Authentication: SAML 2.0 Federation

Module metadata

Source reference

content/modules/auth-saml-federation.md

Last updated

18 Mar 2026

Category

Core modules

Content checksum

daf32168a7d00dcb

Tags

modules, compliance, geospatial

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

SAML 2.0 (Security Assertion Markup Language) is the dominant enterprise and government authentication federation standard, underpinning single sign-on across health systems, defence networks, tax authorities, and national digital identity frameworks. SAML federates authentication between an Identity Provider (IdP, which holds user credentials and issues assertions) and Service Providers (SPs, which consume assertions to grant access). Argus implements SAML 2.0 SP functionality and maintains a registry of trusted IdP configurations, allowing operators at partner agencies and customer organisations to authenticate to Argus using their existing enterprise credentials without creating separate Argus accounts.

Key Features

Identity Provider Registry

Each trusted SAML IdP is registered with entity ID, metadata URL, and display name. Argus fetches IdP metadata (containing the X.509 signing certificate and SSO endpoint URLs) via fetchSamlProviderMetadata and persists it locally. Metadata is periodically re-fetched to capture certificate rotations and endpoint changes before they cause authentication failures.

Metadata-Driven Configuration

Argus follows the SAML 2.0 metadata management model -- rather than manually configuring signing certificates and endpoint URLs, all IdP parameters are derived from the published metadata document. This means IdP certificate rotations are handled automatically: the next metadata fetch picks up the new certificate before the old one expires.
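The metadata-driven model described above, as an added example (not Argus code): a Python parser for an IdP EntityDescriptor that extracts the signing certificates, SSO/SLO endpoints and validUntil, plus a registry refresh that reports which signing-certificate fingerprints were added or removed so a rotation shows up in the logs rather than as a surprise. The entity ID, URLs and certificate bodies are constructed placeholders; the namespace and binding URNs are the standard SAML 2.0 values.

```python
# Added illustration, not Argus code. The metadata document is constructed and
# the "certificates" are placeholder bytes standing in for DER-encoded X.509.
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

OLD_CERT = b"constructed-placeholder-cert-2025"        # placeholder, not real DER
NEW_CERT = b"constructed-placeholder-cert-2026"
ENC_CERT = b"constructed-placeholder-encryption-cert"


def parse_utc(ts: str) -> datetime:
    """Parse an xsd:dateTime such as 2030-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass
class IdpConfig:
    entity_id: str
    signing_certs: list              # DER bytes, in metadata order
    sso_endpoints: dict              # binding URN -> URL
    slo_endpoints: dict              # binding URN -> URL
    valid_until: Optional[datetime]

    def cert_fingerprints(self) -> list:
        return [hashlib.sha256(c).hexdigest() for c in self.signing_certs]


def parse_idp_metadata(xml_text: str) -> IdpConfig:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata root is not an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing AND
        # encryption; only use="encryption" keys are excluded from signature trust.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    sso = {e.attrib["Binding"]: e.attrib["Location"]
           for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.attrib["Binding"]: e.attrib["Location"]
           for e in idp.findall("md:SingleLogoutService", NS)}
    valid_until = root.attrib.get("validUntil")
    return IdpConfig(root.attrib["entityID"], certs, sso, slo,
                     parse_utc(valid_until) if valid_until else None)


def refresh_registry(registry: dict, xml_text: str, now: Optional[datetime] = None) -> dict:
    """Replace an IdP's stored config with freshly fetched metadata.

    Returns the signing-certificate fingerprints added and removed, which is
    exactly what an operator wants logged when a rotation is picked up.
    Expired metadata is refused so the previous configuration stays in force.
    """
    now = now or datetime.now(timezone.utc)
    cfg = parse_idp_metadata(xml_text)
    if cfg.valid_until is not None and now >= cfg.valid_until:
        raise ValueError("fetched metadata is already expired; keeping previous config")
    previous = registry.get(cfg.entity_id)
    before = set(previous.cert_fingerprints()) if previous else set()
    after = set(cfg.cert_fingerprints())
    registry[cfg.entity_id] = cfg
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed metadata: an IdP mid-rotation publishes the old and new signing
# certificates side by side, plus a separate encryption-only certificate.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.nation-a.example/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64(OLD_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64(NEW_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64(ENC_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.nation-a.example/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.nation-a.example/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.nation-a.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    registry = {}
    print(refresh_registry(registry, SAMPLE_METADATA))
    print(registry["https://idp.nation-a.example/saml"].sso_endpoints)
```

Two details matter in practice: a KeyDescriptor without a `use` attribute is a signing key too (dropping it is a common cause of "signature verification failed" right after a rotation), and metadata whose validUntil has already passed should never displace a working configuration. In production the fetch should also go over TLS to the registered metadata URL, and the XML should be parsed with a hardened parser such as defusedxml rather than the stdlib module used here for portability.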

Entity ID and Issuer Validation

Every SAML assertion received is validated against the registered entity ID for the issuing IdP. Assertions from unregistered entity IDs are rejected. This prevents SAML response injection attacks where an attacker attempts to substitute an assertion from a different (weaker or attacker-controlled) IdP.

Attribute Mapping

SAML attributes in the assertion (typically carrying email address, display name, organisation, and group memberships) are mapped to Argus user profile fields and role assignments. The attribute mapping is configurable per IdP -- two different customer IdPs may use different attribute name conventions for the same conceptual data.
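The issuer validation and per-IdP attribute mapping described in the two sections above, as one added example that is not Argus code. It assumes the XML-DSig layer (for instance xmlsec behind a SAML library) has already verified the Response signature and reports which registered IdP's key verified it; the code then enforces that the assertion's Issuer is registered and is that same IdP, checks the Conditions window and AudienceRestriction, and maps attributes through an IdP-specific table so that one IdP's plain LDAP names and another's urn:oid names land in the same profile fields and roles. The SP entity ID, the two IdP entity IDs, the mapping tables and the sample responses are all constructed.

```python
# Added illustration, not Argus code. Assumes the XML-DSig layer has already
# verified the Response signature and reports which registered IdP's key did so
# ('verified_by'); the issuer, audience, time and attribute checks follow here.
# Registry entries, the SP entity ID and the sample responses are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://argus.example/saml/sp"   # placeholder SP entity ID
NATION_A = "https://idp.nation-a.example/saml"    # constructed IdP entity IDs
NATION_B = "https://idp.nation-b.example/saml"

# Per-IdP mapping: the same conceptual fields arrive under different attribute
# names (plain LDAP names from one IdP, urn:oid names from another).
REGISTRY = {
    NATION_A: {"attributes": {"email": "mail", "display_name": "displayName",
                              "organisation": "o", "groups": "memberOf"},
               "roles": {"argus-analysts": "analyst", "argus-admins": "admin"}},
    NATION_B: {"attributes": {"email": "urn:oid:0.9.2342.19200300.100.1.3",
                              "display_name": "urn:oid:2.16.840.1.113730.3.1.241",
                              "organisation": "urn:oid:2.5.4.10",
                              "groups": "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"},
               "roles": {"exercise-blue-team": "operator"}},
}


class AssertionRejected(Exception):
    pass


def parse_utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_and_map(response_xml: str, verified_by: str, now: datetime,
                     skew: timedelta = timedelta(seconds=60)) -> dict:
    """Check issuer, conditions and audience, then map attributes to a profile."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.attrib.get("Value") != SUCCESS:
        raise AssertionRejected("response status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise AssertionRejected("expected exactly one Assertion")
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    # Issuer must be registered AND be the IdP whose key verified the signature,
    # so an assertion from a weaker IdP cannot be passed off as a stronger one's.
    if issuer not in REGISTRY:
        raise AssertionRejected(f"unregistered issuer {issuer!r}")
    if issuer != verified_by:
        raise AssertionRejected("Issuer does not match the IdP that signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("assertion has no Conditions")
    nb, noa = cond.attrib.get("NotBefore"), cond.attrib.get("NotOnOrAfter")
    if nb and now + skew < parse_utc(nb):
        raise AssertionRejected("assertion not yet valid")
    if noa and now - skew >= parse_utc(noa):
        raise AssertionRejected("assertion expired")
    audiences = [x.text.strip() for x in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if SP_ENTITY_ID not in audiences:
        raise AssertionRejected("assertion not addressed to this SP")
    attrs = {at.attrib["Name"]: [v.text.strip() for v in at.findall("saml:AttributeValue", NS) if v.text]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    mapping = REGISTRY[issuer]
    profile = {f: (attrs.get(n) or [None])[0]
               for f, n in mapping["attributes"].items() if f != "groups"}
    groups = attrs.get(mapping["attributes"]["groups"], [])
    # Unmapped groups are ignored; only explicitly mapped groups confer a role.
    roles = sorted({mapping["roles"][g] for g in groups if g in mapping["roles"]})
    return {"issuer": issuer, "profile": profile, "roles": roles}


def rejection_reason(response_xml: str, verified_by: str, now: datetime) -> Optional[str]:
    """None when the response is accepted, otherwise why it was rejected."""
    try:
        validate_and_map(response_xml, verified_by, now)
        return None
    except AssertionRejected as e:
        return str(e)


def make_response(issuer: str, attributes: dict, audience: str = SP_ENTITY_ID,
                  not_on_or_after: str = "2026-03-18T12:05:00Z") -> str:
    """Constructed (unsigned) Response for exercising the checks above."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
        + "</saml:Attribute>" for n, vs in attributes.items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2026-03-18T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-03-18T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>operator@example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2026-03-18T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The check that matters most for the substitution attack is the pairing of Issuer with `verified_by`: a registered IdP's key verifying the signature is necessary but not sufficient, because a correctly signed assertion from a weaker registered IdP must not be accepted as if the stronger IdP had issued it. Rejecting responses with zero or several Assertion elements closes off the classic wrapping ambiguities, and role assignment only ever follows explicitly mapped group values.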

Multi-IdP Support for Allied Operations

Operations involving multiple nations or organisations naturally involve multiple IdPs -- each partner nation runs its own national IdP. Argus's multi-IdP registry allows operators from Allied nation A to authenticate via their national IdP while operators from Allied nation B use their own, within the same Argus deployment serving the combined operation.

Session Management

SAML-authenticated sessions respect IdP-issued session validity periods and support SAML Single Logout (SLO). When an IdP terminates a user session (e.g., after the IdP session timeout or explicit logout), SLO propagates the termination to Argus, preventing the use of SAML sessions after the IdP has revoked them.
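The SLO propagation described above, as an added example that is not Argus code: an SP-side session store that applies an IdP-initiated LogoutRequest. It assumes the request's signature has already been verified and that `verified_by` names the IdP whose key verified it, so a request can only terminate sessions established through that same IdP; sessions, entity IDs and the request itself are constructed.

```python
# Added illustration, not Argus code. Assumes the LogoutRequest signature has
# already been verified and 'verified_by' names the IdP whose key verified it.
# The session store, entity IDs and the sample request are constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


@dataclass
class Session:
    session_id: str
    idp_entity_id: str     # IdP that issued the assertion this session came from
    name_id: str
    session_index: str     # SessionIndex from the assertion's AuthnStatement
    active: bool = True


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, session_id: str, idp_entity_id: str, name_id: str,
               session_index: str) -> Session:
        s = Session(session_id, idp_entity_id, name_id, session_index)
        self._sessions[session_id] = s
        return s

    def is_active(self, session_id: str) -> bool:
        s = self._sessions.get(session_id)
        return bool(s and s.active)

    def handle_logout_request(self, logout_request_xml: str,
                              verified_by: str) -> Tuple[str, List[str]]:
        """Terminate the sessions a LogoutRequest names; return (status URN, ids)."""
        root = ET.fromstring(logout_request_xml)
        if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
            return REQUESTER, []
        issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
        name_id = root.findtext("saml:NameID", default="", namespaces=NS).strip()
        # Only the IdP that signed the request may end sessions it created; a
        # request naming another IdP's principals is refused outright.
        if not issuer or issuer != verified_by or not name_id:
            return REQUESTER, []
        indexes = {e.text.strip() for e in root.findall("samlp:SessionIndex", NS) if e.text}
        terminated = []
        for s in self._sessions.values():
            if not s.active or s.idp_entity_id != issuer or s.name_id != name_id:
                continue
            # No SessionIndex in the request means every session of that principal.
            if indexes and s.session_index not in indexes:
                continue
            s.active = False
            terminated.append(s.session_id)
        return SUCCESS, sorted(terminated)


def make_logout_request(issuer: str, name_id: str, session_indexes=()) -> str:
    """Constructed (unsigned) LogoutRequest for the example."""
    idx = "".join(f"<samlp:SessionIndex>{i}</samlp:SessionIndex>" for i in session_indexes)
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_lr1" Version="2.0" IssueInstant="2026-03-18T13:00:00Z">'
            f"<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>{idx}"
            f"</samlp:LogoutRequest>")
```

Storing the issuing IdP and SessionIndex with each local session is what makes SLO precise: the same NameID string can legitimately exist at two partner IdPs, and a logout from one must not touch sessions the other established. The returned status URN is what the SP would place in its LogoutResponse back to the IdP.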

Use Cases

  • National SOC to Government IdP Integration: A national cybersecurity agency operates Argus for government CERT functions. All government employees authenticate via the national government IdP (eIDAS-linked in EU member states), providing federated SSO with hardware-backed credentials and no Argus-local password management.
  • Allied Exercise Federated Access: During NATO cyber exercises, operators from member states need platform access. Each nation's exercise team authenticates through their national defence IdP, with Argus consuming the assertion and automatically mapping to appropriate exercise roles based on SAML group attributes.
  • Defence Contractor Access: Prime and sub-contractors requiring access to mission planning domains use their company IdP rather than manually provisioned accounts, with project duration scoping managed at the IdP group level.
  • NIS2 Compliance for Government IdP Mandates: Several NIS2 member state implementations require government contractors handling sensitive information to authenticate via national government identity schemes. SAML federation enables compliance while maintaining SSO usability.

Integration

Available via GraphQL: samlProviders, samlProviderStats (queries); syncSamlProvider, fetchSamlProviderMetadata (mutations). All operations require authentication and organisation scoping.

Works alongside Keycloak IDM (Keycloak can act as a SAML IdP or broker external SAML IdPs), Zitadel IAM (OIDC alternative for cloud-native IdPs), and SCIM Provisioning (complements SAML authentication with automated user lifecycle). SAML handles who you are; SCIM handles account creation and removal.

Last Reviewed: 2026-03-18