# Enable the SAML Identity Provider function for an application

# Register an Authing account and create a new application

To use SAML2 IdP on the Authing cloud, you need to register an Authing account and create an application.

# Create an application

In Control Panel > Apps > App List, click the "Create App" button on the right.

Create application

In the drawer that opens on the right, enter the application information. The application name, callback link, and authentication address can be filled in at will; the rest of the configuration can keep its defaults. Click "Create".

Enter application information

# Enable SAML2 Identity Provider function

Find the application you just created and click "Configuration".

Enter application configuration

Click the "Configure SAML2 Identity Provider" tab, and then click the "Enable SAML2 Provider" slider to enable SAML IdP.

Enable SAML2 Provider

# Configure SAML2 Identity Provider

Default ACS address: By default, the SAML2 Identity Provider sends the SAML Response to the consumer address specified in the SAML Request, that is, back to where the request came from. You can go back to the Access SAML chapter and check the SAML Request, paying attention to the AssertionConsumerServiceURL; Authing sends SAML identity assertions to this address by default. If the consumer address is not specified in the SAML Request, Authing sends the SAML Response to the address filled in here. You can get this address from the SP and fill it in here. If you can't find it at the SP, you may fill in one at random, but some SPs do not specify the consumer address in the SAML Request. In this case, the correct address must be filled in.
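
The rule above, as an added example (not Authing's code): decode a `SAMLRequest` value, read its `AssertionConsumerServiceURL`, and fall back to the default ACS address when the SP omitted it. The function names, the `sp.example.com` URLs and the sample requests are constructed for illustration; the example also handles the base64-only HTTP-POST encoding in addition to the deflated HTTP-Redirect one.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

AUTHN_REQUEST = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"

def decode_saml_request(b64_value):
    """Return the AuthnRequest XML carried in a SAMLRequest parameter."""
    raw = base64.b64decode(b64_value)
    if raw.startswith(b"<"):                          # HTTP-POST: base64 only
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # HTTP-Redirect: raw DEFLATE

def requested_acs(xml_text):
    """AssertionConsumerServiceURL of the request, or None if the SP omitted it."""
    # ElementTree is fine for this constructed input; parse untrusted XML
    # with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != AUTHN_REQUEST:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("AssertionConsumerServiceURL") or None

def response_target(b64_value, default_acs):
    """Address the SAML Response is sent to under the rule described above."""
    return requested_acs(decode_saml_request(b64_value)) or default_acs

def make_request(acs_url=None, deflate=True):
    """Build a constructed AuthnRequest (sample data, not a captured message)."""
    acs = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    xml_text = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                f'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{acs}/>')
    data = xml_text.encode("utf-8")
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")

DEFAULT_ACS = "https://sp.example.com/saml/default-acs"   # assumed fallback value

if __name__ == "__main__":
    samples = [("ACS in request", make_request("https://sp.example.com/saml/acs")),
               ("no ACS in request", make_request()),
               ("POST encoding", make_request("https://sp.example.com/saml/acs", deflate=False))]
    for label, req in samples:
        print(label, "->", response_target(req, DEFAULT_ACS))
```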

Settings: Advanced configuration of the SAML2 Identity Provider. Fill in an object in JSON format with the following keys:

| key | type | description | default value |
| --- | --- | --- | --- |
| samlRequestSigningCert | string | Certificate used to verify the signature of the SAML Request; you can get the certificate content from the SP. After this field is filled in, the SAML Request is considered signed and its signature is checked for validity. If the SP does not sign the request, the SAML Request is rejected and authentication fails. | - |
| nameIdentifierFormat | string | The unique identifier format in the SAML Response. | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| lifetimeInSeconds | number | The expiration time of the SAML identity assertion, in seconds. | 3600 |
| authnContextClassRef | string | SAML authentication context. | urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified |
| signatureAlgorithm | string | SAML assertion signature algorithm. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 |
| mappings | object | Attribute mapping dictionary. Fields in the Authing user information are mapped to attributes in the SAML identity assertion: the key on the left is the user information field in Authing, and the value on the right is the name of the attribute in the SAML identity assertion. | No field mapping by default |
| destination | string | Destination in the SAML Response. | The AssertionConsumerServiceURL in the SAML Request; if it does not exist, the configured default ACS address |
| recipient | string | Recipient in the SAML Response. | The AssertionConsumerServiceURL in the SAML Request; if it does not exist, the configured default ACS address |
| audience | string | Audience in the SAML Response. | The AssertionConsumerServiceURL in the SAML Request; if it does not exist, the configured default ACS address |
| emailDomainSubstitution | string | Email domain replacement. The email domain of the identity in the SAML assertion is replaced with the content filled in here; some SPs require the email domain in the identity assertion to be a specific value. If you fill in this field, user pool registration must be prohibited, otherwise there is a risk of account fraud. | - |


```json
{
  "audience": null,
  "recipient": "https://signin.aliyun.com/saml/SSO",
  "destination": "https://signin.aliyun.com/saml/SSO",
  "mappings": {
    "email": "Email",
    "username": "UserName"
  },
  "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
  "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "lifetimeInSeconds": 3600,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "emailDomainSubstitution": "authing.onaliyun.com"
}
```
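
A review script for a Settings object, added here as an illustration (not part of Authing): it parses the JSON and flags the points the key table calls out, plus SHA-1 based algorithms where the table's default is rsa-sha256. `review_settings` and `registration_open` are hypothetical names, the caller must supply whether user pool registration is open, and the sample is the settings object above with two keys trimmed.

```python
import json

SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}

# The settings object shown above (trimmed), embedded so the example runs offline.
PAGE_SETTINGS = """{
  "audience": null,
  "recipient": "https://signin.aliyun.com/saml/SSO",
  "destination": "https://signin.aliyun.com/saml/SSO",
  "mappings": {"email": "Email", "username": "UserName"},
  "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
  "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "lifetimeInSeconds": 3600,
  "emailDomainSubstitution": "authing.onaliyun.com"
}"""

def review_settings(settings_json, registration_open):
    """Return (key, note) findings for a Settings JSON string."""
    settings = json.loads(settings_json)          # raises on malformed JSON
    if not isinstance(settings, dict):
        raise ValueError("Settings must be a JSON object")
    findings = []
    for key in ("signatureAlgorithm", "digestAlgorithm"):
        if settings.get(key) in SHA1_URIS:
            findings.append((key, "SHA-1 based; prefer a SHA-256 URI if the SP accepts it"))
    if not settings.get("samlRequestSigningCert"):
        findings.append(("samlRequestSigningCert",
                         "not set: the signed-request check from the table is not enabled"))
    if settings.get("emailDomainSubstitution") and registration_open:
        findings.append(("emailDomainSubstitution",
                         "set while user pool registration is open"))
    for key in ("audience", "recipient", "destination"):
        if settings.get(key) is None:
            findings.append((key, "unset: taken from the request's ACS URL, "
                                  "else the default ACS address"))
    lifetime = settings.get("lifetimeInSeconds", 3600)
    if isinstance(lifetime, bool) or not isinstance(lifetime, (int, float)) or lifetime <= 0:
        findings.append(("lifetimeInSeconds", "must be a positive number of seconds"))
    return findings

if __name__ == "__main__":
    for key, note in review_settings(PAGE_SETTINGS, registration_open=True):
        print(f"{key}: {note}")
```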

Custom SAML Response Properties: You can add custom attributes to the SAML identity assertion. The newly added attributes appear as Attribute elements in the SAML identity assertion.



Configure custom SAML Response attributes

The above configuration will add the following attributes to the SAML identity assertion:

```xml
<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qcs::cam::uin/2165337796:roleName/authing,qcs::cam::uin/2165337796:saml-provider/authing</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test</saml:AttributeValue>
</saml:Attribute>
```

You can also read fields dynamically from the Authing user information. For example, type the following in the rightmost text box of a row: `My email is ${user.email} and my gender is ${user.gender}`.

Dynamically read user information fields

This content will add the following attributes to the SAML identity assertion:

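```xml
<saml:Attribute Name="CustomName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">My email is yezuwei@authing.cn and my gender is M</saml:AttributeValue>
</saml:Attribute>
```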