SAML/OpenID Connect configuration information

Here you will find configuration information for SAML2 and OpenID Connect that you will need to configure your application.

Where can I find SAML2 metadata?

We have two implementations of SAML2 services: one for services that authenticate through SWAMID, and one for cloud services that authenticate directly with KTH.

Services that authenticate through SWAMID can use the following metadata URL:

Environment | Metadata URL
Production | https://saml.sys.kth.se/idp/shibboleth


If you are going to use SAML2 to authenticate directly with KTH through our ADFS implementation, the metadata is available at the following URLs:

Environment | Metadata URL
Production | https://login.ug.kth.se/federationmetadata/2007-06/federationmetadata.xml
Reference | https://login.ref.ug.kth.se/federationmetadata/2007-06/federationmetadata.xml

OpenID Connect configuration information

You can find all the configuration information about OpenID Connect URIs and metadata at the following links:

Environment | OIDC configuration URL
Production | https://login.ug.kth.se/adfs/.well-known/openid-configuration
Reference | https://login.ref.ug.kth.se/adfs/.well-known/openid-configuration

What OpenID scopes are supported?

We support a few scopes in our OpenID implementation, but applications should use the openid scope. Note that in some libraries the openid scope may not work; in those cases, use the allatclaims scope instead.

The table below lists the OpenID Connect attribute names that the service sends for the different information classes.

Please keep the following in mind:

  1. Information class 2 also contains the information from class 1
  2. Information class 3 also contains the information from information classes 1 and 2
  3. The memberOf attribute is filtered and does not contain all the groups a user has in UG
  4. Some of the attributes will need to be decoded from base64

Attribute name | Attribute | Information class
kthid | kthid | 1
username | username | 1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | displayName | 2
affiliation | affiliation | 2
email | email | 2
memberOf | memberOf | 3
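
The following is an added example, not code from KTH or from this page: one way an application could apply the attribute table and the cumulative information classes above to the claims of an ID token it has already validated. Which attributes are base64-encoded is not stated on the page, so the `b64_claims` parameter is an assumption supplied by the caller, and all sample values are constructed.

```python
import base64
import binascii

# Attribute table from the page: claim name -> information class.
CLAIM_CLASS = {
    "kthid": 1, "username": 1,
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": 2,  # displayName
    "affiliation": 2, "email": 2, "memberOf": 3,
}

def expected_claims(info_class):
    """Classes are cumulative: class N includes every claim of classes 1..N."""
    return {name for name, cls in CLAIM_CLASS.items() if cls <= info_class}

def decode_b64(value):
    """Strictly decode one base64 string to UTF-8 text; ValueError if malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid base64 text: {value!r}") from exc

def normalize_claims(claims, info_class, b64_claims=()):
    """Split already signature-verified claims into (clean, missing, unexpected).

    b64_claims is an assumption: the page does not say which attributes are
    base64-encoded, so the caller names them after inspecting real tokens.
    """
    allowed = expected_claims(info_class)
    clean = {}
    for name in allowed.intersection(claims):
        value = claims[name]
        if name in b64_claims:
            # A claim may hold one string or a list of strings; handle both.
            value = ([decode_b64(v) for v in value] if isinstance(value, list)
                     else decode_b64(value))
        clean[name] = value
    missing = sorted(allowed.difference(claims))
    # Table attributes above the expected class are reported, never passed on.
    unexpected = sorted(n for n in claims if CLAIM_CLASS.get(n, 0) > info_class)
    return clean, missing, unexpected

# Constructed sample payload (not real KTH data).
SAMPLE = {
    "kthid": "u1abc123", "username": "testuser",
    "email": "testuser@example.org",
    "affiliation": base64.b64encode(b"student").decode(),
    "memberOf": [base64.b64encode(b"group-a").decode()],
    "iss": "placeholder-issuer",
}
```

Because memberOf is filtered, an absent group in the cleaned result does not prove the user is not a member of that group in UG.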

FAQ

Question: Can I use the /adfs/userinfo endpoint in my application?
Answer: You should not use the userinfo endpoint, as it will not provide any additional claims to an application. If you use it in your application you will get a 401. We recommend not using this endpoint.

Question: Who can use the OpenID/OAuth2/SAML2 solution?
Answer: The central login service is only available to central services that are provided by KTH and to services that are related to KTH's education.

Question: Can a student use the central login service for their student projects?
Answer: Students cannot use the service for student projects.

Question: Can external services use the service?
Answer: Only external services that are provided by KTH are able to use the login service.

Page responsible: it-support@kth.se
Belongs to: KTH Intranet
Last changed: May 15, 2023