A federated organisation may run several distinct services (service providers), each protected under its own trust domain. The same organisation may also wish to trust several external and internal identity providers and let the end user choose the identity provider they prefer.

To support multiple services, multiple identity providers and possibly multiple selection rules, an Authentication Broker Service is required. The broker acts as an SP towards the external identity provider and as an IdP towards the organisation's own services, which is why it is configured with both an SP entity ID and an IdP entity ID below.


Name                   | Description                                                                                                   | Default value                                                      | Mandatory
sp                     | The entity ID when acting as an SP. Must be the same value as entityID.                                       | N/A                                                                | Yes
issueAsIDPID           | The entity ID when acting as an IdP.                                                                          | N/A                                                                | Yes
targetIDP              | ID of the SAMLMETA IdP entity in the store to use for authentication. This is the external IdP.               | N/A                                                                | Yes
acsURL                 | The URL that receives the assertion. Should point back at this authenticator: '/authenticate/authenticator_alias'. | N/A                                                           | Yes
entityID               | ID of the SAMLSP entity in the store used for interaction with the external IdP. Must be the same value as sp. | N/A                                                               | Yes
addsignature           | Sign the authentication request (true/false).                                                                 | true                                                               | No
pipeIDAssertionConsume | ID of the pipe used when consuming an incoming assertion.                                                     | N/A                                                                | Yes
pipeIDAssertionProduce | ID of the pipe used when creating an outgoing assertion.                                                      | N/A                                                                | Yes
discoveryUrl           | If using IdP discovery, this should point to the location of the discovery service.                           | N/A                                                                | No
samlAuthMethod         | The value put in the AuthnContextClassRef.                                                                    | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | No

Note on addsignature: the example below sets it to false. Unless the external IdP cannot validate signed requests, keep the default (true) so that the AuthnRequest sent to the external IdP cannot be altered in transit.

Example Configuration

{
    "id": "broker",
    "alias": "broker",
    "name": "SAMLSPBroker",
    "displayName": "Broker",
    "configuration": {
        "sp": "https://myserver/saml/broker",
        "issueAsIDPID": "https://myserver/saml/idp",
        "pipeIDAssertionConsume": "pipeAssertionConsumer",
        "pipeIDAssertionProduce": "pipeAssertionConsumer",
        "targetIDP": "https://external_idp/idp",
        "acsUrl": "https://myserver/saml/authenticate/broker",
        "entityID": "https://myserver/saml/broker",
        "addsignature": "false"
    }
}
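The parameter table states several constraints that are easy to get wrong by hand: the mandatory parameters, sp and entityID having the same value, acsUrl pointing back at this authenticator's own /authenticate/<alias> endpoint, and addsignature defaulting to true. The script below is an added example, not code from the product or from the original page. It encodes those constraints as a pre-deployment check and runs them over the example configuration above plus a constructed, deliberately broken one. The JSON layout (id, alias, name, configuration) is taken from the example; because the table spells the ACS key acsURL and the example acsUrl, both spellings are accepted.

```python
"""Consistency checks for a SAMLSPBroker authenticator configuration.

Added example. Encodes the constraints from the parameter table and runs
them against the page's example configuration and a constructed broken one.
"""
import json

MANDATORY = (
    "sp", "issueAsIDPID", "targetIDP", "acsUrl", "entityID",
    "pipeIDAssertionConsume", "pipeIDAssertionProduce",
)
DEFAULTS = {
    "addsignature": "true",
    "samlAuthMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

# The page's example configuration, completed with its outer braces.
PAGE_EXAMPLE = json.loads("""
{
    "id": "broker",
    "alias": "broker",
    "name": "SAMLSPBroker",
    "displayName": "Broker",
    "configuration": {
        "sp": "https://myserver/saml/broker",
        "issueAsIDPID": "https://myserver/saml/idp",
        "pipeIDAssertionConsume": "pipeAssertionConsumer",
        "pipeIDAssertionProduce": "pipeAssertionConsumer",
        "targetIDP": "https://external_idp/idp",
        "acsUrl": "https://myserver/saml/authenticate/broker",
        "entityID": "https://myserver/saml/broker",
        "addsignature": "false"
    }
}
""")

# Constructed (hypothetical) configuration containing several mistakes:
# targetIDP missing, sp != entityID, acsURL pointing at another alias.
BROKEN_EXAMPLE = {
    "id": "broker2",
    "alias": "broker2",
    "name": "SAMLSPBroker",
    "configuration": {
        "sp": "https://myserver/saml/broker2",
        "issueAsIDPID": "https://myserver/saml/idp",
        "pipeIDAssertionConsume": "pipeAssertionConsumer",
        "pipeIDAssertionProduce": "pipeAssertionProducer",
        "acsURL": "https://myserver/saml/authenticate/broker",
        "entityID": "https://myserver/saml/other",
    },
}


def effective_configuration(authenticator):
    """Return the configuration block with defaults filled in and the ACS key normalised.

    The table spells the key acsURL while the example uses acsUrl; accept both
    so a check never passes or fails on spelling alone.
    """
    cfg = dict(authenticator.get("configuration", {}))
    if "acsURL" in cfg and "acsUrl" not in cfg:
        cfg["acsUrl"] = cfg.pop("acsURL")
    for key, value in DEFAULTS.items():
        cfg.setdefault(key, value)
    return cfg


def check_broker(authenticator):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    if authenticator.get("name") != "SAMLSPBroker":
        findings.append("name must be SAMLSPBroker")
    alias = authenticator.get("alias", "")
    cfg = effective_configuration(authenticator)

    for key in MANDATORY:
        if not cfg.get(key):
            findings.append("missing mandatory parameter " + key)

    # sp and entityID both name the SAMLSP entity used towards the external IdP.
    if cfg.get("sp") and cfg.get("entityID") and cfg["sp"] != cfg["entityID"]:
        findings.append("sp and entityID must be the same value")

    # The assertion must come back to this authenticator's own endpoint.
    expected_suffix = "/authenticate/" + alias
    acs = cfg.get("acsUrl", "")
    if acs and not acs.endswith(expected_suffix):
        findings.append("acsUrl should end with " + expected_suffix)

    # Unsigned AuthnRequests can be altered on the way to the external IdP.
    if str(cfg["addsignature"]).lower() != "true":
        findings.append("warning: addsignature is false, AuthnRequests to the external IdP are unsigned")
    return findings


if __name__ == "__main__":
    for label, auth in (("page example", PAGE_EXAMPLE), ("broken example", BROKEN_EXAMPLE)):
        print(label + ":", check_broker(auth) or ["ok"])
```

Run against the page's own example, the only finding is the unsigned-request warning; the constructed configuration yields three findings (missing targetIDP, sp/entityID mismatch, acsUrl pointing at the wrong alias). Wire check_broker into whatever deploys the authenticator JSON and refuse to deploy when it returns anything other than warnings.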