Authgear as SAML Identity Provider (IDP)

[fungc-io]

Problem

To enable the enterprise client to store the users in Authgear and use it to implement IdP-initiated SSO for custom applications or existing applications.

When an enterprise uses Authgear as their SAML IDP, they can use Authgear to easily manage their users, customize the login experience, and adopt advanced security measures such as 2FA.

Appetite

6 weeks

Solution

Server support

• To configure Authgear as SAML 2.0 IDP
  • Support using email or user id as “Name ID”
  • SAML Bindings:
    • HTTP Redirect and HTTP POST
  • Metadata should include:
    • Name ID format
    • Certification
    • Entity
    • Bindings
  • SAML Assertion
    • User attributes
    • Method of authn
  • Single Logout

Configuration in Authgear Portal

• To create applications on Authgear that uses SAML instead of OIDC for authentication
  • Enter ACS URL
  • Copy the IDP metadata URL or download IDP metadata XML
  • Configure attribute mappings
    • emailAddress
    • userId
    • usually supported by SP:
      • firstName
      • lastName
      • profilePicture

Success definition

Based on the “Problem” statement, define how we know if the feature is successful using event tracking.

Event definition: Event name, Action that triggered the event, Which page the user will perform this action, Event properties

Rabbit holes

Details about the solution worth calling out to avoid problems

No-goes

Functionality or use cases we intentionally aren’t covering to fit the appetite

Reference

• Tool to test SAML assertion: https://samltool.io/
• Browser extension - SAML Tracer: https://chromewebstore.google.com/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch
• Example of a metadata.xml

  
    
      
        
          ...
        
      
    
    
    
    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    urn:oasis:names:tc:SAML:2.0:nameid-format:transient