Valve used to create a SAML assertion. This is applicable in scenarios where PhenixID Server acts as a SAML Identity Provider.

This valve requires the Current Item Set to contain one and only one item. This item is used to populate the assertion with values.


| Name | Description | Default value | Mandatory | Supports property expansion |
|---|---|---|---|---|
| targetEntityID | The entityID of the IdP issuing the assertion. | | Yes | Yes |
| sourceID | The entityID of the SP the assertion is aimed for. | | No | Yes |
| additionalAttributes | The item properties to be used as attribute(s) in the assertion. Comma-separated. | | No | No |
| nameIDAttribute | The item property to be used as nameID in the assertion. | | Yes | No |
| authMetod | Use to override default value in the SAML AuthnContextClassRef | | No | Yes |
| misc | Additional properties to be set, supports property expansion (listed below). | | No | No |

Properties that can be set in misc:

  • excludeSubjectNotBefore – Include/exclude subject not before. Default: false
  • nameIdFormat – NameIDFormat to be used. Full urn format. Supports transient, persistent, unspecified. Default: unspecified
  • signMessage – Sign whole response? Default: true
  • signAssertion – Sign assertion? Default: false
  • audienceRestriction – The audience restriction to be set in the assertion. Default: same value as sourceID

Example Configuration

    {
        "name": "AssertionProvider",
        "config": {
            "targetEntityID": "PhenixID_IdP",
            "nameIDAttribute": "carLicense",
            "misc": [{
                "excludeSubjectNotBefore": "true",
                "nameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                "signMessage": "false",
                "signAssertion": "true",
                "audienceRestriction": "urn:federation:MicrosoftOnline"
            }],
            "sourceID": "urn:federation:MicrosoftOnline",
            "additionalAttributes": "IDPEmail"
        }
    }
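
Because signMessage and signAssertion are independent switches, a configuration can turn both off and emit an unsigned response. The following is an added example, not PhenixID code: a small Python review script that applies the defaults documented above to a valve configuration and reports what would be unsigned or unset. The function names and the sample input are constructed for illustration, and values are treated as literals (property expansion is not evaluated).

```python
import json

# Defaults as documented in the parameter table above.
MISC_DEFAULTS = {"excludeSubjectNotBefore": "false", "signMessage": "true",
                 "signAssertion": "false"}
MANDATORY = ("targetEntityID", "nameIDAttribute")
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def effective_misc(config):
    """Merge the objects in the misc list over the documented defaults."""
    misc = dict(MISC_DEFAULTS)
    for entry in config.get("misc", []):
        misc.update(entry)
    # audienceRestriction falls back to sourceID when not set explicitly.
    misc.setdefault("audienceRestriction", config.get("sourceID"))
    return misc

def review_valve(valve):
    """Return a list of findings for one AssertionProvider valve object."""
    config = valve.get("config", {})
    findings = [f"missing mandatory parameter: {k}" for k in MANDATORY if not config.get(k)]
    misc = effective_misc(config)
    signed = [k for k in ("signMessage", "signAssertion") if str(misc[k]).lower() == "true"]
    if not signed:
        findings.append("signMessage and signAssertion are both false: nothing is signed")
    if not misc["audienceRestriction"]:
        findings.append("no sourceID or audienceRestriction: audience has no value to default to")
    fmt = misc.get("nameIdFormat")
    if fmt is not None and fmt not in NAMEID_FORMATS:
        findings.append(f"nameIdFormat is not a full transient/persistent/unspecified URN: {fmt}")
    return findings

# Constructed sample: signing switched off entirely and a short-form nameIdFormat.
SAMPLE_WEAK = json.loads("""
{"name": "AssertionProvider",
 "config": {"targetEntityID": "PhenixID_IdP",
            "misc": [{"signMessage": "false", "nameIdFormat": "persistent"}]}}
""")

if __name__ == "__main__":
    for finding in review_valve(SAMPLE_WEAK):
        print("FINDING:", finding)
```

The example configuration shown above produces no findings, since it signs the assertion and sets an explicit audience restriction.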


SAML module is deployed.