SAML 2.0 IdP

The IDToken Auth Server can act as a SAML 2.0 Identity Provider (IdP), translating passwordless IDToken authentication into SAML assertions for enterprise Service Providers.

This enables organizations to integrate IDToken with existing SAML-based applications (e.g., corporate SSO, SaaS platforms) without modifying them.

GET /saml/metadata

Returns the IdP’s SAML 2.0 metadata (IDPSSODescriptor) for SP configuration.

Includes:

  • Entity ID
  • Signing certificate
  • Encryption certificate (if configured)
  • SSO bindings (HTTP-Redirect and HTTP-POST)
  • SLO bindings
  • Supported NameID formats: persistent, transient, emailAddress

GET /saml/sso

Receives an AuthnRequest via HTTP-Redirect binding.

| Parameter | Description |
|---|---|
| SAMLRequest | Deflated + Base64 encoded AuthnRequest |
| RelayState | Optional relay state to preserve through the flow |

POST /saml/sso

Receives an AuthnRequest via HTTP-POST binding.

| Field | Description |
|---|---|
| SAMLRequest | Base64 encoded AuthnRequest |
| RelayState | Optional relay state |

GET /saml/slo

Receives a LogoutRequest via HTTP-Redirect binding.

POST /saml/slo

Receives a LogoutRequest via HTTP-POST binding.

When a SAML SP sends an AuthnRequest to IDToken:

[Sequence diagram: participants SP Application, IDToken IdP, Mobile App. Messages: AuthnRequest (HTTP-Redirect or POST) → IDToken auth → OTP + face verification → Auth verified → SAMLResponse (POST to ACS) → User logged in]

  1. The SP redirects the user to /saml/sso with an AuthnRequest
  2. IDToken parses and validates the AuthnRequest (issuer, ACS URL, signature)
  3. The standard IDToken auth flow runs (OTP + mobile confirmation)
  4. After authentication, IDToken builds a signed SAML Assertion
  5. The assertion is POSTed to the SP’s Assertion Consumer Service (ACS) URL

The assertion contains IDToken identity claims mapped to SAML attribute OIDs:

| IDToken Claim | SAML Attribute OID | Name |
|---|---|---|
| tokenId | 1.3.6.1.4.1.51528.3.1 | IDToken Token ID |
| givenName | 2.5.4.42 | Given Name |
| familyName | 2.5.4.4 | Family Name |
| dateOfBirth | 1.3.6.1.4.1.51528.3.2 | Date of Birth |
| nationality | 1.3.6.1.4.1.51528.3.3 | Nationality |
| trustLevel | 1.3.6.1.4.1.51528.3.4 | Trust Level |

SPs can define custom attribute name overrides in their registration:

```json
{
  "attribute_map": {
    "givenName": "FirstName",
    "familyName": "LastName",
    "tokenId": "UserID"
  }
}
```
The NameID value for each supported format:

| Format | Value |
|---|---|
| persistent | The user’s tokenId (stable across sessions) |
| transient | Random UUID (unique per session) |

The AuthnContextClassRef reflects the trust level:

| Trust Level | AuthnContext |
|---|---|
| 1-2 | MobileTwoFactorUnregistered |
| 3 | MobileTwoFactorContract |

Each registered Service Provider is defined by the following fields:

| Field | Description |
|---|---|
| entity_id | SP’s unique SAML entity identifier |
| acs_url | Where to POST the SAML Response |
| slo_url | Single Logout endpoint (optional) |
| signing_cert_pem | SP’s cert for verifying AuthnRequest signatures |
| encrypt_assertions | Whether to encrypt assertions (AES + RSA-OAEP) |
| required_trust_level | Minimum trust level for this SP (1, 2, or 3) |
| attribute_map | Custom attribute name overrides |
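Steps 2 and 4 of the flow above, with the attribute OID table, the AuthnContext mapping and the SP registration fields applied, as an added Python example that is not part of the IDToken project's code. The SP entity ID, ACS URL and AuthnRequest are constructed values, and the AuthnRequest signature check from step 2 is not shown.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # production code should use defusedxml to block entity expansion

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OIDS = {"tokenId": "1.3.6.1.4.1.51528.3.1", "givenName": "2.5.4.42", "familyName": "2.5.4.4",
        "dateOfBirth": "1.3.6.1.4.1.51528.3.2", "nationality": "1.3.6.1.4.1.51528.3.3",
        "trustLevel": "1.3.6.1.4.1.51528.3.4"}  # the page's claim -> OID table
# Constructed SP registration; the entity ID and ACS URL are made-up values.
SP_REGISTRY = {"https://sp.example.com/metadata": {
    "acs_url": "https://sp.example.com/saml/acs", "required_trust_level": 2,
    "attribute_map": {"givenName": "FirstName", "familyName": "LastName", "tokenId": "UserID"}}}
# Constructed AuthnRequest as an SP would send it (signature omitted).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def decode_redirect_request(saml_request: str) -> bytes:
    return zlib.decompress(base64.b64decode(saml_request), wbits=-15)

def validate_authn_request(xml_bytes: bytes) -> dict:
    """Flow step 2: the issuer must be registered and the ACS URL must match its registration."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    sp = SP_REGISTRY.get(issuer)
    if sp is None:
        raise ValueError("unknown issuer: %r" % issuer)
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != sp["acs_url"]:  # never post the assertion to an unregistered URL
        raise ValueError("ACS URL does not match registration")
    return {"issuer": issuer, "acs_url": sp["acs_url"], "in_response_to": root.get("ID"), "sp": sp}

def authn_context(trust_level: int) -> str:
    return "MobileTwoFactorContract" if trust_level >= 3 else "MobileTwoFactorUnregistered"  # 1-2 vs 3

def assertion_attributes(claims: dict, sp: dict) -> dict:
    """Map claims to {name: (OID, value)} using the SP's attribute_map overrides."""
    if int(claims["trustLevel"]) < sp["required_trust_level"]:
        raise PermissionError("trust level below SP minimum")
    names = {**{k: k for k in OIDS}, **sp.get("attribute_map", {})}
    return {names[k]: (OIDS[k], v) for k, v in claims.items() if k in OIDS}
```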

IDToken supports SP-initiated Single Logout:

  1. SP sends a LogoutRequest with the user’s NameID and optional SessionIndex
  2. IDToken invalidates the Redis session (if SessionIndex provided)
  3. IDToken returns a LogoutResponse via HTTP-Redirect binding