key: saml title: SAML 2.0 description: Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. author: requarks.io logo: https://static.requarks.io/logo/saml.svg icon: /_assets/icons/ultraviolet-saml.svg color: red darken-3 website: https://wiki.oasis-open.org/security/FrontPage isAvailable: true useForm: false props: entryPoint: type: String title: Entry Point hint: Identity provider entrypoint (URL) order: 1 issuer: type: String title: Issuer hint: Issuer string to supply to Identity Provider order: 2 audience: type: String title: Audience hint: Expected SAML response Audience (if not provided, audience won't be verified) order: 3 cert: type: String title: Certificate hint: Public PEM-encoded X.509 signing certificate. If the provider has multiple certificates that are valid, join them together using the | pipe symbol. multiline: true order: 4 privateKey: type: String title: Private Key hint: PEM formatted key used to sign the certificate. multiline: true order: 5 decryptionPvk: type: String title: Decryption Private Key hint: (Optional) - Private key that will be used to attempt to decrypt any encrypted assertions that are received. multiline: true order: 6 signatureAlgorithm: type: String title: Signature Algorithm hint: Signature algorithm used for signing requests maxWidth: 400 order: 7 default: sha1 enum: - sha1 - sha256 - sha512 digestAlgorithm: type: String title: Digest Algorithm hint: Digest algorithm used to provide a digest for the signed data object maxWidth: 400 order: 8 default: sha1 enum: - sha1 - sha256 - sha512 identifierFormat: type: String title: Name Identifier format default: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' order: 20 wantAssertionsSigned: type: Boolean title: Always sign assertions hint: If enabled, add WantAssertionsSigned="true" to the metadata, to specify that the IdP should always sign the assertions. default: false order: 21 acceptedClockSkewMs: type: Number title: Accepted Clock Skew Milleseconds hint: Time in milliseconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter assertion condition validity timestamps. Setting to -1 will disable checking these conditions entirely. default: 0 order: 22 disableRequestedAuthnContext: type: Boolean title: Disable Requested Auth Context hint: If enabled, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers. default: false order: 23 authnContext: type: String title: Auth Context hint: Name identifier format to request auth context. For multiple values, join them together using the | pipe symbol. default: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport order: 24 racComparison: type: String title: RAC Comparison Type hint: Requested Authentication Context comparison type. maxWidth: 400 order: 25 default: exact enum: - exact - minimum - maximum - better forceAuthn: type: Boolean title: Force Initial Re-authentication hint: If enabled, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session. default: false order: 26 passive: type: Boolean title: Passive hint: If enabled, the initial SAML request from the service provider specifies that the IdP should prevent visible user interaction. default: false order: 27 providerName: type: String title: Provider Name hint: Optional human-readable name of the requester for use by the presenter's user agent or the identity provider. default: wiki.js order: 28 skipRequestCompression: type: Boolean title: Skip Request Compression hint: If enabled, the SAML request from the service provider won't be compressed. default: false order: 29 authnRequestBinding: type: String title: Request Binding hint: Binding used for request authentication from IDP. maxWidth: 400 order: 30 default: 'HTTP-POST' enum: - HTTP-Redirect - HTTP-POST mappingUID: title: Unique ID Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' hint: The field storing the user unique identifier. Can be a variable name or a URI-formatted string. order: 40 mappingEmail: title: Email Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' hint: The field storing the user email. Can be a variable name or a URI-formatted string. order: 41 mappingDisplayName: title: Display Name Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name' hint: The field storing the user display name. Can be a variable name or a URI-formatted string. order: 42 mappingPicture: title: Avatar Picture Field Mapping type: String default: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/picture' hint: The field storing the user avatar picture. Can be a variable name or a URI-formatted string. order: 43