Endpoints
Identity Cloud supports SAML 2.0, and serves as identity provider.
Applications supporting SAML 2.0 serve as service providers, and can use Identity Cloud to authenticate users using the Web Browser SSO Profile.
Single sign-on service
Service providers can initiate a login by redirecting the user agent (browser) to the Identity Cloud single sign-on service (SSO). The SSO service URL is:
https://${instanceId}.id.nevis.cloud/auth/saml/sso/
The SSO service supports HTTP-POST and HTTP-Redirect binding.
The following parameters are supported:
- SAMLRequest - required.
- RelayState - optional.
The SAMLRequest has to contain a SAML AuthnRequest message. It is required that the AuthnRequest contains an Issuer element, and the AssertionConsumerService attribute.
When validating incoming requests, both values are compared to what you entered when adding the application.
It is recommended to sign the AuthnRequest, so that an attacker cannot send the user to the SSO service URL with a forged authentication request.
The RelayState may be used by service providers to redirect the user back to the originally requested application. Identity Cloud returns the provided value unchanged after successful authentication. Service providers should validate the value received in the RelayState to prevent the user from being redirected to a malicious third party.
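The RelayState check described above, as an added example on the service-provider side (this is not Identity Cloud or Nevis code). The allowed host `app.example.test` is a constructed placeholder; the validator accepts only a site-relative path or an absolute https URL on an allowed host, and rejects protocol-relative references, userinfo tricks, other schemes, control characters and oversized values:

```python
from urllib.parse import urlsplit

# The SAML 2.0 Bindings specification limits RelayState to 80 bytes.
MAX_RELAY_STATE_BYTES = 80

# Hosts this (hypothetical) service provider is willing to redirect to.
ALLOWED_HOSTS = frozenset({"app.example.test"})


def is_safe_relay_state(relay_state: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if relay_state is a redirect target the SP may follow.

    Accepted: a site-relative path such as "/orders/42", or an absolute https
    URL whose host is in allowed_hosts. Everything else is rejected.
    """
    if not relay_state or len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return False
    # Browsers treat "\" like "/", and CR/LF or NUL can corrupt a Location header.
    if any(c in relay_state for c in "\\\r\n\x00"):
        return False
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc:
        # Relative reference: exactly one leading slash ("//host" is protocol-relative).
        return relay_state.startswith("/") and not relay_state.startswith("//")
    # Absolute reference: https only, and the parsed host (not the userinfo) must be allowed.
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def post_login_target(relay_state, default="/"):
    """Pick where to send the user after a successful SAML response."""
    if relay_state is not None and is_safe_relay_state(relay_state):
        return relay_state
    return default


if __name__ == "__main__":
    for candidate in ("/orders/42", "//evil.test/x", "https://app.example.test@evil.test/"):
        print(candidate, "->", post_login_target(candidate))
```

The validator parses the value with `urlsplit` rather than matching prefixes, because an attacker-controlled host can appear after `@` or after `//` in a string that still starts with a trusted-looking prefix.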
When using HTTP-POST binding, the parameters must be sent in the request body.
When using HTTP-Redirect binding, SAML messages must be sent using query parameters. The following example illustrates the basic URL structure:
https://${instanceId}.id.nevis.cloud/auth/saml/sso/?SAMLRequest=...&RelayState=...
The order of query parameters does not matter.
The SAMLRequest query parameter has to contain a deflated, base64-encoded, and URL-encoded AuthnRequest message.
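The HTTP-Redirect encoding described above (deflate, base64, URL-encode), as an added example that is not part of the original documentation or of any Nevis library. It builds a minimal AuthnRequest with the Issuer element and the AssertionConsumerServiceURL attribute, composes the SSO URL, and decodes it again to show what the receiving side must do. The instance id `example-instance`, the issuer and the ACS URL are constructed placeholders; request signing is left out:

```python
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

# Placeholder instance id; a real tenant substitutes its own.
INSTANCE_ID = "example-instance"
SSO_URL = f"https://{INSTANCE_ID}.id.nevis.cloud/auth/saml/sso/"


def attr(value: str) -> str:
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(request_id: str, issuer: str, acs_url: str, issue_instant: str) -> str:
    """Build a minimal AuthnRequest carrying the Issuer element and the
    AssertionConsumerServiceURL attribute that the SSO service compares
    against the registered application."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{attr(request_id)}" Version="2.0" IssueInstant="{attr(issue_instant)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{attr(acs_url)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_message(xml: str) -> str:
    """Raw DEFLATE (no zlib header) followed by base64, as the HTTP-Redirect
    binding requires. URL-encoding is applied when the query string is built."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_message(value: str) -> str:
    """Reverse of encode_redirect_message: base64-decode, then inflate raw DEFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_sso_redirect_url(authn_request_xml: str, relay_state: Optional[str] = None) -> str:
    """Compose the Location the SP redirects the browser to."""
    params = {"SAMLRequest": encode_redirect_message(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return SSO_URL + "?" + urlencode(params)  # urlencode percent-encodes '+', '/' and '='


def parse_sso_redirect_url(url: str):
    """Recover the AuthnRequest and RelayState from a redirect URL. parse_qs
    builds a mapping, so the order of the query parameters does not matter."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    xml = decode_redirect_message(query["SAMLRequest"][0])
    relay_state = query.get("RelayState", [None])[0]
    return xml, relay_state


if __name__ == "__main__":
    req = build_authn_request(
        request_id="_constructed-id-1",
        issuer="https://sp.example.test/metadata",   # constructed SP entityID
        acs_url="https://sp.example.test/saml/acs",  # constructed ACS URL
        issue_instant="2022-01-01T00:00:00Z",
    )
    url = build_sso_redirect_url(req, relay_state="/orders/42")
    print(url)
    print(parse_sso_redirect_url(url) == (req, "/orders/42"))
```

Note that `zlib.decompress(..., -15)` is the raw-DEFLATE mode; a message compressed with a zlib or gzip header would be rejected by a conforming SSO service.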
During login, an initial session is created in Identity Cloud. The session has a short idle timeout.
If the session expires during login, the next request restarts the login flow from the beginning.
In case of HTTP-POST binding, the SAML authentication request is lost, and thus the login fails.
Metadata service
SAML metadata is an XML document that contains information about SAML-enabled parties.
Identity Cloud offers a metadata service that can provide such a document to describe the Identity Cloud as identity provider.
The metadata service URL is the following:
https://${instanceId}.id.nevis.cloud/auth/saml/metadata/
The following XML extract illustrates a typical response.
To improve readability, we removed elements that are long or too specific, and added line breaks and indentation.
<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="__e18a16e3d97b260042dbf7eb4ac37286d9ffcf48">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#__e18a16e3d97b260042dbf7eb4ac37286d9ffcf48">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor ID="__d0c493ef2ea31c0bc4519070cc731b32d16a02ad" entityID="https://idcloud-customer.com:443">
    <md:IDPSSODescriptor ID="__5315c454545db30fd0b313eb9c091081caa6073a" WantAuthnRequestsSigned="false" cacheDuration="P0Y0M0DT1H0M0.000S" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" validUntil="2022-03-01T10:06:24.584Z">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509SKI>...</ds:X509SKI>
            <ds:X509Certificate>...</ds:X509Certificate>
          </ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://${instanceId}.id.nevis.cloud/auth/saml/sso/"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://${instanceId}.id.nevis.cloud/auth/saml/sso/"/>
      ...
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
- Calling the endpoint fails when no applications of Protocol type SAML are added.
- Even if you have more than one application of Protocol type SAML, only one SAML metadata document is returned.
- Attributes mentioned in this topic may apply to some applications only.
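Consuming the metadata document above on the service-provider side, as an added example that is not part of the original documentation or of any Nevis library. The embedded metadata is a constructed sample modelled on the extract (placeholder entityID `https://idp.example.test`, placeholder certificate body, instance id `example-instance`); the parser extracts the entityID, the SSO endpoint per binding, the signing certificates and the WantAuthnRequestsSigned flag, and checks validUntil against a supplied clock. Verifying the enveloped XML signature is out of scope here and must happen before any of these values are trusted:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional, Union

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample modelled on the documented extract; entityID, instance id
# and certificate body are placeholders, not values from any real tenant.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="__constructed">
  <md:EntityDescriptor entityID="https://idp.example.test">
    <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
        validUntil="2022-03-01T10:06:24.584Z" cacheDuration="P0Y0M0DT1H0M0.000S"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
        </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://example-instance.id.nevis.cloud/auth/saml/sso/"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://example-instance.id.nevis.cloud/auth/saml/sso/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_timestamp(value: str) -> datetime:
    """SAML uses xs:dateTime in UTC with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_idp_metadata(xml_bytes: bytes, now: Optional[Union[datetime, str]] = None) -> dict:
    """Extract what an SP needs from IdP metadata. The XML signature is NOT
    verified here; do that first on untrusted input."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_saml_timestamp(now)

    root = ET.fromstring(xml_bytes)
    # The service wraps the single EntityDescriptor in an EntitiesDescriptor; accept both.
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("entity is not an identity provider")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # a missing "use" means signing and encryption
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((cert.text or "").split()))  # strip base64 line breaks

    # validUntil may sit on the role, the entity or the outer container.
    valid_until_raw = idp.get("validUntil") or entity.get("validUntil") or root.get("validUntil")
    valid_until = parse_saml_timestamp(valid_until_raw) if valid_until_raw else None

    return {
        "entity_id": entity.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": certs,
        "valid_until": valid_until,
        "expired": valid_until is not None and now > valid_until,
    }


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso"], "expired:", info["expired"])
```

An SP should refresh the document before validUntil passes (cacheDuration in the sample is one hour) and, because the metadata comes over the network, parse it with a hardened parser such as defusedxml rather than the plain `xml.etree` used here for brevity.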