key: saml title: SAML 2.0 description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. author: requarks.io logo: https://static.requarks.io/logo/saml.svg color: red darken-3 website: https://wiki.oasis-open.org/security/FrontPage isAvailable: true useForm: false props: entryPoint: type: String title: Entry Point hint: Identity provider entrypoint (URL) order: 1 issuer: type: String title: Issuer hint: Issuer string to supply to Identity Provider order: 2 audience: type: String title: Audience hint: Expected SAML response Audience (if not provided, audience won't be verified) order: 3 cert: type: String title: Certificate hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol. multiline: true order: 4 privateKey: type: String title: Private Key hint: PEM formatted key used to sign the certificate. multiline: true order: 5 decryptionPvk: type: String title: Decryption Private Key hint: (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received. multiline: true order: 6 signatureAlgorithm: type: String title: Signature Algorithm hint: Signature algorithm used for signing requests maxWidth: 400 order: 7 default: sha1 enum: - sha1 - sha256 - sha512 digestAlgorithm: type: String title: Digest Algorithm hint: Digest algorithm used to provide a digest for the signed data object maxWidth: 400 order: 8 default: sha1 enum: - sha1 - sha256 - sha512 identifierFormat: type: String title: Name Identifier format default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' order: 20 wantAssertionsSigned: type: Boolean title: Always sign assertions hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions. default: false order: 21 acceptedClockSkewMs: type: Number title: Accepted Clock Skew Milleseconds hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely. default: 0 order: 22 disableRequestedAuthnContext: type: Boolean title: Disable Requested Auth Context hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers. default: false order: 23 authnContext: type: String title: Auth Context hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol. default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport order: 24 racComparison: type: String title: RAC Comparison Type hint: Requested Authentication Context comparison type. maxWidth: 400 order: 25 default: exact enum: - exact - minimum - maximum - better forceAuthn: type: Boolean title: Force Initial Re-authentication hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session. default: false order: 26 passive: type: Boolean title: Passive hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction. default: false order: 27 providerName: type: String title: Provider Name hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider. default: wiki.js order: 28 skipRequestCompression: type: Boolean title: Skip Request Compression hint: If enabled, the SAML request from the service provider won't be compressed. default: false order: 29 authnRequestBinding: type: String title: Request Binding hint: Binding used for request authentication from IDP. maxWidth: 400 order: 30 default: 'HTTP-POST' enum: - HTTP-Redirect - HTTP-POST mappingUID: title: Unique ID Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string. order: 40 mappingEmail: title: Email Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' hint: The field storing the user email. Can be a variable name or a URI-formatted string. order: 41 mappingDisplayName: title: Display Name Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' hint: The field storing the user display name. Can be a variable name or a URI-formatted string. order: 42 mappingPicture: title: Avatar Picture Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture' hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string. order: 43 mapGroups: type: Boolean title: Map Groups hint: Map groups matching names from the provider user groups. User Groups Field Mapping must also be defined for this to work. Note this will remove any groups the user has that doesn't match any group from the provider. default: false order: 44 mappingGroups: title: User Groups Field Mapping type: String default: 'memberOf' hint: The field storing the user groups attribute (when Map Groups is enabled). Can be a variable name or a URI-formatted string. order: 45