Federate IdP with SAML2 IdP
SAML2 (Security Assertion Markup Language 2.0) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider; it lets users sign in once and access multiple applications and services.
If you've developed applications using your own SAML2 Identity Provider (IdP), you can federate that IdP with the IdP (identity application) created in the SiX IDaaS & IAM tenancy for your new application. With authentication federation enabled, your application users log in with their existing SAML2 IdP credentials, while authorization is managed centrally through the IAM system in the SiX IDaaS & IAM console.
TIP
After federation, users of your IdP also get MFA and consent control over the sharing of their personal information. More at: Overview of Data Security & Privacy
TIP
Authentication federation means authentication delegation: when the Identity Provider (IdP) in the SiX IDaaS & IAM tenancy receives an authentication request, it delegates that request to your existing SAML2 IdP.
Steps to federate IdP with SAML2 IdP
1. Create a SiX IDaaS & IAM IdP (identity application) tenant
In the SiX IDaaS & IAM console, go to "Authentication -> Create Identity Application" to create an IdP (identity application) tenant, and set "Authentication Sources:" to "SAML2 authentication source (identity provider)".
2. Set the identity application's "SAML2 client" parameters
In the identity application you just created, fill in the "SAML2 client" parameters with the values of your existing SAML2 IdP; the identity application acts as the SAML2 client (service provider) towards that IdP.
WARNING
Configure your existing SAML2 IdP with the "Assertion Consumer Service" (ACS) URL of the identity application: https://{appDomain}/sp/saml2/acs/{spIdentityId}, where {spIdentityId} is the ID of the identity application. The SAML2 IdP delivers its assertions to this URL, so a wrong value means the response never reaches the identity application.
Check that your SAML2 IdP is configured with exactly these parameters; any mismatch causes the federated login to fail.
3. Create an OAuth2 Client tenant and associate it with IdP tenant
Create an OAuth2 Client tenant in the SiX IDaaS & IAM console and associate it with the IdP (identity application) tenant.
4. Use the OAuth2 Client in your application
Configure your application with the OAuth2 Client tenant information and use it to initiate authentication. When authentication is triggered, SiX IDaaS & IAM handles the federation with your SAML2 IdP automatically.
TIP
Since the SiX IDaaS & IAM OAuth2 client also supports the SAML2 protocol, you can keep using your existing SAML2 client in your application; you only need to switch its connection parameters to SiX IDaaS & IAM. An example: SSO integration with Salesforce as SP
5. Your application gets the ID information and associates it with your local user ID
You can obtain the IdP tenant "openId" and the ID of the user at the federated SAML2 provider by parsing the JWT or by calling the /userinfo endpoint. Verify the token (signature, issuer, audience, expiry) before trusting any claim, and store the mapping from these identifiers to your local user ID.
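The following Python example, added here and not part of the SiX IDaaS & IAM product or this page's original content, shows the last step end to end: verifying the ID token (pinned algorithm, signature, issuer, audience, expiry) and then linking the "openId" to a local user record that is created on first login and reused afterwards. The issuer, audience, the claim name "federatedUserId" for the SAML2 IdP's user ID and the HS256 shared key are all assumptions made so the code runs offline; a real deployment verifies RS256 signatures against the IdP's published public keys and reads the claim names from its token documentation.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example; take the real ones from your OAuth2 Client tenant.
EXPECTED_ISSUER = "https://idp.example.com"      # assumption: issuer of the identity application
EXPECTED_AUDIENCE = "example-oauth2-client-id"   # assumption: your OAuth2 Client ID
# Constructed shared key so the example runs offline. Production tokens are verified
# against the IdP's public keys (RS256 via JWKS), not against a shared secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"
PINNED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_KEY, alg: str = PINNED_ALG) -> str:
    """Build a constructed JWT for the example (in reality the IdP issues it)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry before trusting any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature checks out.
    if header.get("alg") != PINNED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def check_token(token: str, now: int) -> str:
    """Return 'ok' or the rejection reason, which is what you would log on failure."""
    try:
        verify_id_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def new_user_store() -> dict:
    # 'links' maps (issuer, openId) -> local user id; 'users' holds our own user records.
    return {"links": {}, "users": {}}


def link_federated_identity(claims: dict, store: dict) -> str:
    """Map the identity application's user to a local user id, creating one on first login.

    'openId' is the identity application's user identifier named on this page; the claim
    carrying the federated SAML2 IdP's user id is assumed here to be 'federatedUserId'.
    The link key includes the issuer so equal openIds from different tenants never collide.
    """
    key = (claims["iss"], claims["openId"])
    local_id = store["links"].get(key)
    if local_id is None:
        local_id = f"local-{len(store['users']) + 1}"
        store["links"][key] = local_id
        store["users"][local_id] = {"openId": claims["openId"],
                                    "federatedUserId": claims.get("federatedUserId")}
    return local_id


if __name__ == "__main__":
    # Constructed sample claims; the real token comes from the OAuth2 flow.
    demo = make_demo_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": 1700000000,
                            "exp": 1700003600, "openId": "9f3c", "federatedUserId": "jdoe@corp.example"})
    claims = verify_id_token(demo, now=1700000100)
    store = new_user_store()
    print(link_federated_identity(claims, store), store["users"])
```

The same linking function can be fed the JSON returned by the /userinfo endpoint instead of the parsed JWT claims, provided the response carries the same identifiers; the token verification step is what you must not skip when you take the values from the JWT.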