Thoryn

Generic SAML 2.0 IdP as a Hub federation member

Federate Hub to any SAML 2.0 IdP — long-tail enterprise IdPs, custom corporate identity providers, ADFS, etc.

Tested against: hub 1.0.0, saml 2.0

This is a federation recipe. See the shared category architecture for how this pattern composes with Hub, Broker, and the rest of the catalog.

What this enables

Any SAML 2.0 IdP — corporate ADFS, in-house identity stack, niche enterprise IdPs that haven't moved to OIDC — federates with Hub. Hub speaks SAML to the IdP and OIDC to your app, transparently.

Prereqs

  • IdP metadata XML (or its URL)
  • IdP-side admin access to register Hub as a SAML SP

Step 1 — In the IdP

Register a SAML 2.0 SP with these properties:

  • Entity ID: https://hub.thoryn.org
  • Assertion Consumer Service (ACS) URL: https://hub.thoryn.org/login/saml2/sso/<member-id>
  • Single Logout URL: https://hub.thoryn.org/logout/saml2/slo/<member-id>
  • NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Required attributes: email, firstName, lastName (or whatever the IdP exposes)

Step 2 — In Thoryn

id: generic-saml
name: "Customer SAML IdP"
type: saml
metadata_url: https://idp.customer.example/metadata.xml   # or paste the XML inline
sp_entity_id: https://hub.thoryn.org
acs_url: https://hub.thoryn.org/login/saml2/sso/generic-saml
sign_authn_request: true
require_signed_assertion: true
claim_mappings:
  sub: NameID
  email: email
  given_name: firstName
  family_name: lastName
  groups: memberOf            # if the IdP exposes group membership

Step 3 — Test

Initiate a login. Hub redirects to the IdP; the IdP authenticates; the user lands in your app with the mapped claims. SAML assertions must be signed; Hub rejects unsigned assertions by default.

Troubleshooting

  • Clock skew: SAML assertions are time-sensitive. Hub allows ±5 minutes by default; if your IdP has bad clock sync, increase clock_skew_seconds.
  • Group claim format varies wildly: ADFS sends http://schemas.xmlsoap.org/claims/Group; some IdPs send memberOf; some send a comma-separated string. Adjust claim_mappings.groups to whatever the IdP actually sends.
  • Signing-algorithm mismatch: SHA-1 is deprecated; insist on SHA-256 in the SP config.
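The following pre-flight inspector is an added example, not Thoryn's or Hub's own code. It ties the claim_mappings block from Step 2 to the three troubleshooting items above: it applies the assertion's Conditions window with a clock_skew_seconds allowance (300 seconds, matching Hub's ±5 minute default), flags a SHA-1 SignatureMethod, and shows what claim_mappings would yield, trying memberOf first and then the ADFS group URI, and splitting a comma-separated group string. The function names and the sample assertion are constructed for this illustration. It does not verify the XML signature; that stays with Hub, which rejects unsigned assertions by default.

```python
"""Pre-flight inspector for a SAML 2.0 assertion against a Hub-style member config.

Added example, not Thoryn's own code. Parses an assertion, applies the
Conditions window with a clock_skew_seconds allowance, reports whether the
SignatureMethod is SHA-1, and shows what claim_mappings would produce
(including group-claim normalisation). It does NOT verify the XML signature.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Mirrors the claim_mappings block of the member config in Step 2.
CLAIM_MAPPINGS = {"sub": "NameID", "email": "email", "given_name": "firstName",
                  "family_name": "lastName", "groups": "memberOf"}

# Group attribute names seen in the wild (from the Troubleshooting list).
GROUP_ALIASES = ("memberOf", "http://schemas.xmlsoap.org/claims/Group")


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_attributes(root):
    """Return {Attribute Name: [values]} from the AttributeStatement."""
    attrs = {}
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def normalize_groups(values):
    """Flatten multi-valued or comma-separated group values into one list."""
    return [g.strip() for v in values for g in v.split(",") if g.strip()]


def check_window(root, now, clock_skew_seconds=300):
    """Hub allows +/-5 minutes by default; return ok / not_yet_valid / expired."""
    cond = root.find(".//saml:Conditions", NS)
    skew = timedelta(seconds=clock_skew_seconds)
    if now + skew < _ts(cond.get("NotBefore")):
        return "not_yet_valid"
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return "expired"
    return "ok"


def signature_algorithm(root):
    """SignatureMethod URI, or None when the assertion carries no ds:Signature."""
    m = root.find(".//ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return None if m is None else m.get("Algorithm")


def map_claims(root, mappings=CLAIM_MAPPINGS):
    """Apply claim_mappings to the assertion the way the recipe describes."""
    attrs = parse_attributes(root)
    claims = {}
    for claim, source in mappings.items():
        if source == "NameID":
            node = root.find(".//saml:Subject/saml:NameID", NS)
            claims[claim] = None if node is None else node.text
        elif claim == "groups":
            # configured attribute name first, then the known aliases
            for name in (source,) + GROUP_ALIASES:
                if name in attrs:
                    claims[claim] = normalize_groups(attrs[name])
                    break
        elif source in attrs:
            claims[claim] = attrs[source][0]
    return claims


def inspect_assertion(xml_text, now_iso, clock_skew_seconds=300):
    """Summarise window check, signature algorithm and mapped claims."""
    root = ET.fromstring(xml_text)
    alg = signature_algorithm(root)
    return {"window": check_window(root, _ts(now_iso), clock_skew_seconds),
            "signature_present": alg is not None,
            "sha1_signature": alg is not None and alg.endswith("#rsa-sha1"),
            "claims": map_claims(root)}


# Constructed sample: ADFS-style group attribute, comma-separated, SHA-1 signed,
# five-minute validity window. Signature value is a placeholder, not real.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0"
  IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.customer.example</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@customer.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@customer.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Finance, Admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    # 12:09 is four minutes past NotOnOrAfter but inside the default skew.
    print(inspect_assertion(SAMPLE_ASSERTION, "2024-01-01T12:09:00Z"))
```

Run it with the IdP's real assertion (captured from the browser's SAML response, base64-decoded) to see which attribute name the IdP actually sends for groups before editing claim_mappings.groups, and to confirm the signature algorithm is not SHA-1 before you tighten the SP config.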

See also