# Use Authing as SP and IdP at the same time

This tutorial describes how to use the SAML2 SP and SAML2 IdP hosted on the Authing cloud so that an enterprise or individual can quickly add single sign-on. After completing it, the SAML2 Service Provider and SAML2 Identity Provider running on the Authing cloud handle the SAML2 protocol flow, and you only need to deal with the user information and JWT Token returned by Authing.

When a user accesses a protected resource, the JWT Token they carry can be verified with the Authing SDK. If verification fails, redirect the user to the SAML Service Provider's cloud address; it exchanges messages with the IdP over the SAML protocol to authenticate the user and returns the user information in JSON format.
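The check-then-redirect flow described above, as an added example that is not the Authing SDK and not code from this page. It assumes (our assumption, not stated on the page) that the application token is an HS256 JWT signed with the application secret; `SP_LOGIN_URL` is a placeholder for your `https://[application domain name].authing.cn` address and the secret and claims are constructed sample values.

```python
# Added example (not the Authing SDK): verify the JWT a request carries and, if it
# fails, redirect to the SAML SP cloud address, as the page's flow describes.
# Assumption: the token is an HS256 JWT signed with the application secret; if your
# application issues RS256 tokens, replace the HMAC check with public-key verification.
import base64, hashlib, hmac, json, time

# Placeholder for https://[application domain name].authing.cn (your SP cloud address).
SP_LOGIN_URL = "https://APP_DOMAIN_PLACEHOLDER.authing.cn"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, secret, alg="HS256"):
    """Mint a token for testing; 'alg' is only written into the header."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_jwt(token, secret, now=None):
    """Return the claims when signature, algorithm and expiry are all good, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject 'none' and any other algorithm
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

def route_request(token, secret, sp_login_url=SP_LOGIN_URL, now=None):
    """Serve the resource when the token verifies; otherwise send the user to the SP."""
    claims = verify_jwt(token, secret, now) if token else None
    return ("allow", claims) if claims else ("redirect", sp_login_url)

if __name__ == "__main__":
    secret = "constructed-app-secret"
    good = sign_jwt({"sub": "alice", "exp": int(time.time()) + 3600}, secret)
    print(route_request(good, secret))   # ('allow', {...})
    print(route_request(None, secret))   # ('redirect', SP_LOGIN_URL)
```

The algorithm check and the constant-time comparison are the two details worth copying into whatever real verifier you use: accept only the algorithm you issued tokens with, and never let a missing or malformed `exp` pass.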

# Create an application

In Control Panel > Apps > App List, click the "Create App" button on the right.

Create application

In the drawer that opens on the right, enter the application details. The application name, callback link, and authentication address can be filled in freely; the remaining configuration can be left at its defaults. Click "Create".

Enter application information

# Enable SAML2 Identity Provider function

Find the application you just created and click "Configuration".

Enter application configuration

Click the "Configure SAML2 Identity Provider" tab, then click the "Enable SAML2 Provider" toggle to enable the SAML IdP.

Enable SAML2 Provider

# Download SAML2 Identity Provider signing certificate

Download and save the SAML2 Identity Provider signing certificate.

The download link is: https://core.authing.cn/api/v2/saml-idp/[application ID]/cert.

# Create a SAML2 Identity Federation

In Application Console > Connect Identity Source > Corporate Identity Source, click "Connect SAML IdP".

Create SAML2 Identity Federation Connection

In the drawer that pops up on the right, enter a connection identifier to uniquely identify this connection.

Open the certificate you just downloaded in a text editor and paste its content into the certificate text box used for signature verification.

Then enter the login address and logout address of the Authing SAML2 IdP in the login address and logout address input boxes below:

Login address: https://core.authing.cn/api/v2/saml-idp/[application ID].

Logout address: https://core.authing.cn/logout.

Fill in the information

Leave the rest of the configuration as default and click "Save".

Click the Settings button on the connection card you just created and record the ID of the SAML2 connection.

Find SAML2 connection ID

# Configure SAML2 Identity Provider

In Control Panel > Applications > Application List, find the application you just created, click "Configuration" to enter the application details, and click "Configure SAML2 Identity Provider".

In the default ACS address input box, fill in: https://core.authing.cn/v2/api/connection/saml/[SAML2 connection ID]/acs.

Fill in the following content in Settings:

```json
{
  "audience": null,
  "recipient": null,
  "destination": null,
  "mappings": null,
  "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha512",
  "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "lifetimeInSeconds": 3600,
  "signResponse": false,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "samlRequestSigningCert": ""
}
```

Finally click "Save".
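To see what the settings above mean on the receiving side, here is an added example (our code, not Authing's and not part of this tutorial) of the checks an SP performs on the SAML Response those settings shape: the `lifetimeInSeconds` validity window, `nameIdentifierFormat`, `authnContextClassRef`, and whether the Signature sits on the Assertion (`signResponse: false`) or on the whole Response (`signResponse: true`). The `null` fields leave the IdP defaults in place, so the expected Audience, Recipient and Destination are passed in as parameters. The ACS URL, entity ID and Response XML are constructed sample values; `CONNECTION_ID_PLACEHOLDER` stands for your SAML2 connection ID. The example checks structure and values only; verifying the XML signature itself needs an XML-DSig library such as python3-saml or xmlsec.

```python
# Added example (not Authing's code): SP-side checks of a SAML Response against the
# IdP settings shown on this page. It checks the validity window, Audience, Recipient,
# Destination, InResponseTo, NameID format, AuthnContextClassRef, and that a Signature
# element sits where signResponse says. It does NOT verify the XML signature itself.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Non-null values copied from the page's settings JSON.
IDP_SETTINGS = {
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
    "lifetimeInSeconds": 3600,
    "signResponse": False,
    "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

def ts(s):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def validate_response(xml_text, acs_url, audience, request_id, now_iso, settings=IDP_SETTINGS):
    """Return a list of problems; an empty list means every check passed."""
    now, errors = ts(now_iso), []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        errors.append("Destination does not match our ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no Assertion element"]
    signed = root if settings["signResponse"] else assertion  # which element must carry ds:Signature
    if signed.find("ds:Signature", NS) is None:
        errors.append("expected element is not signed")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        not_before, not_after = ts(cond.get("NotBefore")), ts(cond.get("NotOnOrAfter"))
        if now < not_before:
            errors.append("assertion not yet valid")
        if now >= not_after:
            errors.append("assertion expired")
        if not_after - not_before > dt.timedelta(seconds=settings["lifetimeInSeconds"]):
            errors.append("validity window longer than lifetimeInSeconds")
        aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if aud is None or aud.text != audience:
            errors.append("Audience does not match our entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no SubjectConfirmationData element")
    else:
        if scd.get("Recipient") != acs_url:
            errors.append("Recipient does not match our ACS URL")
        if scd.get("InResponseTo") != request_id:
            errors.append("InResponseTo does not match the AuthnRequest we sent")
        if now >= ts(scd.get("NotOnOrAfter")):
            errors.append("subject confirmation expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != settings["nameIdentifierFormat"]:
        errors.append("unexpected NameID format")
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is None or ctx.text != settings["authnContextClassRef"]:
        errors.append("unexpected AuthnContextClassRef")
    return errors

# Constructed sample values; CONNECTION_ID_PLACEHOLDER stands for your SAML2 connection ID.
ACS = "https://core.authing.cn/v2/api/connection/saml/CONNECTION_ID_PLACEHOLDER/acs"
AUDIENCE = "https://sp.example.invalid/metadata"

# Constructed sample Response; the ds:Signature element is a stand-in, not a real signature.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  Destination="{ACS}" InResponseTo="_req1">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature><ds:SignatureValue>stand-in</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{IDP_SETTINGS['nameIdentifierFormat']}">alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS}" InResponseTo="_req1"
          NotOnOrAfter="2024-01-01T13:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{IDP_SETTINGS['authnContextClassRef']}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, ACS, AUDIENCE, "_req1", "2024-01-01T12:30:00Z"))  # []
```

Passing `{**IDP_SETTINGS, "signResponse": True}` to `validate_response` makes the same sample fail the signature-location check, which is the practical consequence of that flag: the SP must look for the signature on whichever element the IdP was configured to sign, and reject the message when it is missing there.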

# Test connection

In the browser address bar, enter https://[application domain name].authing.cn. To find the application domain name, go to Control Panel > Application > Application List, find the application you just created, click "Configuration", and look on the application details page.

Find application domain name

After the page loads, the SAML2 identity federation connection appears among the login methods.

SAML2 Identity Federation Connection

Click this button; a login box pops up for logging in at the IdP. Since the SAML2 IdP is also Authing, the two login boxes look similar.

Log in through the pop-up window.

Log in at SAML2 IdP

After login succeeds, the browser is redirected to the callback address configured in the application details, and the authorization code is returned in the `code` query parameter of the URL. You can use the code to get the user information. For details, please refer to.

Login Successful