¶ Become SAML2 Identity Source

This article introduces how to enable Authing as SAML2 identity provider, provide assertion to other service providers. Authing can be integrated with third-party applications through the SAML2 protocol You can understand the SAML2 protocol in depth here.

¶ Create an Application

For your application to have identity authentication capabilities, you need to create an application in Authing. It is recommended to fill in the name of your actual application project. In Console > Applications > Application List, click “Create Application”.

Fill in the application name, for example, Web Note Project, feel free to fill in an authentication address. Finally, click “Create”.

¶ Configure SAML2 Identity Provider

To use your organization and users for SAML2 authentication, you need to enable and configure the application's SAML2 identity provider. Find your application and go to the "Enable Identity Provider" tab.

In the "SAML2 Identity Provider" card, turn on the Enable SAML2 Provider switch and fill in the default ACS address and settings information. Then click “Save”. The specific ACS address will be provided by the SAML SP, and the specific setting items need to be configured according to the requirements of the SAML SP.

Default ACS address: By default, SAML2 Identity Provider will send the SAML Response to the consumer address specified in the SAML Request (go back where it comes from, by default, Authing will send the SAML assertion to the address specified by the AssertionConsumerServiceURL parameter in the SAML Request). If the consumer address is not specified in the SAML Request, Authing will send the SAML Response to the address filled in here. You can get this address from SP and fill it in here. If you can't find it at the SP, you can fill in one arbitrarily, but some SPs will not specify the consumer address in the SAML Request. In this case, the correct address must be filled in here.

Settings: Advanced configuration of SAML2 Identity Provider, you need to fill in an object in JSON format, including the following:

Example：

{
  "audience": null,
  "recipient": "https://signin.aliyun.com/saml/SSO",
  "destination": "https://signin.aliyun.com/saml/SSO",
  "mappings": {
    "email": "Email",
    "username": "UserName"
  },
  "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1",
  "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
  "lifetimeInSeconds": 3600,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "samlRequestSigningCert": "-----BEGIN CERTIFICATE-----\nMIICyDCCAjGgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCdXMx\nDTALBgNVBAgMBGFzZGYxDTALBgNVBAoMBGFzZGYxGDAWBgNVBAMMD2lkcDMuYXV0\naGluZy5jbjENMAsGA1UEBwwEYXNkZjENMAsGA1UECwwEYXNkZjEbMBkGCSqGSIb3\nDQEJARYMYXNkZkAxMjMuY29tMB4XDTE5MDUyNTA1NTgwMFoXDTIwMDUyNDA1NTgw\nMFowgYAxCzAJBgNVBAYTAnVzMQ0wCwYDVQQIDARhc2RmMQ0wCwYDVQQKDARhc2Rm\nMRgwFgYDVQQDDA9pZHAzLmF1dGhpbmcuY24xDTALBgNVBAcMBGFzZGYxDTALBgNV\nBAsMBGFzZGYxGzAZBgkqhkiG9w0BCQEWDGFzZGZAMTIzLmNvbTCBnzANBgkqhkiG\n9w0BAQEFAAOBjQAwgYkCgYEA2gggFHKUYkoEp83BfGgVjBiev+MIBm+AOuKVqIAX\naJDa1NHL+ApBWsfbKNoPPMy8sZdCBrDm6w5cx9cBjw4uBUap3elxr+MiFoCCc2Eg\nJundFhBVXkU6TafLzfoW4w6/yonmQ798nBKQrTmdc76tpT9xCwU2AmS5ooScQ9Xu\nNn0CAwEAAaNQME4wHQYDVR0OBBYEFMDHVJxYcOlCxnnRi1Lx4tj7gWKNMB8GA1Ud\nIwQYMBaAFMDHVJxYcOlCxnnRi1Lx4tj7gWKNMAwGA1UdEwQFMAMBAf8wDQYJKoZI\nhvcNAQEFBQADgYEAvDodW/ewvCEadY4PCFaBT0ZqoEvrb96hOrbP2hZV4lkCMbLq\noPWASgGTNr9TPnxGCvP9xOv77wzgLs7EAOI+ea1D+NIjUuKnjCLLBv034vMp8bRI\n/Ea9AsGqVCr8tK/3dPoJMxHIjs2cpqNdDcalCZkwBZ1Z0c0YtKIVDFnym5U=\n-----END CERTIFICATE-----",
  "emailDomainSubstitution": "authing.onaliyun.com"
}

Custom SAML Response Attribute: You can add some custom attributes to the SAML assertion, and the newly added attributes will appear in the Attribute of the SAML assertion.

Example:

The above configuration will add the following attributes to the SAML identity assertion

<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">qcs::cam::uin/2165337796:roleName/authing,qcs::cam::uin/2165337796:saml-provider/authing
  </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="https://cloud.tencent.com/SAML/Attributes/RoleSessionName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Test
  </saml:AttributeValue>
</saml:Attribute>

You can also dynamically read the fields from Authing user information, and type in the rightmost text box in a row: My email is ${user.email} and my gender is ${user.gender}.

The content of this article will add the following attributes to the SAML assertion:

<saml:Attribute Name="CustomName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">My email is yezuwei@authing.cn and my gender is M
  </saml:AttributeValue>
</saml:Attribute>

¶ Integration with applications

Authing has already integrated SAML2 with Alibaba Cloud, Tencent Cloud, Huawei Cloud, AWS, and Kibana (AWS). Check the corresponding configuration documents for detailed steps.

¶ Log in Alibaba Cloud Console (China)

Please check the integrated documentation.

¶ Log in Alibaba Cloud Console (International)

Please check the integrated documentation.

¶ Log in Tencent Cloud Console

Please check the integrated documentation.

¶ Log in AWS Console (China)

Please check the integrated documentation.

¶ Log in Huawei Cloud Console (China)

Please check the integrated documentation.

¶ Log in Kibana Console (AWS China)

Please check the integrated documentation.