key: saml
title: SAML 2.0
description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
author: requarks.io
logo: https://static.requarks.io/logo/saml.svg
website: https://wiki.oasis-open.org/security/FrontPage
useForm: false
props:
  entryPoint:
    type: String
    title: Entry Point
    hint: Identity provider entrypoint (URL)
  issuer:
    type: String
    title: Issuer
    hint: Issuer string to supply to Identity Provider
  audience:
    type: String
    title: Audience
    hint: Expected SAML response Audience (if not provided, Audience won't be verified)
  cert:
    type: String
    title: Certificate
    hint: Public PEM-encoded X.509 signing certificate contents in base64 (e.g. 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='). If the provider has multiple certificates that are valid, join them together using the | pipe symbol.
  privateCert:
    type: String
    title: Private Certificate
    hint: PEM formatted key used to sign the certificate.
  decryptionPvk:
    type: String
    title: Decryption Private Key
    hint: (optional) Private key that will be used to attempt to decrypt any encrypted assertions that are received.
  signatureAlgorithm:
    type: String
    title: Signature Algorithm
    hint: Signature algorithm used for signing requests
    default: sha1
    enum:
      - sha1
      - sha256
      - sha512
  identifierFormat:
    type: String
    title: Name Identifier format
    default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
  acceptedClockSkewMs:
    type: Number
    title: Accepted Clock Skew Milleseconds
    hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely.
    default: 0
  disableRequestedAuthnContext:
    type: Boolean
    title: Disable Requested Auth Context
    hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
    default: false
  authnContext:
    type: String
    title: Auth Context
    hint: Name identifier format to request auth context.
    default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  forceAuthn:
    type: Boolean
    title: Force Initial Re-authentication
    hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.
    default: false
  providerName:
    type: String
    title: Provider Name
    hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider.
    default: wiki.js
  skipRequestCompression:
    type: Boolean
    title: Skip Request Compression
    hint: If enabled, the SAML request from the service provider won't be compressed.
    default: false
  authnRequestBinding:
    type: String
    title: Request Binding
    hint: Binding used for request authentication from IDP.
    default: 'HTTP-Redirect'
    enum:
      - HTTP-Redirect
      - HTTP-POST