# Open the application SAML Identity Provider function

Open the application SAML Identity Provider function

# Register an Authing account and create a new application

To use SAML2 IdP on the Authing cloud, you need to register an Authing account (opens new window) and create an application (opens new window).

# Create an application

In Control Panel> Apps> App List, click the "Create App" button on the right. Create Application

Create application

In the drawer that pops up on the right, enter the relevant information, application name, callback link, and authentication address can be filled in at will. The rest of the configuration can keep the default. Click "Create". Create Application

Enter application information

# Enable SAML2 Identity Provider function

Find the application you just created and click "Configuration". Configuration Application

Enter application configuration

Click the "Configure SAML2 Identity Provider" tab, and then click the "Enable SAML2 Provider" slider to enable SAML IdP.

Enable SAML2 Provider

# Configure SAML2 Identity Provider

Default ACS address: By default, SAML2 Identity Provider will send the SAML Response to the consumer address specified in the SAML Request (where it came from and where to go back, you can go back to Access SAML chapter Check the SAML Request, pay attention to the AssertionConsumerServiceURL, Authing will send SAML identity assertions to this address by default), if the consumer address is not specified in the SAML Request, Authing will send the SAML Response to The address filled in here. You can get it from SP to this address and fill it in here. If you can't find it at the SP, you may wish to fill in one at random, but some SPs will not specify the consumption address in the SAML Request. In this case, the correct address must be filled in**.

Settings: Advanced configuration of SAML2 Identity Provider, you need to fill in an object in JSON format, including the following:

key	type	description	default value
samlRequestSigningCert	string	SAML Request certificate verification certificate, you can get the certificate content from SP. After filling in this field, the SAML Request will be considered signed, and the signature will be checked for legality. If the SP does not sign the request, it will reject the SAML Request and cause authentication failure.	-
nameIdentifierFormat	string	The unique identifier format in the SAML Response.	urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
lifetimeInSeconds	number	The expiration time of the SAML identity assertion, in seconds.	3600
authnContextClassRef	string	SAML authentication context	urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
signatureAlgorithm	string	SAML assertion signature algorithm	http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
mappings	object	Attribute mapping dictionary, the fields in the Authing user information are mapped to the mapping dictionary in the SAML identity assertion, the key on the left represents the user's information field in Authing, on the right The value of represents the name of the attribute in the SAML identity assertion**.	No field mapping by default
destination	string	Destination in SAML Response	The default is `AssertionConsumerServiceURL` in SAML Request. If it does not exist, it is the configured default ACS address
recipient	string	recipient in SAML Response	The default is `AssertionConsumerServiceURL` in SAML Request, if it does not exist, it is the configured default ACS address
audience	string	audience in SAML Response	The default is `AssertionConsumerServiceURL` in SAML Request. If it does not exist, it is the configured default ACS address
emailDomainSubstitution	string	Email domain replacement, the mailbox domain name in the identity in the SAML assertion will be replaced with the content filled in here, some SPs require the email domain in the identity assertion to be specific content. If you fill in this field, user pool registration must be prohibited, otherwise there is a risk of account fraud.	-

Example:

{
  "audience": null,
  "recipient": "https://signin.aliyun.com/saml/SSO",
  "destination": "https://signin.aliyun.com/saml/SSO",
  "mappings": {
    "email": "Email",
    "username": "UserName"
  },
  "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
  "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "lifetimeInSeconds": 3600,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "SamlRequestSigningCert": "----- BEGIN CERTIFICATE -----  nMIICyDCCAjGgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCdXMx  nDTALBgNVBAgMBGFzZGYxDTALBgNVBAoMBGFzZGYxGDAWBgNVBAMMD2lkcDMuYXV0  naGluZy5jbjENMAsGA1UEBwwEYXNkZjENMAsGA1UECwwEYXNkZjEbMBkGCSqGSIb3  nDQEJARYMYXNkZkAxMjMuY29tMB4XDTE5MDUyNTA1NTgwMFoXDTIwMDUyNDA1NTgw  nMFowgYAxCzAJBgNVBAYTAnVzMQ0wCwYDVQQIDARhc2RmMQ0wCwYDVQQKDARhc2Rm  nMRgwFgYDVQQDDA9pZHAzLmF1dGhpbmcuY24xDTALBgNVBAcMBGFzZGYxDTALBgNV  nBAsMBGFzZGYxGzAZBgkqhkiG9w0BCQEWDGFzZGZAMTIzLmNvbTCBnzANBgkqhkiG  n9w0BAQEFAAOBjQAwgYkCgYEA2gggFHKUYkoEp83BfGgVjBiev + MIBm + AOuKVqIAX  naJDa1NHL + ApBWsfbKNoPPMy8sZdCBrDm6w5cx9cBjw4uBUap3elxr + MiFoCCc2Eg  nJundFhBVXkU6TafLzfoW4w6 / yonmQ798nBKQrTmdc76tpT9xCwU2AmS5ooScQ9Xu  nNn0CAwEAAaNQME4wHQYDVR0OBBYEFMDHVJxYcOlCxnnRi1Lx4tj7gWKNMB8GA1Ud  nIwQYMBaAFMDHVJxYcOlCxnnRi1Lx4tj7gWKNMAwGA1UdEwQFMAMBAf8wDQYJKoZI  nhvcNAQEFBQADgYEAvDodW / ewvCEadY4PCFaBT0ZqoEvrb96hOrbP2hZV4lkCMbLq  noPWASgGTNr9TPnxGCvP9xOv77wzgLs7EAOI + ea1D + NIjUuKnjCLLBv034vMp8bRI  n / Ea9AsGqVCr8tK / 3dPoJ MxHIjs2cpqNdDcalCZkwBZ1Z0c0YtKIVDFnym5U=\n-----END CERTIFICATE-----",
  "emailDomainSubstitution": "authing.onaliyun.com"
}

Custom SAML Response Properties: You can add some custom attributes to the SAML identity assertion, and the newly added attributes will appear in the Attribute of the SAML identity assertion.

Example:

Configure custom SAML Response properties

Configure custom SAML Response attributes

The above configuration will add the following attributes to the SAML identity assertion:

<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qcs::cam::uin/2165337796:roleName/authing,qcs::cam: :uin/2165337796:saml-provider/authing
  </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test
  </saml:AttributeValue>
</saml:Attribute>

You can also dynamically read the fields from the user information of Authing, and type in the rightmost text box in a row: My email is ${user.email} and my gender is ${user.gender}. Dynamic read user information field

Dynamically read user information fields

This content will add the following attributes to the SAML identity assertion:

<saml:Attribute Name="CustomName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">My email is yezuwei@authing.cn and my gender is M
  </saml:AttributeValue>
</saml:Attribute>

← Authorize with OAuth Create SAML2 Identity Federation Connection →