign the certificate.
    multiline: true
    order: 5
  decryptionPvk:
    type: String
    title: Decryption Private Key
    hint: (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received.
    multiline: true
    order: 6
  signatureAlgorithm:
    type: String
    title: Signature Algorithm
    hint: Signature algorithm used for signing requests
    order: 7
    default: sha1
    enum:
      - sha1
      - sha256
      - sha512
  identifierFormat:
    type: String
    title: Name Identifier format
    default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    order: 8
  acceptedClockSkewMs:
    type: Number
    title: Accepted Clock Skew Milleseconds
    hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
    default: -1
    order: 9
  disableRequestedAuthnContext:
    type: Boolean
    title: Disable Requested Auth Context
    hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
    default: false
    order: 10
  authnContext:
    type: String
    title: Auth Context
    hint: Name identifier format to request auth context.
    default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    order: 11
  forceAuthn:
    type: Boolean
    title: Force Initial Re-authentication
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
    default: false
    order: 12
  providerName:
    type: String
    title: Provider Name
    hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
    default: wiki.js
    order: 13
  skipRequestCompression:
    type: Boolean
    title: Skip Request Compression
    hint: If enabled, the SAML request from the service provider won't be compressed.
    default: false
    order: 14
  authnRequestBinding:
    type: String
    title: Request Binding
    hint: Binding used for request authentication from IDP.
    order: 15
    default: 'HTTP-POST'
    enum:
      - HTTP-Redirect
      - HTTP-POST
  mappingUID:
    title: Unique ID Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
    hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
    order: 16
  mappingEmail:
    title: Email Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
    hint: The field storing the user email. Can be a variable name or a URI-formatted string.
    order: 17
  mappingDisplayName:
    title: Display Name Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    hint: The field storing the user display name. Can be a variable name or a URI-formatted string.
    order: 18
  mappingPicture:
    title: Avatar Picture Field Mapping
    type: String
    default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
    hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
    order: 19
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`key: saml`
			`title: SAML 2.0`
			`description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.`
			`author: requarks.io`
			`logo: https://static.requarks.io/logo/saml.svg`
feat: auth jwt, permissions, login ui (wip) 6 years ago			`color: red darken-3`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`website: https://wiki.oasis-open.org/security/FrontPage`
feat: SAML auth module 6 years ago			`isAvailable: true`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`useForm: false`
			`props:`
			`entryPoint:`
			`type: String`
			`title: Entry Point`
			`hint: Identity provider entrypoint (URL)`
feat: SAML auth module 6 years ago			`order: 1`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`issuer:`
			`type: String`
			`title: Issuer`
			`hint: Issuer string to supply to Identity Provider`
feat: SAML auth module 6 years ago			`order: 2`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`audience:`
			`type: String`
			`title: Audience`
feat: SAML auth module 6 years ago			`hint: (Optional) - Expected SAML response Audience (if not provided, Audience won't be verified)`
			`order: 3`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`cert:`
			`type: String`
			`title: Certificate`
feat: SAML auth module 6 years ago			`hint: (Optional) - Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the \| pipe symbol.`
fix: git private key alt paste mode 5 years ago			`multiline: true`
feat: SAML auth module 6 years ago			`order: 4`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`privateCert:`
			`type: String`
			`title: Private Certificate`
feat: SAML auth module 6 years ago			`hint: (Optional) - PEM formatted key used to sign the certificate.`
fix: git private key alt paste mode 5 years ago			`multiline: true`
feat: SAML auth module 6 years ago			`order: 5`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`decryptionPvk:`
			`type: String`
			`title: Decryption Private Key`
feat: SAML auth module 6 years ago			`hint: (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received.`
fix: git private key alt paste mode 5 years ago			`multiline: true`
feat: SAML auth module 6 years ago			`order: 6`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`signatureAlgorithm:`
			`type: String`
			`title: Signature Algorithm`
			`hint: Signature algorithm used for signing requests`
feat: SAML auth module 6 years ago			`order: 7`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`default: sha1`
			`enum:`
			`- sha1`
			`- sha256`
			`- sha512`
			`identifierFormat:`
			`type: String`
			`title: Name Identifier format`
			`default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'`
feat: SAML auth module 6 years ago			`order: 8`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`acceptedClockSkewMs:`
			`type: Number`
			`title: Accepted Clock Skew Milleseconds`
			`hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.`
feat: SAML auth module 6 years ago			`default: -1`
			`order: 9`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`disableRequestedAuthnContext:`
			`type: Boolean`
			`title: Disable Requested Auth Context`
			`hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.`
			`default: false`
feat: SAML auth module 6 years ago			`order: 10`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`authnContext:`
			`type: String`
			`title: Auth Context`
			`hint: Name identifier format to request auth context.`
			`default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`
feat: SAML auth module 6 years ago			`order: 11`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`forceAuthn:`
			`type: Boolean`
			`title: Force Initial Re-authentication`
			`hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.`
			`default: false`
feat: SAML auth module 6 years ago			`order: 12`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`providerName:`
			`type: String`
			`title: Provider Name`
			`hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.`
			`default: wiki.js`
feat: SAML auth module 6 years ago			`order: 13`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`skipRequestCompression:`
			`type: Boolean`
			`title: Skip Request Compression`
			`hint: If enabled, the SAML request from the service provider won't be compressed.`
			`default: false`
feat: SAML auth module 6 years ago			`order: 14`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`authnRequestBinding:`
			`type: String`
			`title: Request Binding`
			`hint: Binding used for request authentication from IDP.`
feat: SAML auth module 6 years ago			`order: 15`
			`default: 'HTTP-POST'`
feat: admin UI fixes + SAML strategy + dashboard gql 6 years ago			`enum:`
			`- HTTP-Redirect`
			`- HTTP-POST`
feat: SAML auth module 6 years ago			`mappingUID:`
			`title: Unique ID Field Mapping`
			`type: String`
			`default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'`
			`hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string.`
			`order: 16`
			`mappingEmail:`
			`title: Email Field Mapping`
			`type: String`
			`default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'`
			`hint: The field storing the user email. Can be a variable name or a URI-formatted string.`
			`order: 17`
			`mappingDisplayName:`
			`title: Display Name Field Mapping`
			`type: String`
			`default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'`
			`hint: The field storing the user display name. Can be a variable name or a URI-formatted string.`
			`order: 18`
			`mappingPicture:`
			`title: Avatar Picture Field Mapping`
			`type: String`
			`default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'`
			`hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string.`
			`order: 19`