Couper Documentation

edge

SAML

The saml block lets you configure the saml_sso_url() function and an access control for a SAML Assertion Consumer Service (ACS) endpoint. Like all access control types, the saml block is defined in the definitions block and can be referenced in all configuration blocks by its required label.

Block nameContextLabel
samlDefinitions Block⚠ required

Example

A complete example can be found here.

saml "SSO" {  idp_metadata_file = "idp-metadata.xml"  sp_entity_id = env.SP_ENTITY_ID  sp_acs_url = "http://localhost:8080/saml/acs"  array_attributes = ["eduPersonAffiliation"] # or ["memberOf"]}

Attributes

NameTypeDefaultDescription
array_attributes
tuple (string)
[]

A list of assertion attributes that may have several values. Results in at least an empty array in request.context.<label>.attributes.<name>

custom_log_fields
object
-

Log fields for custom logging. Inherited by nested blocks.

idp_metadata_file
string
-

File reference to the Identity Provider metadata XML file.

sp_acs_url
string
-

The URL of the Service Provider's ACS endpoint. Relative URL references are resolved against the origin of the current request URL. The origin can be changed with the accept_forwarded_url attribute if Couper is running behind a proxy.

sp_entity_id
string
-

The Service Provider's entity ID.

Some information from the assertion consumed at the ACS endpoint is provided in the context at request.context.<label>:

  • the NameID of the assertion's Subject (request.context.<label>.sub)
  • the session expiry date SessionNotOnOrAfter (as UNIX timestamp: request.context.<label>.exp)
  • the attributes (request.context.<label>.attributes.<name>)

Nested Blocks

NameDescription
error_handler

Configures an error handler (zero or more).