Parse external IdP metadata


Available in Classic and VPC

Parse external SAML IdP metadata.

Request

This section describes the request format. The method and URI are as follows:

Method URI
POST /api/v1/tenant/saml-idp/metadata-parsing

Request headers

For information about the headers common to all Ncloud Single Sign-On APIs, see Ncloud Single Sign-On request headers.

Request body

You can include the following data in the body of your request:

Field Type Required Description
EntityDescriptor.xmlns:md String Required XML namespace information
  • urn:oasis:names:tc:SAML:2.0:metadata (valid value)
EntityDescriptor.entityID String Required IdP entity's unique identifier
EntityDescriptor.IDPSSODescriptor.WantAuthnRequestsSigned Boolean Optional Whether to sign AuthnRequest
  • true | false
    • true: sign
    • false: not sign
EntityDescriptor.IDPSSODescriptor.protocolSupportEnumeration String Required Supported protocol
  • urn:oasis:names:tc:SAML:2.0:protocol (valid value)
EntityDescriptor.IDPSSODescriptor.KeyDescriptor.use String Required Certificate purpose
  • signing (valid value)
EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.xmlns:ds String Required KeyInfo namespace information
  • http://www.w3.org/2000/09/xmldsig# (valid value)
EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate String Required X.509 certificate for IdP signing
EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Binding String Required Protocol binding information for SAML login
  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
    • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST: HTTP-POST method
    • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect: HTTP-Redirect method
EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Location String Required SAML login URL mapped to the binding protocol

Request example

The request example is as follows:

curl --location --request POST 'https://sso.apigw.ntruss.com/api/v1/tenant/saml-idp/metadata-parsing' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/xml' \
--data '<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MII******************vkhgLE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/logout/MDUwNzUy****************************ZTU0NTkx"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/logout/MDUwNzUy****************************ZTU0NTkx"/>
    <md:NameIDFormat/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'

Response

This section describes the response format.

Response body

The response body includes the following data:

Field Type Required Description
signRequest Boolean - Whether to sign AuthnRequest
  • true | false
    • true: sign
    • false: not sign
providerId String - IdP's unique identifier
idpSigninUrl String - Login URL of the IdP to which the user is redirected when logging in through SSO
idpIssuerUrl String - URL used as the issuer in SAML response
idpCert String - Public certificate of the IdP used to verify the signature of the SAML response (deprecated; use idpCerts)
idpCerts Array - List of public certificates of the IdP used to verify the signature of the SAML response, one base64-encoded X.509 certificate per element
signRequestAlgorithm String - Hash algorithm used to sign SAML requests
  • Displayed when signRequest is true
  • SHA-1 | SHA-256
    • SHA-1: SHA-1 hash algorithm
    • SHA-256: SHA-256 hash algorithm
signResponseAlgorithm String - Hash algorithm used to sign SAML responses
  • SHA-1 | SHA-256
    • SHA-1: SHA-1 hash algorithm
    • SHA-256: SHA-256 hash algorithm
protocolBinding String - Protocol binding used when sending SAML requests and responses
  • HTTP-POST | HTTP-REDIRECT
    • HTTP-POST: Method of sending a SAML message by including it in the body of an HTTP-POST request
    • HTTP-REDIRECT: Method of sending a SAML message as a URL query parameter via an HTTP-GET request
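The following is an added worked example, not Ncloud's implementation, showing in Python how metadata shaped like the request example above maps onto the response fields in this table, and which checks a tenant should apply before trusting what an IdP published: it refuses documents that carry a DTD (SAML metadata never needs one), keeps only KeyDescriptor entries usable for signing, verifies that each certificate is valid base64 DER, and accepts only https SingleSignOnService locations with the HTTP-POST or HTTP-Redirect binding, preferring HTTP-POST when both are present. SAMPLE_METADATA is constructed: its entityID and URLs are fictitious and its certificate is a placeholder DER SEQUENCE rather than a real X.509 certificate. Mapping providerId and idpIssuerUrl to entityID, and defaulting signResponseAlgorithm to SHA-256 (metadata does not carry the hash algorithm), are assumptions of this example.

```python
# Added example (not Ncloud's own code): map SAML 2.0 IdP metadata to this API's response fields.
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDINGS = {  # metadata binding URI -> short name used in the response body
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-REDIRECT",
}

# Constructed sample modelled on the request example above: entityID and URLs are
# made up and the certificate is a placeholder DER SEQUENCE { INTEGER 1 }, not a real one.
FAKE_CERT_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


class MetadataError(ValueError):
    """A required field is missing or carries a value the tenant must not trust."""


def _check_cert(b64: str) -> str:
    # Strip the line breaks IdPs insert into the PEM body, then require valid base64 whose
    # first byte is a DER SEQUENCE tag (0x30): anything else must not become a trust anchor.
    compact = "".join(b64.split())
    try:
        der = base64.b64decode(compact, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise MetadataError("X509Certificate is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise MetadataError("X509Certificate is not a DER-encoded certificate")
    return compact


def parse_idp_metadata(xml_text: str) -> dict:
    # SAML metadata never needs a DTD; refusing one blocks entity-expansion tricks up front.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise MetadataError("DTD and entity declarations are not allowed")
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        raise MetadataError(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        raise MetadataError("md:EntityDescriptor with an entityID is required")
    entity_id = root.get("entityID")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise MetadataError("IDPSSODescriptor is required")
    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        raise MetadataError("protocolSupportEnumeration must list the SAML 2.0 protocol")
    # Only signing keys may verify responses; a KeyDescriptor without "use" covers both uses.
    cert_path = f"{{{DS_NS}}}KeyInfo/{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate"
    certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            certs += [_check_cert(c.text) for c in kd.findall(cert_path) if c.text]
    if not certs:
        raise MetadataError("a signing X509Certificate is required")
    # Keep only the two supported bindings; the browser is sent to Location, so require TLS.
    sso = {}
    for svc in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        binding, location = svc.get("Binding"), svc.get("Location")
        if binding not in BINDINGS or not location:
            continue
        if not location.startswith("https://"):
            raise MetadataError(f"SingleSignOnService Location must use https: {location}")
        sso[BINDINGS[binding]] = location
    if not sso:
        raise MetadataError("SingleSignOnService with HTTP-POST or HTTP-Redirect is required")
    binding = "HTTP-POST" if "HTTP-POST" in sso else "HTTP-REDIRECT"  # prefer POST
    sign_request = idp.get("WantAuthnRequestsSigned", "false").lower() == "true"
    result = {
        "signRequest": sign_request,
        "providerId": entity_id,             # assumption: entityID is the IdP identifier
        "idpSigninUrl": sso[binding],
        "idpIssuerUrl": entity_id,           # assumption: response Issuer equals entityID
        "idpCerts": certs,
        "signResponseAlgorithm": "SHA-256",  # assumption: not carried in metadata; default
        "protocolBinding": binding,
    }
    if sign_request:  # signRequestAlgorithm is only present when signRequest is true
        result["signRequestAlgorithm"] = "SHA-256"
    return result


def is_rejected(xml_text: str) -> bool:
    """True when parse_idp_metadata refuses the metadata (used for negative checks)."""
    try:
        parse_idp_metadata(xml_text)
    except MetadataError:
        return True
    return False
```

Call parse_idp_metadata(SAMPLE_METADATA) to get a dict shaped like the response example. The same parser accepts the body of the request example above only after its masked certificate is replaced with a real one: the asterisks are not valid base64, so the certificate check rejects them, which is the behaviour you want for anything that is not a genuine DER certificate.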

Response status codes

For information about the response status codes common to all Ncloud Single Sign-On APIs, see Ncloud Single Sign-On response status codes.

Response example

The response example is as follows:

{
    "signRequest": false,
    "idpSigninUrl": "https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx",
    "idpIssuerUrl": "https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx",
    "idpCerts": ["MII******************vkhgLE="],
    "signResponseAlgorithm": "SHA-256",
    "protocolBinding": "HTTP-POST"
}