...
Once you have configured your Identity Provider to accept SAML authentication requests from Ubisecure SSO Server, the IDP Proxy method has been set up.
Sending AssertionConsumerServiceURL in the Authentication Message
Ubisecure SSO can send the AssertionConsumerServiceURL of the assertion consumer service associated with the IDP proxy authentication method. This feature can be turned on with the compatibility flag 'SendAssertionConsumerServiceURL'.
ExplicitUnspecifiedAuthnContextClassRef
Forces the value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified into AuthnContextClassRef in an outbound SAML2 Authentication Response. This applies regardless of what was received in an inbound SAML2 Authentication Response. It improves compatibility with third-party applications and third-party identity providers that send different values than expected.
In all cases, negotiation between connected parties for agreed values for AuthnContextClassRef should be the first approach.
Compatibility Flags
There are various compatibility flags that can be used with SAML2 Authentication Methods.
Figure 2. SAML authentication method with SendAssertionConsumerServiceURL feature enabled
SendAssertionConsumerServiceURL
Forces sending AssertionConsumerServiceURL. Some services require this optional element.
FinnishTrustNetwork
Forces sending the Finnish Trust Network SAML 2.0 Protocol Profile version 1.0 compliant SAML2 Extension ftn.
Note that only the information listed below is included in the element:
- UI locale of the login page
An example of the included Extensions element is shown below.
SAML2 Extension for FTN
<samlp:Extensions>
  <ftn>
    <lg>fi</lg>
  </ftn>
</samlp:Extensions>
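What the SendAssertionConsumerServiceURL and FinnishTrustNetwork flags put on the wire, as an added example that is not from the Ubisecure documentation: the Python code below parses a constructed AuthnRequest carrying both and applies the check a receiving identity provider should make, matching AssertionConsumerServiceURL exactly against the requester's registered endpoints. The host names, entity ID, endpoint path and registry are assumptions, and the ftn element is left without a namespace because the page does not show one.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample request (hypothetical host, entity ID and ACS path).
# The ftn element has no namespace here because the page does not show one.
SAMPLE_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sso.example.com/uas/saml2/acs">
  <saml:Issuer>https://sso.example.com/uas</saml:Issuer>
  <samlp:Extensions><ftn><lg>fi</lg></ftn></samlp:Extensions>
</samlp:AuthnRequest>"""

# Hypothetical registry: ACS endpoints taken from each requester's trusted metadata.
REGISTERED_ACS = {
    "https://sso.example.com/uas": {"https://sso.example.com/uas/saml2/acs"},
}


def inspect_authn_request(xml_text, registered=REGISTERED_ACS):
    """Return issuer, ACS URL, FTN UI locale and whether the ACS URL is registered."""
    # ElementTree is enough for this constructed input; parse untrusted
    # requests with a hardened parser (for example defusedxml).
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML2 AuthnRequest")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    acs = root.get("AssertionConsumerServiceURL")  # optional attribute
    lg = root.findtext(f"{{{SAMLP}}}Extensions/ftn/lg")  # UI locale of the login page
    # Exact match against registered endpoints only; looser matching would
    # accept an endpoint the requester never registered.
    known = issuer in registered
    acs_ok = known and (acs is None or acs in registered[issuer])
    return {"issuer": issuer, "acs_url": acs, "ui_locale": lg, "acs_registered": acs_ok}


if __name__ == "__main__":
    print(inspect_authn_request(SAMPLE_REQUEST))
```

When the attribute is absent the result is still accepted for a known issuer, since the identity provider then falls back to the endpoint in that issuer's metadata.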