Federation with SAML2.0


The eIAM-Web PEP provides information about the identity and other attributes (e.g. authorisation roles) of the end user via this interface by means of a SAML token.

From the application's point of view, a federated authentication with SAML 2.0 is set up according to either the "IDP initiated" or the "SP initiated" scenario.

eIAM generally offers only "SP initiated" federation, because this gives the application more freedom. The SAML 2.0 specification offers a variety of scenarios, profiles, bindings and parameters. If these do not match between the application and the eIAM-Web, the eIAM-Web and the application cannot communicate successfully and the application cannot be integrated into the eIAM service.
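The following is an added example (not eIAM's or the page's own code) of what the SP side of the "SP initiated" scenario described above looks like: the application generates an AuthnRequest with its own request ID, sends it with the HTTP-Redirect binding, and then accepts a Response only if its InResponseTo matches an outstanding request ID. The entity ID and endpoint URLs are constructed placeholders, and the sample Response is constructed inline; signature and assertion validation are left to a SAML library and are not shown.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Namespace and binding URIs as defined by the SAML 2.0 specification.
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed, hypothetical values: these are NOT real eIAM endpoints.
SP_ENTITY_ID = "https://app.example.invalid/saml/metadata"
SP_ACS_URL = "https://app.example.invalid/saml/acs"
IDP_SSO_URL = "https://idp.example.invalid/saml/sso"


def new_request_id() -> str:
    # xs:ID values must not start with a digit, hence the underscore prefix.
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """Build the AuthnRequest an SP sends to start SP-initiated SSO.

    The SP states up front which ACS URL and which response binding it
    expects; these parameters must match what the IdP side is configured for.
    """
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    root = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(request_xml: str, relay_state: str) -> str:
    """Encode per HTTP-Redirect binding: raw DEFLATE, base64, then URL query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url: str) -> str:
    """Reverse of redirect_binding_url, as the IdP side would decode it."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def check_response_correlation(response_xml: str, pending_ids: set) -> bool:
    """Accept a Response only if InResponseTo names an outstanding request.

    The matched ID is consumed, so a second delivery of the same Response is
    rejected. Only correlation is checked here; signature, audience and
    validity-window checks belong to the SAML library that parses the token,
    which should also use a hardened XML parser rather than plain ElementTree.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS_SAMLP}}}Response":
        return False
    in_response_to = root.get("InResponseTo")
    if in_response_to is None or in_response_to not in pending_ids:
        return False
    pending_ids.discard(in_response_to)
    return True


def make_sample_response(in_response_to: str) -> str:
    """Constructed, unsigned Response skeleton used only to exercise the check."""
    return (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" ID="_resp1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_ACS_URL}" '
            f'InResponseTo="{in_response_to}"/>')


def demo() -> tuple:
    """Run one SP-initiated round trip plus a replay and an unsolicited response."""
    pending = set()
    request_id = new_request_id()
    pending.add(request_id)
    url = redirect_binding_url(
        build_authn_request(request_id, datetime.now(timezone.utc)), "/after-login")
    assert decode_redirect_request(url).startswith("<samlp:AuthnRequest")
    first = check_response_correlation(make_sample_response(request_id), pending)
    replay = check_response_correlation(make_sample_response(request_id), pending)
    unsolicited = check_response_correlation(make_sample_response("_unknown"), pending)
    return first, replay, unsolicited  # (True, False, False)


if __name__ == "__main__":
    print(demo())
```

Because the SP mints the request ID itself, it can tie every incoming token to a login it actually started, which is the practical difference between the two scenarios from the application's side; an IdP-initiated flow delivers a Response with no InResponseTo to correlate against.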

Functionality

Depending on your needs, there are two types of federation available:
  1. STS-PEP for standard eIAM integration (eIAM provides a token service)
  2. RP-PEP for eIAM integration with high protection needs (eIAM managed reverse proxy)
SAML 2.0 Integration pattern STS-PEP (Default)

SAML 2.0 Integration pattern RP-PEP

Detailed technical requirements

Here you can find all the technical details needed to set up federation with eIAM properly.
SAML 2.0 configuration (metadata)