key : saml
title : SAML 2.0
description : Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
author : requarks.io
logo : https://static.requarks.io/logo/saml.svg
color : red darken-3
website : https://wiki.oasis-open.org/security/FrontPage
isAvailable : true
useForm : false
props :
entryPoint :
type : String
title : Entry Point
hint : Identity provider entrypoint (URL)
order : 1
issuer :
type : String
title : Issuer
hint : Issuer string to supply to Identity Provider
order : 2
audience :
type : String
title : Audience
hint : Expected SAML response Audience (if not provided, audience won't be verified)
order : 3
cert :
type : String
title : Certificate
hint : Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
multiline : true
order : 4
privateKey :
type : String
title : Private Key
hint : PEM formatted key used to sign the certificate.
multiline : true
order : 5
decryptionPvk :
type : String
title : Decryption Private Key
hint : (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received.
multiline : true
order : 6
signatureAlgorithm :
type : String
title : Signature Algorithm
hint : Signature algorithm used for signing requests
maxWidth : 400
order : 7
default : sha1
enum :
- sha1
- sha256
- sha512
digestAlgorithm :
type : String
title : Digest Algorithm
hint : Digest algorithm used to provide a digest for the signed data object
maxWidth : 400
order : 8
default : sha1
enum :
- sha1
- sha256
- sha512
identifierFormat :
type : String
title : Name Identifier format
default : 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
order : 20
wantAssertionsSigned :
type : Boolean
title : Always sign assertions
hint : If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions.
default : false
order : 21
acceptedClockSkewMs :
type : Number
title : Accepted Clock Skew Milleseconds
hint : Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
default : 0
order : 22
disableRequestedAuthnContext :
type : Boolean
title : Disable Requested Auth Context
hint : If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
default : false
order : 23
authnContext :
type : String
title : Auth Context
hint : Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol.
default : urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
order : 24
racComparison :
type : String
title : RAC Comparison Type
hint : Requested Authentication Context comparison type.
maxWidth : 400
order : 25
default : exact
enum :
- exact
- minimum
- maximum
- better
forceAuthn :
type : Boolean
title : Force Initial Re-authentication
hint : If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
default : false
order : 26
passive :
type : Boolean
title : Passive
hint : If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction.
default : false
order : 27
providerName :
type : String
title : Provider Name
hint : Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
default : wiki.js
order : 28
skipRequestCompression :
type : Boolean
title : Skip Request Compression
hint : If enabled, the SAML request from the service provider won't be compressed.
default : false
order : 29
authnRequestBinding :
type : String
title : Request Binding
hint : Binding used for request authentication from IDP.
maxWidth : 400
order : 30
default : 'HTTP-POST'
enum :
- HTTP-Redirect
- HTTP-POST
mappingUID :
title : Unique ID Field Mapping
type : String
default : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
hint : The field storing the user unique identifier. Can be a variable name or a URI-formatted string.
order : 40
mappingEmail :
title : Email Field Mapping
type : String
default : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
hint : The field storing the user email. Can be a variable name or a URI-formatted string.
order : 41
mappingDisplayName :
title : Display Name Field Mapping
type : String
default : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
hint : The field storing the user display name. Can be a variable name or a URI-formatted string.
order : 42
mappingPicture :
title : Avatar Picture Field Mapping
type : String
default : 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture'
hint : The field storing the user avatar picture. Can be a variable name or a URI-formatted string.
order : 43
mapGroups :
type : Boolean
title : Map Groups
hint : Map groups matching names from the provider user groups. User Groups Field Mapping must also be defined for this to work. Note this will remove any groups the user has that doesn't match any group from the provider.
default : false
order : 44
mappingGroups :
title : User Groups Field Mapping
type : String
default : 'memberOf'
hint : The field storing the user groups attribute (when Map Groups is enabled). Can be a variable name or a URI-formatted string.
order : 45