diff --git a/topics/clients/client-saml.adoc b/topics/clients/client-saml.adoc index 8b8087179b..7d9adbdc24 100644 --- a/topics/clients/client-saml.adoc +++ b/topics/clients/client-saml.adoc @@ -77,6 +77,14 @@ Sign Assertions:: Signature Algorithm:: Choose between a variety of algorithms for signing SAML documents. +SAML Signature Key Name:: + Signed SAML documents sent via POST binding contain identification of signing key in `KeyName` + element. This by default contains {{book.project.name}} key ID. However various vendors might + expect a different key name or no key name at all. This switch controls whether `KeyName` + contains key ID (option `KEY_ID`), subject from certificate corresponding to the realm key + (option `CERT_SUBJECT` - expected for instance by Microsoft Active Directory Federation + Services), or that the key name hint is completely omitted from the SAML message (option `NONE`). + Canonicalization Method:: Canonicalization method for XML signatures. diff --git a/topics/identity-broker/saml.adoc b/topics/identity-broker/saml.adoc index 360b4eb03f..36a525530c 100644 --- a/topics/identity-broker/saml.adoc +++ b/topics/identity-broker/saml.adoc 
@@ -42,6 +42,14 @@ You must define the SAML configuration options as well. They basically describe |Signature Algorithm |If `Want AuthnRequests Signed` is on, then you can also pick the signature algorithm to use. +|SAML Signature Key Name +|Signed SAML documents sent via POST binding contain identification of signing key in `KeyName` + element. This by default contains {{book.project.name}} key ID. However various external SAML IDPs might + expect a different key name or no key name at all. This switch controls whether `KeyName` + contains key ID (option `KEY_ID`), subject from certificate corresponding to the realm key + (option `CERT_SUBJECT` - expected for instance by Microsoft Active Directory Federation + Services), or that the key name hint is completely omitted from the SAML message (option `NONE`). + |Force Authentication |Indicates that the user will be forced to enter in their credentials at the external IDP even if they are already logged in.
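Review bot: the new `SAML Signature Key Name` description in client-saml.adoc never names which option is the default and packs all three options into one dense sentence; say that `KEY_ID` is the default where it is introduced and break the options out, e.g. `* `KEY_ID` (default): the {{book.project.name}} key ID.`, `* `CERT_SUBJECT`: the subject of the certificate for the realm key, expected for instance by Microsoft Active Directory Federation Services.`, `* `NONE`: no `KeyName` element is emitted.` Since the first sentence ties `KeyName` to the POST binding, state explicitly that the switch only affects documents sent with that binding, and add that with `NONE` the recipient gets no key hint from the message at all and must identify the signing key by other means, so it should be chosen only when the peer is known to cope with that. Minor grammar: "identification of signing key" needs articles ("the identification of the signing key"), and "However various vendors" needs a comma after "However".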
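Review bot: the identity-broker/saml.adoc table cell repeats the client-saml.adoc paragraph almost word for word, differing only in "vendors" versus "various external SAML IDPs", so the two are bound to drift; either move the shared text into an included snippet or at least apply the same grammar fixes in both places (articles around "identification of signing key", comma after "However"). In the broker context the cell should also make clear that the setting applies to the signed documents {{book.project.name}} sends to the external IDP (the row above ties signing to `Want AuthnRequests Signed`), so a reader does not mistake it for a check on the IDP's own signature, and it should present `KEY_ID`, `CERT_SUBJECT` and `NONE` the same way as the client page does, with `KEY_ID` marked as the default.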