Endpoints

Identity Cloud supports SAML 2.0, and serves as identity provider.

Applications supporting SAML 2.0 serve as service providers, and can use Identity Cloud to authenticate users using the Web Browser SSO Profile.

Single sign-on service

Service providers can initiate a login by redirecting the user agent (browser) to the Identity Cloud single sign-on service (SSO). The SSO service URL is:

https://${instanceId}.id.nevis.cloud/auth/saml/sso/

The SSO service supports HTTP-POST and HTTP-Redirect binding.

The following parameters are supported:

• SAMLRequest - required.
• RelayState - optional.

The SAMLRequest has to contain a SAML AuthnRequest message. It is required that the AuthnRequest contains an Issuer element, and the AssertionConsumerService attribute.

When validating incoming requests, both values are compared to what you entered when adding the application.

• Issuer
• Assertion Consumer Service URL

It is recommended to sign the AuthnRequest to rule out that an attacker can send the user to the SSO service URL requesting authentication.

The RelayState may be used by service providers to redirect the user back to the originally requested application. Identity Cloud returns the provided value after successful authentication.

Service providers should validate the value received in the RelayState to prevent that the user is redirected to a malicious third party.

When using HTTP-POST binding, the parameters must be sent in the request body.

When using HTTP-Redirect binding, SAML messages must be sent using query parameters. The following example illustrates the basic URL structure:

https://${instanceId}.id.nevis.cloud/auth/saml/sso/?SAMLRequest=...&RelayState=...

The order of query parameters does not matter.

The SAMLRequest query parameter has to contain a deflated, base64-encoded, and URL-encoded AuthnRequest message.

Known issues and limitations

During login, an initial session is created in Identity Cloud. The session has a short idle timeout.

If the session expires during login, the next request restarts the login flow from the beginning.

In case of HTTP-POST binding, the SAML authentication request is lost, and thus the login fails.

Metadata service

SAML metadata is an XML document that contains information about SAML-enabled parties.

Identity Cloud offers a metadata service that can provide such a document to describe the Identity Cloud as identity provider.

The metadata service URL is the following:

https://${instanceId}.id.nevis.cloud/auth/saml/metadata/

The following XML extract illustrates a typical response.

note

To improve readability, we removed elements that are long or too specific, and added line breaks and indention.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="__e18a16e3d97b260042dbf7eb4ac37286d9ffcf48">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#__e18a16e3d97b260042dbf7eb4ac37286d9ffcf48">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>...</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>...</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <md:EntityDescriptor ID="__d0c493ef2ea31c0bc4519070cc731b32d16a02ad" entityID="https://idcloud-customer.com:443">
        <md:IDPSSODescriptor ID="__5315c454545db30fd0b313eb9c091081caa6073a" WantAuthnRequestsSigned="false" cacheDuration="P0Y0M0DT1H0M0.000S" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" validUntil="2022-03-01T10:06:24.584Z">
            <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509SKI>...</ds:X509SKI>
                        <ds:X509Certificate>...</ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </md:KeyDescriptor>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://${instanceId}.id.nevis.cloud/auth/saml/sso/"/>
            <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://${instanceId}.id.nevis.cloud/auth/saml/sso/"/>
            ...
        </md:IDPSSODescriptor>
    </md:EntityDescriptor>
</md:EntitiesDescriptor>

Known issues and limitations

• Calling the endpoint fails when no applications of Protocol type SAML are added.
• Even if you have more than one application of Protocol type SAML, only one SAML metadata document is returned.
• Attributes mentioned in this topic may apply to some applications only.