SAML application attributes

Audience

The Service Provider (SP) checks that the Audience in the assertion's AudienceRestriction matches its own identifier before it accepts a SAML response; an assertion issued for a different SP is rejected. The Audience is defined by your application and is optional. It is normally the SP's entity ID, usually in URL form, for example https://sp.your-company.com/SAML.

info

Audience is an attribute of WEB

Assertion Consumer Service URL

The Assertion Consumer Service URL tells the Identity Cloud identity provider where to send its SAML response after successful user authentication. The response carries this URL in its Destination attribute (see the example under Issuer), so the SP should check that Destination equals its own ACS URL before processing a response.

info

Assertion Consumer Service URL is an attribute of WEB

Identity Cloud issuer

Identity Cloud uses the value of Identity Cloud issuer as the Issuer in the SAML response. It is generated by Identity Cloud based on your domain. To learn about your domain, see Domain.

Add the Identity Cloud issuer to the configuration of your service provider so that it can validate the Issuer of the SAML response; a response whose Issuer does not match must be rejected.

For more information on how Identity Cloud uses SAML, see SAML 2.0 endpoints.

info

Identity Cloud issuer is an attribute of WEB

Identity Cloud signer certificate

Identity Cloud uses the Identity Cloud signer certificate to sign outgoing SAML messages, for example the SAML response. It is generated by Identity Cloud.

Add the Identity Cloud signer certificate to the configuration of your service provider so that it can validate the signature. The SP must verify the signature against this configured certificate, not against whatever certificate is embedded in the response's KeyInfo, and reject responses whose signature does not verify.

info

Identity Cloud signer certificate is an attribute of WEB

Issuer

The Service Provider uses the Issuer to validate SAML assertions. The Issuer must be unique and is at most 1024 characters long.

In a SAML response, the Issuer carries the Entity ID of the Identity Provider (IdP), usually in URL form.

In the following example, the Issuer is https://idcloud-customer.com:443. It appears twice: on the Response and on the Assertion. The ds:Reference of the signature points at the Assertion ID, so the Issuer inside the Assertion is the one covered by the signature and is the value the SP should compare with its configured issuer.

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nevis-idc-poc.zendesk.com/access/saml" ID="Response_4198c277f78bdddc6407a4f000ecbb9bc736a21d" InResponseTo="samlr-646cc9ee-6181-11ec-8c71-9a44010eccb8" IssueInstant="2021-12-20T10:42:01.290Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idcloud-customer.com:443</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="Assertion_5095c848844fec0df9b41ba804d400a00b474b7c" IssueInstant="2021-12-20T10:42:01.287Z" Version="2.0">
    <saml2:Issuer>https://idcloud-customer.com:443</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#Assertion_5095c848844fec0df9b41ba804d400a00b474b7c">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>UU/if6/6HlYrRS7rCTadVYAU1LuuHZEPI83lwSHdMZI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID>[email protected]</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-12-20T10:42:01.287Z" NotOnOrAfter="2021-12-20T10:43:01.287Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>nevis-idc-poc.zendesk.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="external_id">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">372c3bbd-3e6b-44b5-baff-5ad33d199467</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
info

Issuer is an attribute of WEB
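The following Python is an added example, not Identity Cloud code or an official SP implementation. It runs the checks an SP should apply to a response like the one above: Status, Destination, InResponseTo, Issuer on both the Response and the Assertion, a single Assertion, the Conditions time window and the Audience. The SP URLs are assumed values and the sample response is a constructed copy of the example with the signature removed. It deliberately does not verify the XML signature; a real SP must do that first, with an XML-DSig library and the configured Identity Cloud signer certificate, and should parse untrusted XML with defusedxml rather than the standard library parser used here for brevity.

```python
# Added example (not Identity Cloud code): SP-side checks on a SAML response.
# Signature verification is NOT included and must happen before these checks.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample modelled on the response shown above; SP URLs are assumed,
# the ds:Signature element is omitted.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://sp.your-company.com/saml/acs" ID="Response_1"
    InResponseTo="samlr-1" IssueInstant="2021-12-20T10:42:01.290Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idcloud-customer.com:443</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="Assertion_1"
      IssueInstant="2021-12-20T10:42:01.287Z" Version="2.0">
    <saml2:Issuer>https://idcloud-customer.com:443</saml2:Issuer>
    <saml2:Subject><saml2:NameID>eb363ae0-b2b2-4cc6-9e7b-36dcf84cd20c</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2021-12-20T10:42:01.287Z" NotOnOrAfter="2021-12-20T10:43:01.287Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sp.your-company.com/SAML</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_instant(value):
    """SAML timestamps are UTC with a trailing Z; fromisoformat() needs +00:00 before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _text(el):
    return (el.text or "").strip() if el is not None else None


def check_response(xml_text, expected_issuer, expected_audience, expected_destination,
                   expected_in_response_to, now, skew=timedelta(seconds=30)):
    """Return a list of problems; an empty list means every check passed."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems = []

    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status: not Success")

    # Destination and InResponseTo tie the response to this ACS URL and to the
    # AuthnRequest this SP actually sent, which blocks replays captured elsewhere.
    if root.get("Destination") != expected_destination:
        problems.append("destination: %r" % (root.get("Destination"),))
    if root.get("InResponseTo") != expected_in_response_to:
        problems.append("in_response_to: %r" % (root.get("InResponseTo"),))

    if _text(root.find("saml2:Issuer", NS)) != expected_issuer:
        problems.append("response issuer: %r" % (_text(root.find("saml2:Issuer", NS)),))

    # Exactly one Assertion, and only as a direct child: extra or nested
    # assertions are the raw material of signature-wrapping attacks.
    all_assertions = list(root.iter("{%s}Assertion" % NS["saml2"]))
    direct = root.findall("saml2:Assertion", NS)
    if len(all_assertions) != 1 or len(direct) != 1:
        problems.append("assertion count: %d" % len(all_assertions))
        return problems
    assertion = direct[0]

    # The Assertion's own Issuer is the one covered by the signature, so check it too.
    if _text(assertion.find("saml2:Issuer", NS)) != expected_issuer:
        problems.append("assertion issuer: %r" % (_text(assertion.find("saml2:Issuer", NS)),))

    conditions = assertion.find("saml2:Conditions", NS)
    if conditions is None:
        problems.append("conditions: missing")
        return problems
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and parse_instant(not_before) > now + skew:
        problems.append("not yet valid: %s" % not_before)
    if not_on_or_after and parse_instant(not_on_or_after) <= now - skew:
        problems.append("expired: %s" % not_on_or_after)

    audiences = [_text(a) for a in conditions.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience: %r" % (audiences,))
    return problems
```

The one-minute window in the sample (NotBefore to NotOnOrAfter) is why the clock skew allowance is small; an SP whose clock drifts by more than that will reject every response, which is the correct failure mode.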

Metadata endpoint

The Metadata endpoint returns SAML metadata in XML format. The metadata includes the EntityID, the endpoints, the X.509 certificate Identity Cloud uses to sign SAML messages, and the NameID format. Service Providers (SPs) can import it to configure their SAML integration with Identity Cloud instead of copying each value by hand.

info

Metadata endpoint is an attribute of WEB

Outbound binding

Outbound binding defines how SAML messages are returned to the initiating application: Identity Cloud instructs the user agent (the browser) to deliver the message to the Assertion Consumer Service URL, either with an HTTP POST or with an HTTP redirect (302) that results in a GET.

  • Post - uses a self-submitting form to send a POST. The message is base64-encoded in the body.
  • Redirect - uses a 302 redirect to send a GET. The message is DEFLATE-compressed and base64-encoded in a query parameter of the URL.

Functionally the two are equivalent, so you can choose what your service provider prefers. Note that with Redirect the message is part of the URL, so it ends up in browser history and web server logs and is subject to URL length limits, and the XML cannot carry an embedded signature (a Redirect-bound message is signed over the query string instead). A signed SAML response is therefore normally delivered with Post.

info

Outbound binding is an attribute of WEB

SSO service URL

The SSO service URL is the single sign-on endpoint of the SAML 2.0 Identity Provider. Identity Cloud uses the same URL for all supported SAML 2.0 flows and for both bindings. It is provided by Identity Cloud.

Configure the SSO service URL in your application or SAML 2.0 Service Provider (SP).

The SP initiates authentication by making the user agent (for example, the browser) send a SAML authentication request (AuthnRequest) to the SSO service URL using Post or Redirect. The SP should remember the ID of each AuthnRequest it sends so that it can match the InResponseTo of the returned response.

info

SSO service URL is an attribute of WEB
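The Python below is an added example that is not Identity Cloud code; it covers both the Outbound binding section and the SSO service URL section. An SP builds a minimal AuthnRequest for the SSO service URL and wraps it once for the HTTP-Redirect binding (raw DEFLATE, base64, query parameter) and once for the HTTP-POST binding (base64 in a hidden form field), and the receiving side decodes each. The same two encodings carry a SAMLResponse back to the ACS URL, with the parameter name changed to SAMLResponse. SSO_URL, SP_ENTITY_ID and ACS_URL are assumed values.

```python
# Added example (not Identity Cloud code): SAML HTTP-Redirect and HTTP-POST bindings.
import base64
import html
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

SSO_URL = "https://idcloud-customer.com/saml2/sso"   # assumed SSO service URL
SP_ENTITY_ID = "https://sp.your-company.com/SAML"    # assumed SP entity ID
ACS_URL = "https://sp.your-company.com/saml/acs"     # assumed ACS URL
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest; the SP keeps request_id to check InResponseTo later."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
        'AssertionConsumerServiceURL="%s" ProtocolBinding="%s">'
        '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
        % (request_id, issue_instant, SSO_URL, ACS_URL, POST_BINDING, SP_ENTITY_ID)
    )


def encode_redirect(xml_text, relay_state=None, param="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {param: base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    # A signed Redirect message adds SigAlg and Signature parameters computed over
    # this query string; the XML itself carries no ds:Signature in this binding.
    return SSO_URL + "?" + urlencode(params)


def decode_redirect(url, param="SAMLRequest"):
    """Receiver side of the Redirect binding: returns (xml_text, relay_state)."""
    query = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(query[param][0])
    return zlib.decompress(raw, -15).decode("utf-8"), query.get("RelayState", [None])[0]


def encode_post(xml_text, relay_state=None, param="SAMLRequest"):
    """HTTP-POST binding: base64 only, carried in hidden fields of a self-submitting form."""
    fields = {param: base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def post_form_html(fields, action=SSO_URL):
    """Self-submitting form; values are HTML-escaped because RelayState is attacker-influenced."""
    inputs = "".join(
        '<input type="hidden" name="%s" value="%s"/>' % (html.escape(k), html.escape(v))
        for k, v in fields.items()
    )
    return ('<form method="post" action="%s">%s<noscript><button>Continue</button></noscript>'
            '</form><script>document.forms[0].submit();</script>' % (html.escape(action), inputs))


def decode_post(fields, param="SAMLRequest"):
    """Receiver side of the POST binding: returns (xml_text, relay_state)."""
    return base64.b64decode(fields[param]).decode("utf-8"), fields.get("RelayState")
```

The Redirect URL produced here contains the whole request, which is why it shows up in proxy and web server logs; with a signed response of a few kilobytes that is one more reason the POST binding is the usual choice for the return leg.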

Subject

Subject defines whether the User Id or the Email is used as the NameID in the Subject of the SAML assertion.

Example for User Id:

<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">eb363ae0-b2b2-4cc6-9e7b-36dcf84cd20c</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2022-07-15T08:51:09.529Z"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>

Example for Email:

<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2022-07-15T08:47:38.035Z"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>

We recommend selecting User Id: the value never changes for a given user, so the account link on the SP side survives an email change, and it does not expose the user's email. An email address can change, so an SP that keys its accounts on the email NameID must handle such a change; the SP must also check the SubjectConfirmationData NotOnOrAfter shown above, in addition to the assertion's Conditions.

Select Email only if your service provider needs the user's email in the Subject.

info

Subject is an attribute of WEB

X509 Signer Certificate

The X509 Signer Certificate is needed if your SP signs the AuthnRequest, so that the signature on the request can be verified. It is defined by your application and is optional.

The X509 Signer Certificate has to be encoded in PEM format.

You can extract the certificate from the configuration of the Service Provider (SP), or from the SAML metadata file of the SP, where it is the X509Certificate inside the KeyDescriptor with use="signing" (a KeyDescriptor without a use attribute serves for signing and encryption alike). Whenever the SP rotates its signing key, this attribute must be updated as well, or signed requests will be rejected.

info

X509 Signer Certificate is an attribute of WEB
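The Python below is an added example, not Identity Cloud code. It serves both the Metadata endpoint section (reading an IdP's EntityID, SSO endpoints, NameID format and signing certificate from the metadata it returns) and this section (pulling the SP's signing certificate out of its metadata file and turning it into the PEM form this attribute expects). Both metadata documents are constructed samples and the certificate bodies are placeholder bytes, not real certificates; the entity IDs and URLs are assumed.

```python
# Added example (not Identity Cloud code): parse SAML 2.0 metadata and emit PEM certificates.
import base64
import textwrap
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Placeholder certificate bytes (constructed, NOT a real DER certificate).
FAKE_DER = b"placeholder, not a real certificate " * 6
FAKE_B64 = base64.b64encode(FAKE_DER).decode("ascii")

# Constructed SP metadata, with the certificate wrapped across lines as real files often are.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.your-company.com/SAML">
  <md:SPSSODescriptor AuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.your-company.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % textwrap.fill(FAKE_B64, 64)

# Constructed IdP metadata of the kind a metadata endpoint returns.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idcloud-customer.com:443">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idcloud-customer.com/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idcloud-customer.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_B64


def to_pem(x509_certificate_text):
    """Normalise an X509Certificate value (any whitespace removed) into a PEM block."""
    body = "".join(x509_certificate_text.split())
    base64.b64decode(body, validate=True)  # garbage in the metadata fails here, not later
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Inverse of to_pem, handy for comparing against a certificate obtained elsewhere."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def parse_metadata(xml_text):
    """Return entity ID, role, endpoints, NameID formats and signing certificates (PEM)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    info = {"entity_id": root.get("entityID"), "role": None, "authn_requests_signed": False,
            "name_id_formats": [], "endpoints": [], "signing_certs": []}
    for role, tag, ep_tag in (("IdP", "md:IDPSSODescriptor", "md:SingleSignOnService"),
                              ("SP", "md:SPSSODescriptor", "md:AssertionConsumerService")):
        desc = root.find(tag, NS)
        if desc is None:
            continue
        info["role"] = role
        info["authn_requests_signed"] = desc.get("AuthnRequestsSigned") == "true"
        info["name_id_formats"] = [(e.text or "").strip() for e in desc.findall("md:NameIDFormat", NS)]
        info["endpoints"] = [(e.get("Binding"), e.get("Location")) for e in desc.findall(ep_tag, NS)]
        for kd in desc.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a 'use' attribute applies to signing and encryption alike.
            if kd.get("use") in (None, "signing"):
                for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                    info["signing_certs"].append(to_pem(cert.text))
    return info
```

Metadata is only as trustworthy as the channel it came over: fetch the IdP's metadata over HTTPS from the documented endpoint and pin the resulting certificate in the SP configuration, rather than re-fetching it on every login.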