keycloak-scim/docs/guides/securing-apps/partials/saml/idp_singlesignonservice_subelement.adoc
rmartinc ccab30d5f2 Move saml documentation to guides
Closes #31330

Signed-off-by: rmartinc <rmartinc@redhat.com>
2024-07-24 11:50:24 +02:00

47 lines
2 KiB
Text

[[_sp-idp-singlesignonservice]]
== IDP SingleSignOnService sub element
The `SingleSignOnService` sub element defines the login SAML endpoint of the IDP.
The client adapter will send requests
to the IDP formatted via the settings within this element when it wants to log in.
[source,xml]
----
<SingleSignOnService signRequest="true"
validateResponseSignature="true"
requestBinding="post"
bindingUrl="url"/>
----
Here are the config attributes you can define on this element:
signRequest::
Should the client sign authn requests? This setting is _OPTIONAL_.
Defaults to whatever the IDP `signaturesRequired` element value is.
validateResponseSignature::
Should the client expect the IDP to sign the assertion response document sent back from an authn request?
This setting _OPTIONAL_. Defaults to whatever the IDP `signaturesRequired` element value is.
requestBinding::
This is the SAML binding type used for communicating with the IDP. This setting is _OPTIONAL_.
The default value is `POST`, but you can set it to `REDIRECT` as well.
responseBinding::
SAML allows the client to request what binding type it wants authn responses to use.
The values of this can be `POST` or `REDIRECT`. This setting is _OPTIONAL_.
The default is that the client will not request a specific binding type for responses.
assertionConsumerServiceUrl::
URL of the assertion consumer service (ACS) where the IDP login service should send responses to.
This setting is _OPTIONAL_. By default it is unset, relying on the configuration in the IdP.
When set, it must end in `/saml`, for example `\http://sp.domain.com/my/endpoint/for/saml`. The value
of this property is sent in `AssertionConsumerServiceURL` attribute of SAML `AuthnRequest` message.
This property is typically accompanied by the `responseBinding` attribute.
bindingUrl::
This is the URL for the IDP login service that the client will send requests to. This setting is _REQUIRED_.