Limitations of SAML in the Loginapp REST API

The following limitations apply to the SAML IDP and SP implementation:

| Topic | Details |
|---|---|
| forceAuthn flag | If the SAML AuthnRequest contains the flag forceAuthn, an existing user session is terminated and the user has to fully authenticate. |
| AuthnRequest flags | The following flags in the AuthnRequest are ignored: isPassive, allowCreate. |
| No multi IDP | An Airlock IAM instance cannot host multiple SAML IDPs (each with a different configuration), not even by using configuration contexts. |
| Configuration contexts | The SAML IDP must be configured in the default configuration context. |
| SP-initiated SLO | In SP-initiated SLO (single logout), the first LogoutRequest to the IDP defines the binding (redirect or POST) for all SPs. |
| IDP-initiated SLO | In IDP-initiated SLO (single logout), the binding (redirect or POST) for all SPs is defined by the IDP. |
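
A pre-flight check that an SP integrator could run over its own AuthnRequest to see which flags fall under the limitations listed above; this is an added example, not Airlock IAM code. It assumes the SAML 2.0 schema spellings ForceAuthn, IsPassive and AllowCreate (the latter on NameIDPolicy) for the flags the page writes as forceAuthn, isPassive and allowCreate; the function name and the sample requests are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample requests (not captured traffic).
SAMPLE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ForceAuthn="1" IsPassive="true">
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""

PLAIN = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ForceAuthn="false"/>"""


def _xs_true(value):
    # xs:boolean accepts both "true" and "1" as true.
    return value is not None and value.strip() in ("true", "1")


def review_authn_request(xml_text):
    """Return (flag, note) pairs for flags covered by the limitations above.

    Intended for requests the SP generates itself; parse untrusted XML
    with a hardened parser instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")

    findings = []
    if _xs_true(root.get("ForceAuthn")):
        findings.append(("ForceAuthn",
                         "existing session is terminated; full authentication required"))
    if _xs_true(root.get("IsPassive")):
        findings.append(("IsPassive", "ignored by the IDP"))
    # AllowCreate lives on the optional NameIDPolicy child, not on the request.
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is not None and policy.get("AllowCreate") is not None:
        findings.append(("AllowCreate", "ignored by the IDP"))
    return findings


if __name__ == "__main__":
    for flag, note in review_authn_request(SAMPLE):
        print(f"{flag}: {note}")
```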