keycloak-scim/docs/guides/securing-apps/partials/saml/idp_element.adoc
rmartinc ccab30d5f2 Move saml documentation to guides
Closes #31330

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-24 11:50:24 +02:00

37 lines
1.9 KiB
Text

== IDP Element
Everything in the IDP element describes the settings for the identity provider (authentication server) the SP is communicating with.
[source,xml]
----
<IDP entityID="idp"
signaturesRequired="true"
signatureAlgorithm="RSA_SHA1"
signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
...
</IDP>
----
Here are the attribute config options you can specify within the `IDP` element declaration.
entityID::
This is the issuer ID of the IDP. This setting is _REQUIRED_.
signaturesRequired::
If set to `true`, the client adapter will sign every document it sends to the IDP.
Also, the client will expect that the IDP will be signing any documents sent to it.
This switch sets the default for all request and response types, but you will see later that you have some fine grain control over this.
This setting is _OPTIONAL_ and will default to `false`.
signatureAlgorithm::
This is the signature algorithm that the IDP expects signed documents to use.
Allowed values are: `RSA_SHA1`, `RSA_SHA256`, `RSA_SHA512`, and `DSA_SHA1`.
This setting is _OPTIONAL_
and defaults to `RSA_SHA256`. Note that `SHA1` based algorithms are deprecated and can be removed in the future.
We recommend the use of some more secure algorithm instead of `*_SHA1`. Also, with `*_SHA1` algorithms, verifying signatures
do not work if the SAML server (usually {project_name}) runs on Java 17 or higher.
signatureCanonicalizationMethod::
This is the signature canonicalization method that the IDP expects signed documents to use. This setting is _OPTIONAL_.
The default value is `\http://www.w3.org/2001/10/xml-exc-c14n#` and should be good for most IDPs.
metadataUrl::
The URL used to retrieve the IDP metadata, currently this is only used to pick up signing and encryption keys periodically which allow cycling of these keys on the IDP without manual changes on the SP side.