SAML Configuration for OpenFlow


We’re attempting to configuration SAML Authentication on our POC Install of OpenFlow and we’re having a bit of confusion about what values go where. Specifically we’re trying to figure out what value would go in ID and what value goes in issuer. We have the FederationMetaData file and tried to follow the previous post, but are still missing something.

Is there any help you can give us to point us in the right direction (where each value is derived or is in the FederationMetaData file)?


I am going to assume you want to login using your saml server ?
so, the below is assuming you are adding a new provider in openflow

When adding a SAML provider, openflow becomes a Relying Party and the config you are adding is pointing to a Identity Provider or Secure Token Server ( like adfs )
typically an STS will have one generic FederationMetadata url with information about what services, claims etc it’s exposing and what signing certificate(s) are used to prove a token was issued by the server.

name: what is label on the button
id: used in the URL and therefore also in authentication url’s.
issuer: typically an URI of the ws-federation server you are trying to add ( you can also find this value in your FederationMetadata from your ws-federation server )
metadataurl: url to the FederationMetadata.xml file. When openflow load’s the provider, it will make a get request to that url, and use the information inside it to configure it self, most importantly get the signing certificate(s).

once you click save, and edit the new provider, at the bottom you will find a FederationMetadata url you can use inside your ws-federation server to “pull” openflow config. This is needed for the ws-federation server to 1) know the url’s 2) know what certificate to use when signing proof token.

Each Relying Party will sometimes have an unique FederationMetadata exposing information about wanted and needed claims, encryption and signing certificates and endpoints. If not, you will need to enter this information manually into the STS.

very over simplified:


  • First you add a provider to openflow and copy the FederationMetadata url.
  • Then you create openflow as an relying party in your STS using the FederationMetadata url.
  • If you have made edit’s to the provider it might be a good idea to restart openflow, since “hot” reloading of providers is not fully implemented.


  • When you want to login using your new provider, you click the button this redirects you to /id-from-provider
  • This create a token request, signed by openflow and make your browser post this to your STS.
  • Your STS makes you signin somehow if not already signed in and then issues a TokenResponse signed with it’s certificate, and make you browser post that back to openflow.
  • If openflow successfully validates the token response, you are signed and redirected back to your last URL.

OpenFlow can also act as an STS, using either ws-federation or openid connect.
for instance NodeRED was using ws-federation before 1.5 and is using openid connect now.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.