ForgeRock Identity Platform
Does not apply to Identity Cloud

FAQ: SAML federation in IG

Last updated Jun 8, 2021

The purpose of this FAQ is to provide answers to commonly asked questions regarding SAML federation in IG.

Frequently asked questions

Q. How should IG work for SAML federation with AM as the IdP Proxy?

A. IG as the SP and AM as the IdP Proxy should work as follows:

  1. You have an endpoint to deal with SP initiated SSO for non-authenticated users; this should redirect to .../openig/SPInitiatedSSO and be dealt with by the SamlFederationHandler that sends the SAML Authentication Response to the IdP proxy.
  2. You have an endpoint that receives the Authentication Response; this contains .../openig/fedletapplication and should be dealt with by the SamlFederationHandler that uses its configuration to map the content of the assertion and redirect.
  3. You have an endpoint that deals with SP initiated SLO; this should redirect to .../openig/SPInitiatedSLO and be dealt with by the SamlFederationHandler that sends the SAML Logout Request to the IdP proxy.
  4. You have an endpoint that receives the SLO Response; this contains .../openig/fedletSloRedirect and should be dealt with by the SamlFederationHandler that uses its configuration to redirect.
  5. AM is in charge of logging out the external IdPs, sending logout requests to the other SPs and logging out the user from the proxy itself.

No configuration on the IG side should have to actively log out another application that uses federation to log in.

Q. What are the expected access flows for IG with SAML federation using an IdP proxy?

A. The expected access flows are as follows:

IG does SP initiated SSO 

  1. The user is redirected to the IdP proxy.
  2. The user is redirected to the IdP.
  3. The user authenticates and gets an IdP session.
  4. The user gets an IdP proxy session.
  5. The user gets an IG session.

IG does a SP initiated SLO

  1. The IG initiated logout request arrives at the IdP proxy.
  2. The IdP proxy relays the request to the IdP.
  3. The IdP ends the IdP session.
  4. The IdP sends a logout response to the IdP proxy.
  5. The IdP proxy ends the IdP proxy session.
  6. The IdP proxy relays the response to IG.
  7. IG ends the session.

Q. Can I use IG as a SAML2 SP with a third-party IdP?

A. Yes you can. See How do I configure IG (All versions) as a SAML2 SP to work with a third-party IdP? for further information.

Q. How do I enable message level debug logging for SAML?

A. You can enable IG to capture the SAML log file (libSAML2) at message level as detailed in How do I generate more detailed debug logs to diagnose an issue in IG (All versions)? (Collecting SAML logs).

Q. How do I set up signing and encryption in IG?

A. It depends on what version of IG you are using:

Q. Can IG be used as a Service Provider to protect multiple applications?

A. Yes you can use a single IG server as a SAML2 Service Provider (SP) for multiple protected applications. See SAML 2.0 and Multiple Applications for further information.

See Also

Act As a SAML 2.0 Service Provider

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.