Skip to main content
To KTH's start page

SAML/OpenID Connect configuration information

Here you will find configuration information for SAML2 and OpenID Connect that you will need to configure your application.

Where can I find SAML2 metadata?

We have 2 implementations for SAML2 services one for use with services that authenticate through SWAMID and one for cloud services that directly authenticate with KTH.

For services that authenticate through SWAMID can use the following metadata url:

Environment Metadata URL
Production https://​saml.sys.kth.se/idp/shibboleth


If you are going to use SAML2 to authenticate directly with KTH through our ADFS implementation, the metadata is available at the following url's:

Environment Metadata URL
Production

https://login.ug.kth.se/federationmetadata/2007-06/federationmetadata.xml

Reference https://​login.ref.ug.kth.se/federationmetadata/2007-06/federationmetadata.xml​

OpenID Connect configuration information

You can find all the configuration information about OpenID Connect uri:s and metadata at the following links:  

Environment OIDC configuration URL
Production

https://​login.ug.kth.se/adfs/.well-known/openid-configuration​

Reference https://​login.ref.ug.kth.se/adfs/.well-known/openid-configuration​

What OpenID scopes are supported

We support a few scopes in our OpenID implementation, but the scope openid should be used by applications. Important to know that in some libraries the openid scope may not work, in those cases use the allatclaims scope instead.

OpenID Connect attribute names for the different attributes that will be sent by the service for the different information classes.

Please have in mind the following things: 

  1. Information class 2 also contains the information from class 1
  2. Information class 3 also contains the information from infoclass 1 and 2
  3. The memberof attribute is filtered and does not contain all the groups a user have in UG
  4. Some of the attributes will need to be decoded from base64

Attribut name

Attribute

Information class
kthid kthid 1
username username 1
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name displayName 2
affiliation affiliation 2
email email 2
memberOf memberOf

3

FAQ

Question: Can i use the /adfs/userinfo endpoint in my application?
Answer: You should not use the userinfo endpoint as it will not provide you with additional claims to an application. If you use it in your application you will get an 401. Our recommendation is not using this endpoint.

Question: Who can use the OpenID/OATH2/SAML2 solution?
Answer: The central loginservice are only available to central services that are provided by KTH and to services that are related to KTH's education.

Question: Can a student use the central loginservice for their student projects?
Answer: Students cannot use the service for students projects.

Question: Can external services use the service?
Answer: Only external services that are provided by KTH are able to use the login service.