Skip to main content

SAML/OpenID Connect configuration information

Here you will find configuration information for SAML2 and OpenID Connect that you will need to configure your application.

Where can I find SAML2 metadata?

We have 2 implementations for SAML2 services one for use with services that authenticate through SWAMID and one for cloud services that directly authenticate with KTH.

For services that authenticate through SWAMID can use the following metadata url:

Environment Metadata URL
Production https://​saml.sys.kth.se/idp/shibboleth


If you are going to use SAML2 to authenticate directly with KTH through our ADFS implementation, the metadata is available at the following url's:

Environment Metadata URL
Production

https://login.ug.kth.se/federationmetadata/2007-06/federationmetadata.xml

Reference https://​login.ref.ug.kth.se/federationmetadata/2007-06/federationmetadata.xml​

OpenID Connect configuration information

You can find all the configuration information about OpenID Connect uri:s and metadata at the following links:  

Environment OIDC configuration URL
Production

https://​login.ug.kth.se/adfs/.well-known/openid-configuration​

Reference https://​login.ref.ug.kth.se/adfs/.well-known/openid-configuration​

What OpenID scopes are supported

We support a few scopes in our OpenID implementation, but the scope openid should be used by applications. 

OpenID Connect attribute names for the different attributes that will be sent by the service for the different information classes.

Please have in mind the following things: 

  1. Information class 2 also contains the information from class 1
  2. Information class 3 also contains the information from infoclass 1 and 2
  3. The memberof attribute is filtered and does not contain all the groups a user have in UG
  4. Some of the attributes will need to be decoded from base64

Attribut name

Attribute

Information class
kthid kthid 1
username username 1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name displayName 2
affiliation affiliation 2
email email 2
memberOf memberOf

3

FAQ

Question: Can i use the /adfs/userinfo endpoint in my application?
Answer: You should not use the userinfo endpoint as it will not provide you with additional claims to an application. If you use it in your application you will get an 401. Our recommendation is not using this endpoint.

Did you find this page useful?
Thank you for helping us!
Page responsible:it-support@kth.se
Belongs to: KTH Intranet
Last changed: Jun 15, 2021