The configuration to make Authentic 2 a SAML2 service provider or a SAML2 proxy is the same. The difference comes from that Authentic 2 is may be configured or not as a SAML2 identity provider.
Go to http[s]://your.domain.com/authsaml2/metadata
You first need to create a SAML2 identity provider entry with the SAML2 metadata of the identity provider. Then, you configure it.
If your identity provider is Authentic 2, the metadata are available at:
See Where do I find the Authentic 2 SAML2 metadata? for more information.
You first need to create a new SAML2 identity provider entry. This requires the SAML2 metadata of the identity provider.
Fill the form fields
The identity provider must be enabled.
See below about configuring the identity provider with policies:
The SAML2 options of the identity provider are configured using idp options policies. For the explanation of the options see the following section.
See the administration with policy principle page How global policies are used in Authentic 2 administration.
You may create a regular policy and configure your service provider to use it.
Configure your policy and save:
Apply the policy to the identity provider:
Example with a policy ‘Default’:
Example with a policy ‘All’:
If no policy is found for the configuration of the SAML2 options of an identity provider, the following error is displayed to the users when a SSO request is initiated.
This option applies when an assertion with a persistent nameID is received and the nameID is not recognized as an existing federation.
Two values are possible: “Create new account” and “Account linking by authentication”.
The value “Create new account” makes Authentic 2 create a user account associated to the nameID received.
The value “Account linking by authentication” makes Authentic 2 ask the user to authenticate with an existing account to associate the nameID to this account.
This option applies when an assertion with a transient nameID is received and there isn’t a session opened for the user yet.
Two values are possible: “Open a session” and “Ask authentication”.
The value “Open a session” makes Authentic 2 open a session.
The value “Ask authentication” makes Authentic 2 ask for a user authentication, even when a valid assertion is received. That may have sense for instance if the SSO login is used only to receive signed attributes for users with existing accounts.
The Well-Known Location (WKL) means that the entity Id of the provider is a URL at which the provider metadata are hosted.
To refresh them, select the provider on the list of provider, then select in the menu ‘Update metadata’, then click on ‘Go’.
See the page explaining the use of the script sync-metadata How to create/import and delete in bulk SAML2 identity and service providers with the sync-metadata script?.