SAML application attributes
Audience
The application or the Service Provider (SP) verifies if the Audience matches the recipient of a SAML response. The Audience is defined by your application and is optional. It has a URL format, for example https://sp.your-company.com/SAML.
Audience is an attribute of WEB
Assertion Consumer Service URL
The Assertion Consumer Service URL directs the Identity Cloud identity provider where to send its SAML response after successful user authentication.
Assertion Consumer Service URL is an attribute of WEB
Identity Cloud issuer
Identity Cloud uses the value of Identity Cloud issuer for the 'Issuer' in the SAML response. It is generated by Identity Cloud based on your domain. To learn about your domain, see Domain.
Add Identity Cloud issuer to the configuration of your service provider to validate the SAML response.
For more information on how Identity Cloud uses SAML, see SAML 2.0 endpoints.
Identity Cloud issuer is an attribute of WEB
Identity Cloud signer certificate
Identity Cloud uses the Identity Cloud signer certificate to sign outgoing SAML messages, for example, the SAML response. It is generated by Identity Cloud.
Add the Identity Cloud signer certificate to the configuration of your service provider to validate the signature.
Identity Cloud signer certificate is an attribute of WEB
Issuer
The Service Provider uses the Issuer to validate SAML assertions. The Issuer must be unique and can be at most 1024 characters long.
In a SAML response, the Issuer contains the 'Entity ID' of the Identity Provider (IdP) in a URL format.
In the following example, the Issuer is https://idcloud-customer.com:443.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://nevis-idc-poc.zendesk.com/access/saml" ID="Response_4198c277f78bdddc6407a4f000ecbb9bc736a21d" InResponseTo="samlr-646cc9ee-6181-11ec-8c71-9a44010eccb8" IssueInstant="2021-12-20T10:42:01.290Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idcloud-customer.com:443</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="Assertion_5095c848844fec0df9b41ba804d400a00b474b7c" IssueInstant="2021-12-20T10:42:01.287Z" Version="2.0">
    <saml2:Issuer>https://idcloud-customer.com:443</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
        <ds:Reference URI="#Assertion_5095c848844fec0df9b41ba804d400a00b474b7c">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs" />
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
          <ds:DigestValue>UU/if6/6HlYrRS7rCTadVYAU1LuuHZEPI83lwSHdMZI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID>[email protected]</saml2:NameID>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2021-12-20T10:42:01.287Z" NotOnOrAfter="2021-12-20T10:43:01.287Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>nevis-idc-poc.zendesk.com</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="external_id">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">372c3bbd-3e6b-44b5-baff-5ad33d199467</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">User</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
Issuer is an attribute of WEB
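The checks a service provider performs on the Issuer, Audience and Conditions fields of a response like the one above, as an added example that is not Identity Cloud code. It assumes the XML signature has already been verified with the Identity Cloud signer certificate, and uses a constructed, cut-down copy of the response as input.

```python
# Added example, not Identity Cloud code. The XML signature must already have been
# verified with the Identity Cloud signer certificate before these fields are trusted.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, cut down from the response above (signature and attributes removed).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="Response_1" Version="2.0"
  Destination="https://nevis-idc-poc.zendesk.com/access/saml" IssueInstant="2021-12-20T10:42:01.290Z">
  <saml2:Issuer>https://idcloud-customer.com:443</saml2:Issuer>
  <saml2:Assertion ID="Assertion_1" IssueInstant="2021-12-20T10:42:01.287Z" Version="2.0">
    <saml2:Issuer>https://idcloud-customer.com:443</saml2:Issuer>
    <saml2:Conditions NotBefore="2021-12-20T10:42:01.287Z" NotOnOrAfter="2021-12-20T10:43:01.287Z">
      <saml2:AudienceRestriction><saml2:Audience>nevis-idc-poc.zendesk.com</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""

def parse_ts(value):  # SAML UTC timestamps such as 2021-12-20T10:42:01.287Z (fraction optional)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_issuer, expected_audience, now, skew=timedelta(seconds=30)):
    """Return the list of failed checks; an empty list means the response is acceptable."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        return ["expected exactly one Assertion"]
    assertion, failures = assertions[0], []
    # Both the Response and the Assertion carry an Issuer; each must name the configured IdP.
    for issuer in (root.find("saml2:Issuer", NS), assertion.find("saml2:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != expected_issuer:
            failures.append("Issuer does not match the configured Identity Cloud issuer")
            break
    cond = assertion.find("saml2:Conditions", NS)
    if cond is None:
        return failures + ["Conditions element missing"]
    if now + skew < parse_ts(cond.get("NotBefore")):      # not yet valid
        failures.append("assertion not yet valid (NotBefore)")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):  # NotOnOrAfter is exclusive
        failures.append("assertion expired (NotOnOrAfter)")
    audiences = [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if expected_audience not in audiences:
        failures.append("Audience does not name this service provider")
    return failures
```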
Metadata endpoint
The Metadata endpoint returns SAML metadata in XML format. The metadata includes: EntityID, endpoints, the X.509 certificate for signing SAML messages, as well as the NameID format. The metadata can be used by Service Providers (SPs) to configure their SAML integration with Identity Cloud.
Metadata endpoint is an attribute of WEB
Outbound binding
Outbound binding defines how SAML messages are returned to the initiating application. Identity Cloud instructs the user agent (browser) to send the message to the Assertion Consumer Service URL, using either an 'HTTP POST' or an 'HTTP redirect' (302) leading to a 'GET'.
- Post - uses a self-submitting form to send a POST. The message is included in the body.
- Redirect - uses a 302 redirect to send a GET. The message is included as a query parameter.
As the differences are minimal, you can choose what your service provider prefers.
Outbound binding is an attribute of WEB
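How the message is packed and unpacked under the two bindings, as an added example that is not Identity Cloud code. The encoding steps (base64 for Post; raw DEFLATE, base64 and URL-encoding for Redirect) come from the SAML 2.0 Bindings specification rather than this page, and the message and size limit are constructed for the demonstration.

```python
# Added example, not Identity Cloud code. Encoding steps follow the SAML 2.0 Bindings
# specification; the short message and the size limit below are constructed for the demo.
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_MESSAGE_BYTES = 256 * 1024  # refuse to inflate anything larger (decompression-bomb guard)
SAMPLE_MESSAGE = (b'<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
                  b'ID="Response_1" Version="2.0"><saml2:Issuer '
                  b'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
                  b'https://idcloud-customer.com:443</saml2:Issuer></saml2p:Response>')

def encode_post(xml_bytes):
    """Post binding: the message goes base64-encoded into the SAMLResponse field of the self-submitting form."""
    return {"SAMLResponse": base64.b64encode(xml_bytes).decode("ascii")}

def decode_post(form):
    return base64.b64decode(form["SAMLResponse"], validate=True)

def encode_redirect(acs_url, xml_bytes):
    """Redirect binding: raw DEFLATE, then base64, then URL-encode into the query of the 302 Location."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    return acs_url + "?" + urlencode({"SAMLResponse": base64.b64encode(deflated).decode("ascii")})

def decode_redirect(location):
    params = parse_qs(urlsplit(location).query)
    deflated = base64.b64decode(params["SAMLResponse"][0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(deflated, MAX_MESSAGE_BYTES)
    if inflater.unconsumed_tail or not inflater.eof:    # output would exceed the limit
        raise ValueError("SAMLResponse exceeds the configured size limit")
    return xml_bytes
```

A full signed response like the one shown under Issuer is considerably larger than this sample, and URL length limits in browsers and servers are the usual reason service providers pick Post for responses.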
SSO service URL
SSO service URL is the URL of the SAML 2.0 Identity Provider. Identity Cloud uses the same URL for all supported SAML 2.0 flows. It is provided by Identity Cloud.
Configure the SSO service URL in your application or SAML 2.0 Service Provider (SP).
The SP initiates authentication by making the user agent (for example, a browser) send a SAML authentication request (AuthnRequest) to the SSO service URL using Post or Redirect.
SSO service URL is an attribute of WEB
Subject
Subject defines whether the User Id or the Email is used in the Subject of the SAML Assertion.
Example for User Id:
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">eb363ae0-b2b2-4cc6-9e7b-36dcf84cd20c</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2022-07-15T08:51:09.529Z"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>
Example for Email:
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2022-07-15T08:47:38.035Z"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>
We recommend selecting User Id, as this value never changes for a given user and does not expose the user email.
Select Email only if your service provider needs the user's email in the Subject.
Subject is an attribute of WEB
X509 Signer Certificate
X509 Signer Certificate is needed if your SP signs the AuthnRequest. It is defined by your application and is optional.
The X509 Signer Certificate has to be encoded in PEM format.
You can extract the certificate from the configuration of the Service Provider (SP), or the SAML metadata file of the SP.
X509 Signer Certificate is an attribute of WEB