Inbound-Saml acts a single SP Proxy in inbound identity.
You can add a trusted IDP posting directly to Persistence API or by using the module's feature (recommended) to add a TR directly from an IDP's metadata URL by sending a POST
request to inbound-saml/trust-relation-metadata
following this OpenAPI specification.
Inbound-Saml sp/authenticate
endpoint expects to receive a call with providerHost
parameter. In Gluu Server 4 (<= 4.4.1
) this is usually done by the interception script, because a pre-auth session needs to be established by Gluu Server. The default interception script expects to receive a Base64 URL Safe Encoded object in the following format:
{
"providerHost": "idp.mycustomer.org"
}
After encoding this object, this object should be passed to gluu-server (OxAuth) authorization endpoint, with the proper acr_values
(i.e. inbound_saml
).
The interception script establishes pre-auth session, decodes the providerHost
query parameter, and calls (redirects to) Inbound Saml /sp/authenticate
endpoint with the expected providerHost
parameter to continue the flow.
An example of the authorization request would be as follows:
GET https://<hostname>/oxauth/restv1/authorize?response_type=code&client_id=<client id>&redirect_uri=<callback uri>&scope=openid+profile+email+profile&state=<state>&acr_values=inbound_saml&providerHost=eyAicHJvdmlkZXJIb3N0IiA6ICJzYW1sdGVzdC5pZCIgfQ%3D%3D&nonce=YPsYOvGgipNq3tBc02Ow
Please check detailed flow example using an external RP and HTTP-POST
binding: