# SAML integration OpenIAM supports SAML 2.0 in two distinct roles: * **OpenIAM as IdP** — OpenIAM authenticates users and sends SAML assertions to external Service Providers (e.g., Salesforce, AWS, a custom app) * **OpenIAM as SP** — OpenIAM delegates authentication to an external Identity Provider (e.g., ADFS, Okta, Azure AD) and accepts their assertions Both roles are configured in the same Admin UI area (Auth Providers) but use different provider types. ## Concepts

Term	Meaning
IdP	Identity Provider — authenticates the user and issues the SAML assertion
SP	Service Provider — the application that relies on the IdP for authentication
Assertion	Signed XML blob containing the user's identity and attributes
AuthnRequest	XML message the SP sends to the IdP to initiate login
ACS URL	Assertion Consumer Service URL — the SP endpoint that receives the SAMLResponse
Metadata	XML document describing an IdP or SP (endpoints, certificates, NameID formats)
JIT	Just-in-Time provisioning — creating/updating a user on first SAML login

## OpenIAM as IdP In this role OpenIAM: * Receives `AuthnRequest` from an SP (or initiates SSO itself) * Authenticates the user (login page, MFA, etc.) * Issues a signed `SAMLResponse` with an `Assertion` back to the SP's ACS URL ### Creating a SAML IdP Provider To create SAML IdP provider, log in to **Webconsole** and navigate to **Access Control** → **Authentication Providers** → **+ New Provider** → **Type:** SAML Identity Provider {% stepper %} {% step %} ### Fill in the required information fields

Field	Required	Description
Name	Yes	Human-readable label (e.g., `Salesforce – Prod`)
Managed System	Yes	The managed system this provider is linked to
Assertion Consumer URL	Yes	The SP's ACS URL — where OpenIAM will POST the SAMLResponse
Request Issuer	Yes	The `EntityID` of this IdP configuration (used in the assertion's `<Issuer>`)
Response Issuer	No	Overrides the `<Issuer>` in the SAMLResponse (defaults to Request Issuer)
Audiences	No	Audience restrictions added to `<AudienceRestriction>` in the assertion

{% endstep %} {% step %} ### Configure signing and encryption

Field	Description
Sign Metadata	Include an `<ds:Signature>` element in the published metadata
Signing Algorithm	e.g., `RSA-SHA256` (`http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`)
Canonicalization Algorithm	e.g., `Exclusive C14N` (`http://www.w3.org/2001/10/xml-exc-c14n#`)
Digest Algorithm	e.g., `SHA-256` (`http://www.w3.org/2001/04/xmlenc#sha256`)
Want Assertions Signed	Sign the `<Assertion>` element inside the response
Want Response Signed	Sign the outer `<Response>` element
Public / Private Key	X.509 certificate + PKCS8 private key used for signing (and optionally encryption)
Send Encrypted Assertion	Encrypt the `<Assertion>` element before sending
Data Encryption Algorithm	Symmetric algorithm for assertion encryption (e.g., AES-256-CBC)
Key Encryption Algorithm	Algorithm for wrapping the symmetric key (e.g., RSA-OAEP)

{% endstep %} {% step %} ### Configure authentication

Field	Description
Auth Context Class Ref	Value placed in `<AuthnContextClassRef>` (e.g., `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`)
Protected by 2FA	Force MFA challenge before issuing the assertion

{% endstep %} {% step %} ### Configure NameID format

Field	Description
NameID Format	Format of the Subject NameID (see NameID Formats)
NameID Qualifier	Optional qualifier to scope the NameID value

{% endstep %} {% step %} ### Configure single logout

Field	Description
Logout URL	SP's SLO endpoint — where OpenIAM sends `LogoutRequest` / `LogoutResponse`
Logout Binding	`POST` or `Redirect`
Want Logout Requests Signed	Require the SP to sign its `LogoutRequest` messages

{% endstep %} {% step %} ### Attribute mapping Add rows to the attribute table to include user attributes in the assertion's ``:

Field	Description
SAML Attribute Name	The `Name` attribute in the `<saml:Attribute>` element
Data Type	`String`, `Integer`, `Boolean`, `Date`, `DateTime`, `URI`, `Base64`, `HexBinary`
Source	One of: User Attribute (pick from resource attributes), Static Value, Groovy Script

{% endstep %} {% step %} ### Advanced / Customization

Field	Description
Post-Processor Groovy Script	Runs after the assertion is built; can modify or add attributes
NameID Resolver Groovy Script	Custom logic to compute the NameID value for the subject
RelayState	Static value or Groovy-generated; echoed back through the SAML flow
Enable Chaining	Pass the request on to another auth provider after this one

{% endstep %} {% step %} ### Save and share metadata Click **Save**, then copy the **Metadata URL** and share it with the SP administrator: ``` IdP Metadata URL: https://{host}/idp/saml2/idp/metadata/{providerId} IdP-Initiated SSO URL: https://{host}/idp/saml2/idp/initiate/{providerId} ``` Most SPs support automatic metadata import via URL. If the SP requires a file, download the XML from the metadata URL and upload it. {% endstep %} {% endstepper %} ## IdP endpoints reference All endpoints are on the IDP module. Base URL: `https://{host}/idp`

Endpoint	Method	Description
`/saml2/idp/metadata/{providerId}`	GET / POST	SAML IdP Metadata (EntityDescriptor XML)
`/saml2/idp/login`	GET / POST	SP-initiated SSO — receives `SAMLRequest` (AuthnRequest)
`/saml2/idp/login/{randomId}`	GET / POST	SP-initiated SSO with session-specific ID
`/saml2/idp/initiate/{id}`	GET / POST	IdP-initiated SSO — no AuthnRequest required
`/saml2/idp/logout`	GET / POST	SLO — receives `LogoutRequest` from SP or `LogoutResponse` from other IdP
`/saml2/idp/globalLogout`	GET / POST	Initiates global logout across all active SPs in the session

### IdP-Initiated SSO Flow {% stepper %} {% step %} ### User navigates to the IdP-initiated SSO URL ``` GET https://{host}/idp/saml2/idp/initiate/{providerId} (optionally: ?RelayState=https://app.example.com/dashboard) ``` {% endstep %} {% step %} ### OpenIAM authenticates the user OpenIAM authenticates the user (login page if no session). {% endstep %} {% step %} ### OpenIAM builds SAMLResponse {% code overflow="wrap" expandable="true" %} ``` {responseIssuer} ... {userId} {audience} {authContextClassRef} jane@example.com ``` {% endcode %} {% endstep %} {% step %} ### OpenIAM auto-submits the response to the SP ``` POST {assertionConsumerURL} SAMLResponse= RelayState= ``` {% endstep %} {% endstepper %} ### SP-Initiated SSO Flow (IdP side) {% stepper %} {% step %} ### SP redirects the user to OpenIAM ``` GET https://{host}/idp/saml2/idp/login ?SAMLRequest= &RelayState= &SigAlg=... &Signature=... (if SP signs the request) ``` {% endstep %} {% step %} ### OpenIAM validates the AuthnRequest OpenIAM decodes and validates the AuthnRequest. {% endstep %} {% step %} ### User authenticates User authenticates (login page / MFA / existing session). {% endstep %} {% step %} ### OpenIAM posts the SAMLResponse to the SP's ACS URL OpenIAM POSTs SAMLResponse to the SP's ACS URL (same as step 3-4 above). {% endstep %} {% endstepper %} ### Single Logout (IdP side) **SP-initiated SLO:** {% stepper %} {% step %} ### SP sends LogoutRequest to OpenIAM ``` POST /saml2/idp/logout SAMLRequest= ``` {% endstep %} {% step %} ### OpenIAM terminates the user's session OpenIAM terminates the user's session. {% endstep %} {% step %} ### OpenIAM notifies other SPs OpenIAM sends LogoutRequest to each other SP that was part of this session. {% endstep %} {% step %} ### OpenIAM sends the final LogoutResponse After all SPs acknowledge (LogoutResponse), OpenIAM sends final LogoutResponse back to the initiating SP. {% endstep %} {% endstepper %} **OpenIAM-initiated global logout:** ``` GET /saml2/idp/globalLogout → OpenIAM sends LogoutRequest to all SPs in the session, then terminates it. ``` ## OpenIAM as SP In this role OpenIAM: * Redirects or POSTs an `AuthnRequest` to the external IdP's SSO endpoint * Receives the `SAMLResponse` (assertion) at its ACS endpoint * Validates the assertion and creates an authenticated session * Optionally provisions the user on first login (JIT) ### Creating a SAML SP provider Creating a SAML SP provider, log in to **Webconsole** and navigate to **Access Control** → **Authentication Providers** → **+ New Provider** → **Type:** SAML Service Provider {% stepper %} {% step %} ### Fill in the required information

Field	Required	Description
Name	Yes	Human-readable label (e.g., `Azure AD – Corp`)
Managed System	Yes	The managed system representing this external IdP
Authentication Policy	Yes	Policy applied after successful SAML login
Password Policy	Yes	Password policy assigned to JIT-provisioned users
Request Issuer	Yes	The `EntityID` of this SP — sent as `<Issuer>` in the AuthnRequest
SAML Issuer Format	Yes	Format URI for the issuer element (e.g., `urn:oasis:names:tc:SAML:2.0:nameid-format:entity`)
Login URL	Yes	The external IdP's SSO endpoint URL
Login Binding	Yes	`POST` or `Redirect` (how the AuthnRequest is sent to the IdP)
Include Destination in AuthnRequest	No	Adds a `Destination` attribute to the AuthnRequest XML

{% endstep %} {% step %} ### Signing

Field	Description
Sign Metadata	Sign the SP metadata document
Sign AuthnRequests	Include a signature on outgoing `AuthnRequest` messages
Want Assertions Signed	Reject assertions that are not signed by the IdP
Signing Algorithm / Canonicalization / Digest	Same algorithms as IdP (must match what the external IdP expects)
Public / Private Key	SP's key pair for signing AuthnRequests and decrypting encrypted assertions

{% endstep %} {% step %} ### Configure authentication

Field	Description
Auth Context Class Ref	Value requested in `<RequestedAuthnContext>` in the AuthnRequest

{% endstep %} {% step %} ### NameID Format

Field	Description
NameID Format in SAML Request	Format URI requested in `<NameIDPolicy>` in the AuthnRequest

{% endstep %} {% step %} ### Configure single logout

Field	Required	Description
Logout URL	Yes	External IdP's SLO endpoint — where OpenIAM sends `LogoutRequest`
Logout Binding	Yes	`POST` or `Redirect`

{% endstep %} {% step %} ### Attribute mapping Same table as the IdP case, but here the mappings define **how incoming assertion attributes are written to the OpenIAM user profile**:

Column	Description
SAML Attribute Name	The attribute `Name` to extract from the incoming assertion
Data Type	Expected data type
Source	Target: User Attribute (maps to a user field), Static Value, or Groovy Script

{% endstep %} {% step %} ### Advanced / Customization

Field	Description
JIT SAML Authenticator Script	Groovy script run on first login to create or update the user (see JIT)
Post-Processor Groovy Script	Runs after assertion validation; can enrich the session
RelayState	Static value or Groovy-generated; preserves the original request URL
Enable Chaining	Pass authentication on to another provider after this one

{% endstep %} {% step %} ### Save and share metadata ``` SP Metadata URL: https://{host}/idp/saml2/sp/metadata/{providerId} SP ACS URL: https://{host}/idp/saml2/sp/login SP SLO URL: https://{host}/idp/saml2/sp/logout/{providerId} ``` Provide the metadata URL (or downloaded XML) to the external IdP administrator so they can register OpenIAM as a trusted SP. {% endstep %} {% endstepper %} ### SP Endpoints reference

Endpoint	Method	Description
`/saml2/sp/metadata/{providerId}`	GET	SP Metadata (EntityDescriptor XML)
`/saml2/sp/login`	GET	Generates and sends `AuthnRequest` to the external IdP
`/saml2/sp/login`	POST	ACS — receives `SAMLResponse` from the external IdP
`/saml2/sp/logout/{providerId}`	GET / POST	Initiates SLO — sends `LogoutRequest` to the external IdP
`/saml2/sp/logout`	GET / POST	Receives `LogoutRequest` or `LogoutResponse` from the external IdP

### SP-Initiated SSO flow {% stepper %} {% step %} ### User tries to access a protected resource User tries to access a resource protected by the SAML SP provider. {% endstep %} {% step %} ### OpenIAM generates an AuthnRequest ``` {requestIssuer} {authContextClassRef} ``` {% endstep %} {% step %} ### OpenIAM sends the request to the external IdP OpenIAM redirects (or POSTs) the user to the IdP's Login URL with `SAMLRequest=` and `RelayState`. {% endstep %} {% step %} ### External IdP authenticates the user External IdP authenticates the user and POSTs SAMLResponse to: ``` POST https://{host}/idp/saml2/sp/login SAMLResponse= RelayState= ``` {% endstep %} {% step %} ### OpenIAM validates the response * Verifies IdP signature * Checks Issuer, Conditions (NotBefore/NotOnOrAfter), AudienceRestriction * Decrypts assertion (if encrypted) * Extracts attributes {% endstep %} {% step %} ### JIT provisioning runs if needed If the user is unknown and JIT is configured → runs JIT script. {% endstep %} {% step %} ### OpenIAM creates the session and redirects OpenIAM creates an authenticated session and redirects to RelayState or default URL. {% endstep %} {% endstepper %} ## Just-in-Time user provisioning When a user logs in via an external IdP for the first time (or on every login to keep attributes in sync), the **JIT SAML Authenticator Script** (Groovy) is invoked. The script receives the full set of assertion attributes and can: * Look up the user by email/username * Create a new user if not found * Update profile attributes (name, department, roles, etc.) * Return the resolved `userId` for session creation Configure the script in **Authentication Provider** → **Customization** → JIT SAML Authenticator Groovy Script. ### Single Logout (SP side) **SP-initiated SLO:** {% stepper %} {% step %} ### User logs out from OpenIAM User logs out from OpenIAM. {% endstep %} {% step %} ### OpenIAM sends LogoutRequest to the external IdP ``` POST/Redirect → {logoutURL} SAMLRequest= ``` {% endstep %} {% step %} ### External IdP responds with LogoutResponse ``` POST https://{host}/idp/saml2/sp/logout SAMLResponse= ``` {% endstep %} {% step %} ### OpenIAM terminates the local session OpenIAM terminates the local session. {% endstep %} {% endstepper %} **IdP-initiated SLO:** {% stepper %} {% step %} ### External IdP sends LogoutRequest to OpenIAM ``` POST https://{host}/idp/saml2/sp/logout SAMLRequest= ``` {% endstep %} {% step %} ### OpenIAM terminates the local session and responds OpenIAM terminates the local session and sends LogoutResponse back. {% endstep %} {% endstepper %} ## Shared configuration ### Certificates and signing Each SAML provider (IdP or SP) has its own X.509 certificate + private key pair. **In the Admin UI:** * Upload or paste the **Public Certificate** (PEM format) * Upload or paste the **Private Key** (PKCS8 PEM format) * Or click **Generate** to create a self-signed key pair The public certificate is embedded in the provider's metadata `` element so the other party can verify signatures. **Recommended signing configuration:**

Algorithm	Recommended value
Signing	`http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` (RSA-SHA256)
Canonicalization	`http://www.w3.org/2001/10/xml-exc-c14n#` (Exclusive C14N)
Digest	`http://www.w3.org/2001/04/xmlenc#sha256` (SHA-256)

### Attribute mapping The **Attribute Mapping Table** is present on both IdP and SP providers. **On an IdP provider** — defines which attributes are included in the outgoing assertion. │ │

SAML Attribute Name	Data type	Source
`email`	String	User Attribute → `user.email`
`firstName`	String	User Attribute → `user.firstName`
`department`	String	User Attribute → `user.department`
`role`	String	Groovy Script → (compute from groups)
`env`	String	Static Value → production

**On an SP provider** — defines how incoming assertion attributes are written back to the user.

SAML Attribute Name	Data type	Source
`http://schemas.../givenname`	String	User Attribute → `user.firstName`
`http://schemas.../surname`	String	User Attribute → `user.lastName`
`http://schemas.../groups`	String	Groovy Script → (assign roles)

### NameID Formats

Format	URI
Persistent	`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`
Transient	`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`
Email Address	`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
X.509 Subject	`urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName`
Windows Domain	`urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName`
Kerberos	`urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos`
Entity	`urn:oasis:names:tc:SAML:2.0:nameid-format:entity`
Unspecified	`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`

* **IdP** — set `NameID Format` to control what format the issued assertion uses * **SP** — set `NameID Format in SAML Request` to request a specific format from the external IdP ### Bindings

Binding	Description	Typical use
HTTP POST	SAMLRequest / SAMLResponse in an auto-submitted HTML form body	Large assertions, SLO responses
HTTP Redirect	SAMLRequest as a deflated, base64-encoded URL query parameter	AuthnRequest (lighter payload)

Most SPs and IdPs support both. POST is the default in OpenIAM. ### Metadata Import / Export Instead of filling in every field manually, you can import an existing metadata XML: **On the IdP provider form:** * **Generate from SP Metadata** — upload the SP's metadata XML; OpenIAM extracts the ACS URL, certificate, NameID formats, and SLO URL * **Generate from IdP Metadata** — upload another IdP's metadata for chaining scenarios **On the SP provider form:** * **Generate from IdP Metadata** — upload the external IdP's metadata XML; OpenIAM extracts the SSO URL, certificate, SLO URL, and NameID formats **Admin REST API for metadata import:** ``` # IdP provider: import from SP metadata POST /rest/api/authprovider/saml/idp/keys/generateFromSPMetadata Content-Type: multipart/form-data (file: SP metadata XML) # SP provider: import from IdP metadata POST /rest/api/authprovider/saml/sp/keys/generateFromIDPMetadata Content-Type: multipart/form-data (file: IdP metadata XML) ``` ### Provider chaining A SAML provider can forward authentication to another provider in sequence: * **IdP → SP chain**: the IdP provider authenticates the user, then passes the session to an SP provider that calls an upstream IdP * **SP → IdP chain**: after receiving an assertion from an upstream IdP, pass the authenticated session to a local IdP provider that issues its own assertion to a downstream SP Configure in: ``` Auth Provider → Advanced → Enable Chaining → Next Auth Provider (select) ``` ### RelayState strategy RelayState is an opaque string passed through the SAML flow to preserve context (e.g., the original page the user was trying to reach).

Option	Description
Static Value	Always use the same fixed string
Groovy Script	Compute the value dynamically per request (receives request context)

## Field reference ### Common Fields

Field	Type	Description
`requestIssuer`	String	`EntityID` sent as `<Issuer>` in outgoing messages
`signingAlgorithm`	String (URI)	XML signature algorithm
`canonicalizationAlgorithm`	String (URI)	XML canonicalization algorithm
`digestAlgorithm`	String (URI)	XML digest algorithm
`authContextClassRef`	String (URI)	Authentication context class reference
`logoutBinding`	Enum	`POST` or `Redirect` for SLO messages
`logoutURL`	String	SLO endpoint of the other party
`wantAssertionsSigned`	Boolean	Require `<Assertion>` to be signed
`signAuthnRequests`	Boolean	Sign outgoing `AuthnRequest` messages
`nameIdResolverGroovyScriptId`	String	Script ID for custom NameID computation
`postProcessGroovyScriptId`	String	Script ID for post-assertion processing
`relayStateStaticValue`	String	Fixed RelayState value
`relayStateGeneratorGroovyScriptId`	String	Script ID for dynamic RelayState
`chainingEnabled`	Boolean	Forward to another provider after this one
`nextAuthProviderId`	String	ID of the next provider in the chain

### IdP-specific fields

Field	Type	Description
`assertionConsumerURL`	String	SP's ACS URL — destination for the SAMLResponse
`responseIssuer`	String	`<Issuer>` value in the SAMLResponse (overrides requestIssuer)
`audiences`	List<String>	Audience URIs in `<AudienceRestriction>`
`nameIdFormat`	String (URI)	NameID format used in the issued assertion
`nameQualifier`	String	NameID qualifier / scope
`sendEncryptedAssertion`	Boolean	Encrypt the `<Assertion>` element
`dataEncryptionAssertionAlgorithm`	String (URI)	Symmetric encryption algorithm for assertion
`keyEncryptionAssertionAlgorithm`	String (URI)	Key-wrapping algorithm for the symmetric key
`protectedBy2FA`	Boolean	Require 2FA before issuing the assertion
`wantResponseSigned`	Boolean	Sign the outer `<Response>` element (in addition to `<Assertion>`)

### SP-specific fields

Field	Type	Description
`loginURL`	String	External IdP's SSO endpoint URL
`loginBinding`	Enum	`POST` or `Redirect` for the outgoing AuthnRequest
`samlIssuerFormat`	String (URI)	Format URI for the `<Issuer>` element in the AuthnRequest
`nameIdFormatInSAMLRequest`	String (URI)	NameID format requested in `<NameIDPolicy>`
`includeDestinationInAuthnRequest`	Boolean	Add `Destination` attribute to the AuthnRequest
`justInTimeSAMLAuthenticatorScriptId`	String	JIT provisioning Groovy script ID
`authPolicyId`	String	Authentication policy applied after successful login
`policyId`	String	Password policy for JIT-provisioned users
`wantAssertionsSigned`	Boolean	Reject unsigned assertions from the IdP

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs-beta.openiam.com/federation/saml-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.