Public Endpoints
This page describes the public endpoints of the OpenConext Engine and their uses.
Endpoint: /authentication/idp/metadata
This endpoint serves the SAML 2.0 Metadata of the OpenConext Engine Identity Provider (IdP). This metadata can be used by Service Providers (SPs) that want to use the Engine as their IdP. This URL is also the EntityID of this IdP.
Endpoint: /authentication/idp/metadata?sp-entity-id=https%3A%2F%2Fmysp.com%2FassertionConsume
This endpoint serves the same metadata. Specify the Entity ID of the SP in the query parameter 'sp-entity-id'. This endpoint is necessary if an SP uses a URL to refresh the Engine metadata. If an alternative signing certificate for the Engine is configured, this new certificate is published in the metadata alongside the current one, so once the SP has refreshed the metadata, users will still be able to log into the SP after the Engine switches to the new certificate.
Endpoint: /authentication/idp/single-sign-on
Supported binding: HTTP-Redirect & HTTP-POST
The single sign-on (SSO) endpoint supports receiving SAML AuthnRequests using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect (preferred) or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST SAML bindings.
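As an added example (not code from this page or from the OpenConext project), the following Python builds an AuthnRequest for the SSO endpoint and encodes it for both bindings described above, with the receiving side's decoding shown as a check. The Engine host, the SP's ACS URL and the inflated-size cap are assumptions; request signing is left out.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Assumed deployment values (not from the page): an Engine host and the SP's ACS URL.
ENGINE_SSO = "https://engine.example.org/authentication/idp/single-sign-on"
SP_ENTITY_ID = "https://mysp.com/assertionConsume"
SP_ACS_URL = "https://mysp.com/assertionConsume"

MAX_INFLATED = 64 * 1024  # assumed receiver-side cap on the inflated request size


def _attr(value):
    # Escape a value for use inside a double-quoted XML attribute.
    return escape(value, {'"': "&quot;"})


def build_authn_request(sp_entity_id, acs_url, destination, request_id=None, issue_instant=None):
    """Build a minimal unsigned AuthnRequest asking the IdP to POST its Response to acs_url."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{_attr(request_id)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{_attr(destination)}" AssertionConsumerServiceURL="{_attr(acs_url)}" '
        f'ProtocolBinding="{HTTP_POST}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml_doc, destination, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header or trailer
    deflated = compressor.compress(xml_doc.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return destination + "?" + urlencode(params)


def decode_redirect(url):
    """Receiver side of HTTP-Redirect: undo the encoding, refusing oversized inflated output."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    inflater = zlib.decompressobj(-15)
    inflated = inflater.decompress(raw, MAX_INFLATED)
    if inflater.unconsumed_tail:
        raise ValueError("inflated AuthnRequest exceeds %d bytes" % MAX_INFLATED)
    return inflated.decode("utf-8")


def encode_post(xml_doc, relay_state=None):
    """HTTP-POST binding: base64 of the XML as the SAMLRequest form field, no compression."""
    form = {"SAMLRequest": base64.b64encode(xml_doc.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_post(form):
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


def inspect_request(xml_doc):
    """Return the fields a receiver checks first; reject anything that is not an AuthnRequest."""
    root = ET.fromstring(xml_doc)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "ID": root.get("ID"),
        "Destination": root.get("Destination"),
        "Issuer": issuer.text if issuer is not None else None,
        "ACS": root.get("AssertionConsumerServiceURL"),
    }


if __name__ == "__main__":
    request = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, ENGINE_SSO)
    print(encode_redirect(request, ENGINE_SSO, relay_state="/after-login"))
```

The Destination attribute is set to the SSO endpoint URL so the receiver can reject requests replayed to a different endpoint; the inflate cap matters on the Redirect binding because a tiny deflated query string can expand to a very large document.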
Endpoint: /authentication/sp/metadata
This endpoint serves the SAML 2.0 Metadata of the OpenConext Engine Service Provider (SP). Hence, this is metadata for IdPs, to add the Engine as their SP.
Endpoint: /authentication/sp/consume-assertion
Supported binding: HTTP-POST
The assertion consumer service (ACS) location endpoint supports receiving SAML Responses using the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding.
Note: In older versions (pre 5.10) we allowed HTTP GET requests on the ACS location, but only to allow more verbose error reporting. This support was dropped in favor of improved HTTP 405 error reporting in the application.
Endpoint: /authentication/proxy/idps-metadata
This endpoint serves SAML 2.0 Metadata with ALL known Engine IdPs. Each IdP entity has a different SSO Location, allowing them to be distinguished (aka "Dutch Scoping"). This metadata is suitable for SPs that want to do their own discovery (i.e. show their own WAYF) and cannot use SAML Scoping.
Endpoint: /authentication/proxy/idps-metadata?sp-entity-id=https%3A%2F%2Fmysp.com%2FassertionConsume
This endpoint serves SAML metadata that includes all Engine IdPs that are allowed for the SP you have configured. Furthermore, it includes fake metadata for the specified SP entity, e.g. with the ACS Location "https:///assertionConsume". This metadata is suitable for SPs (e.g. Shibboleth) that require seeing themselves in the metadata document.
Finally, if an alternative signing certificate is configured in the Engine, the new public key will be published in the metadata.
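As an added example, not the project's own code, the following Python parses a constructed metadata document in the shape described for the proxy endpoints above: it reads each IdP's own SSO Location (the per-IdP location an SP doing its own discovery sends the AuthnRequest to), checks that the SP entity itself is present, and matches the certificate a Response was signed with against the set of signing certificates published for that entity, which is the point of publishing the alternative certificate during a rollover. Hosts, per-IdP paths and certificate contents are made up; the real Engine paths differ.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ENTITY_ID = "https://mysp.com/assertionConsume"

# Constructed stand-ins for certificates: base64 of arbitrary bytes, fingerprinted as if DER.
OLD_CERT = base64.b64encode(b"constructed: current Engine signing certificate").decode()
NEW_CERT = base64.b64encode(b"constructed: alternative Engine signing certificate").decode()
ROGUE_CERT = base64.b64encode(b"constructed: certificate never published by the Engine").decode()


def _idp_entry(entity_id, sso_location, certs):
    # One constructed IdP entry; the Engine's real per-IdP SSO paths and certificates differ.
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in certs)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:IDPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">' + keys +
            f'<md:SingleSignOnService Binding="{REDIRECT}" Location="{sso_location}"/>'
            f'<md:SingleSignOnService Binding="{POST}" Location="{sso_location}"/>'
            "</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed sample in the shape of /authentication/proxy/idps-metadata?sp-entity-id=...:
# one entry per IdP this SP may use, each with its own SSO Location, plus a fake entry for
# the SP itself. Both Engine signing certificates are listed, as during a rollover.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    + _idp_entry("https://idp-a.example.edu",
                 "https://engine.example.org/authentication/idp/single-sign-on/idp-a",
                 [OLD_CERT, NEW_CERT])
    + _idp_entry("https://idp-b.example.edu",
                 "https://engine.example.org/authentication/idp/single-sign-on/idp-b",
                 [OLD_CERT, NEW_CERT])
    + f'<md:EntityDescriptor entityID="{SP_ENTITY_ID}"><md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    f'<md:AssertionConsumerService Binding="{POST}" Location="{SP_ENTITY_ID}" index="0"/>'
    "</md:SPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"
)


def cert_fingerprint(b64_cert):
    # Real metadata wraps the base64 across lines, so strip all whitespace before decoding.
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idps(metadata_xml):
    """Map each IdP entityID to its SSO locations per binding and its signing fingerprints."""
    root = ET.fromstring(metadata_xml)
    idps = {}
    for ed in root.iterfind("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # the SP's own fake entry, or anything else that is not an IdP
        sso = {s.get("Binding"): s.get("Location")
               for s in idp.iterfind("md:SingleSignOnService", NS)}
        fingerprints = set()
        for kd in idp.iterfind("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):  # no 'use' means signing and encryption
                continue
            for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                fingerprints.add(cert_fingerprint(cert.text))
        idps[ed.get("entityID")] = {"sso": sso, "signing_fingerprints": fingerprints}
    return idps


def sso_location(idps, entity_id, preferred=REDIRECT):
    """The per-IdP SSO Location to send the AuthnRequest to, preferring HTTP-Redirect."""
    sso = idps[entity_id]["sso"]
    return sso.get(preferred) or sso.get(POST)


def signer_is_trusted(idps, entity_id, presented_cert_b64):
    """Accept a signer only if its certificate is one published for that entity.

    During a rollover the metadata lists both the old and the new Engine certificate, so a
    Response signed with either verifies; an SP that has not refreshed knows only the old one.
    """
    return cert_fingerprint(presented_cert_b64) in idps[entity_id]["signing_fingerprints"]


def sp_is_present(metadata_xml, sp_entity_id):
    """True if the document carries an SPSSODescriptor for the SP (what Shibboleth looks for)."""
    root = ET.fromstring(metadata_xml)
    return any(ed.get("entityID") == sp_entity_id and ed.find("md:SPSSODescriptor", NS) is not None
               for ed in root.iterfind("md:EntityDescriptor", NS))
```

Because every IdP entry in the proxy metadata is served by the Engine, an SP that refreshes this document on a schedule picks up the alternative certificate for all of them at once; an SP that pins a single certificate instead will fail to verify Responses the moment the Engine switches keys.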