SAML login with social identity provider
Onegini IDP can log a user in with a social identity provider when the service provider requests a specific authentication context, e.g. urn:com:onegini:saml:idp:facebook.
The authentication context has the same format for all identity providers, urn:com:onegini:saml:idp:<idp-type>; only the last part (idp-type) differs.
The following identity providers are supported, with a few exceptions (described below):

| Name | Identifier |
|---|---|
| SAML | saml |
| LDAP | ldap |
A response with the status NoAuthnContext (no authentication context) is returned if an unsupported idp authentication context is passed or the requested identity provider is disabled.
Authentication context exceptions
The SAML specification has built-in authentication context classes for password and kerberos. For these two you can use either the custom context (urn:com:onegini:saml:idp:<idp-type>) or the standard one (urn:oasis:names:tc:SAML:2.0:ac:classes:Password and urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos respectively).
Example SAML authentication request to log in with facebook:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://serviceprovider/saml/SSO"
                     Destination="http://idp.dev.onegini.me/saml/single-sign-on" ForceAuthn="false"
                     ID="aggbe3b490a74eb5baifcj4c1455d4" IsPassive="false" IssueInstant="2017-05-24T08:02:36.414Z"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">service:provider:entity:id</saml2:Issuer>
  <saml2p:RequestedAuthnContext Comparison="exact">
    <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:facebook</saml2:AuthnContextClassRef>
  </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
```
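The following added example (not Onegini's code) builds an AuthnRequest for a given idp-type on the service-provider side and shows how an identity provider could map the received AuthnContextClassRef back to an idp-type, accepting the standard Password/Kerberos class refs as aliases and answering with the NoAuthnContext status for an unknown URN or a disabled provider. The set of enabled idp-types and the handling of a request without any RequestedAuthnContext are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ONEGINI_PREFIX = "urn:com:onegini:saml:idp:"
# Built-in SAML class refs that may be used instead of the custom form.
STANDARD_ALIASES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": "password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos": "kerberos",
}
# Standard SAML 2.0 second-level status code for an unsatisfiable context.
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

ET.register_namespace("saml2p", NS_P)
ET.register_namespace("saml2", NS_A)

def build_authn_request(idp_type, issuer, acs_url, destination, request_id, issue_instant):
    """Service-provider side: AuthnRequest asking for exactly one idp-type."""
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": destination, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "false", "IsPassive": "false",
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{NS_P}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = ONEGINI_PREFIX + idp_type
    return ET.tostring(req, encoding="unicode")

def idp_type_from_class_ref(class_ref):
    """Map a class ref to an idp-type; None means the URN is not recognised."""
    class_ref = class_ref.strip()
    if class_ref in STANDARD_ALIASES:
        return STANDARD_ALIASES[class_ref]
    if class_ref.startswith(ONEGINI_PREFIX) and len(class_ref) > len(ONEGINI_PREFIX):
        return class_ref[len(ONEGINI_PREFIX):]
    return None

def resolve_idp(authn_request_xml, enabled_idp_types):
    """IdP side: ('ok', idp_type) or ('error', NO_AUTHN_CONTEXT)."""
    # enabled_idp_types is the assumed set of currently enabled idp-types.
    root = ET.fromstring(authn_request_xml)
    ref = root.find(f"{{{NS_P}}}RequestedAuthnContext/{{{NS_A}}}AuthnContextClassRef")
    if ref is None or not ref.text:
        return ("ok", None)  # assumed: no particular IdP was requested
    idp_type = idp_type_from_class_ref(ref.text)
    if idp_type is None or idp_type not in enabled_idp_types:
        return ("error", NO_AUTHN_CONTEXT)  # unsupported or disabled provider
    return ("ok", idp_type)
```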