SAML login with social identity provider

Onegini IDP can log a user in through a social identity provider when the service provider requests a specific authentication context, e.g. urn:com:onegini:saml:idp:facebook. The authentication context has the same format for every identity provider, urn:com:onegini:saml:idp:<idp-type>; only the last part (idp-type) differs.

We support identity providers with a few exceptions:

Name   Identifier
SAML   saml
LDAP   ldap

A response with the NoAuthnContext status (no authentication context) is returned if an unsupported idp authentication context is passed or the identity provider is disabled.

Authentication context exceptions

The SAML specification has built-in authentication context classes for password and Kerberos. For these two you can use either the custom context (urn:com:onegini:saml:idp:<idp-type>) or the standard one (urn:oasis:names:tc:SAML:2.0:ac:classes:Password and urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos).

Example SAML authentication request to log in with Facebook:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://serviceprovider/saml/SSO"
    Destination="http://idp.dev.onegini.me/saml/single-sign-on" ForceAuthn="false"
    ID="aggbe3b490a74eb5baifcj4c1455d4" IsPassive="false" IssueInstant="2017-05-24T08:02:36.414Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">service:provider:entity:id</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:com:onegini:saml:idp:facebook</saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>
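As an added example (not Onegini's own code), the Python helper below builds the request above for any idp-type, applies the password/Kerberos exception when the standard class is preferred, and walks the StatusCode chain of a response so a service provider can detect the NoAuthnContext rejection. The sample response is constructed for the example; request_id and issue_instant are supplied by the caller.

```python
import xml.etree.ElementTree as ET
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", NS_P)
ET.register_namespace("saml2", NS_A)
# The two idp-types for which the SAML spec already defines standard classes.
STANDARD_CLASSES = {"password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
                    "kerberos": "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"}
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

def authn_context_for(idp_type, prefer_standard=False):
    # Custom Onegini context by default; the standard class only where one exists and is asked for.
    idp_type = idp_type.lower()
    if prefer_standard and idp_type in STANDARD_CLASSES:
        return STANDARD_CLASSES[idp_type]
    return f"urn:com:onegini:saml:idp:{idp_type}"

def build_authn_request(idp_type, sp_entity_id, acs_url, destination, request_id,
                        issue_instant, prefer_standard=False):
    # request_id must be an NCName (start it with "_"); generate it randomly per request.
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "AssertionConsumerServiceURL": acs_url, "Destination": destination,
        "ForceAuthn": "false", "IsPassive": "false", "ID": request_id,
        "IssueInstant": issue_instant, "Version": "2.0",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = sp_entity_id
    # Comparison="exact": the IdP must use precisely this context, not a "stronger" one.
    rac = ET.SubElement(req, f"{{{NS_P}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef").text = authn_context_for(idp_type, prefer_standard)
    return ET.tostring(req, encoding="unicode")

def response_status_codes(response_xml):
    # Collect the nested StatusCode values of a Response, outermost first.
    node = ET.fromstring(response_xml).find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
    codes = []
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find(f"{{{NS_P}}}StatusCode")
    return codes

# Constructed sample of the failure response the page describes (not captured from Onegini).
SAMPLE_NO_CONTEXT_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed" Version="2.0">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/>
    </saml2p:StatusCode>
  </saml2p:Status>
</saml2p:Response>"""
```

A service provider that receives NoAuthnContext should treat it as a configuration problem (wrong idp-type or disabled identity provider) rather than retrying with a different context on the user's behalf.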