Parse external IdP metadata

Available in Classic and VPC

Parse external SAML IdP metadata.

Request

This section describes the request format. The method and URI are as follows:

Method	URI
POST	/api/v1/tenant/saml-idp/metadata-parsing

Request headers

For information about the headers common to all Ncloud Single Sign-On APIs, see Ncloud Single Sign-On request headers.

Request body

You can include the following data in the body of your request:

Field	Type	Required	Description
`EntityDescriptor.xmlns:md`	String	Required	XML namespace information `urn:oasis:names:tc:SAML:2.0:metadata` (valid value)
`EntityDescriptor.entityID`	String	Required	IdP entity's unique identifier
`EntityDescriptor.IDPSSODescriptor.WantAuthnRequestsSigned`	Boolean	Optional	Whether to sign AuthnRequest `true` \| `false` `true`: sign `false`: not sign
`EntityDescriptor.IDPSSODescriptor.protocolSupportEnumeration`	String	Required	Supported protocol `urn:oasis:names:tc:SAML:2.0:protocol` (valid value)
`EntityDescriptor.IDPSSODescriptor.KeyDescriptor.use`	String	Required	Certificate purpose `signing` (valid value)
`EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.xmlns:ds`	String	Required	KeyInfo namespace information `http://www.w3.org/2000/09/xmldsig#` (valid value)
`EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate`	String	Required	X.509 certificate for IdP signing
`EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Binding`	String	Required	Protocol binding information for SAML login `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` \| `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`: HTTP-POST method `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`: HTTP-Redirect method
`EntityDescriptor.IDPSSODescriptor.SingleSignOnService.Location`	String	Required	SAML login URL mapped to the binding protocol

Request example

The request example is as follows:

curl --location --request POST 'https://sso.apigw.ntruss.com/api/v1/tenant/saml-idp/metadata-parsing' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/xml' \
--data '<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MII******************vkhgLE=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/logout/MDUwNzUy****************************ZTU0NTkx"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/logout/MDUwNzUy****************************ZTU0NTkx"/>
    <md:NameIDFormat/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'

Response

This section describes the response format.

Response body

The response body includes the following data:

Field	Type	Required	Description
`signRequest`	Boolean	-	Whether to sign AuthnRequest `true` \| `false` `true`: sign `false`: not sign
`providerId`	String	-	IdP's unique identifier
`idpSigninUrl`	String	-	Login URL of the IdP to which the user is redirected when logging in through SSO
`idpIssuerUrl`	String	-	URL used as the issuer in SAML response
`idpCert`	String	-	Public certificate of the IdP used to verify the signature of the SAML response (deprecated)
`idpCerts`	String	-	List of public certificates of the IdP used to verify the signature of the SAML response
`signRequestAlgorithm`	String	-	Hash algorithm used to sign SAML requests Displayed when `signRequest` is `true` `SHA-1` \| `SHA-256` `SHA-1`: SHA-1 hash algorithm `SHA-256`: SHA-256 hash algorithm
`signResponseAlgorithm`	String	-	Hash algorithm used to sign SAML requests `SHA-1` \| `SHA-256` `SHA-1`: SHA-1 hash algorithm `SHA-256`: SHA-256 hash algorithm
`protocolBinding`	String	-	Protocol binding used when sending SAML requests and responses `HTTP-POST` \| `HTTP-REDIRECT` `HTTP-POST`: Method of sending a SAML message by including it in the body of an HTTP-POST request `HTTP-REDIRECT`: Method of sending a SAML message as a URL query parameter via an HTTP-GET request

Response status codes

For information about the response status codes common to all Ncloud Single Sign-On APIs, see Ncloud Single Sign-On response status codes.

Response example

The response example is as follows:

{
    "signRequest": false,
    "idpSigninUrl": "https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx",
    "idpIssuerUrl": "https://portal.sso.ap-southeast-2.amazonaws.com/saml/assertion/MDUwNzUy****************************ZTU0NTkx",
    "idpCerts": ["MII******************vkhgLE="],
    "signResponseAlgorithm": "SHA-256",
    "protocolBinding": "HTTP-POST"
}

Documentation Index