Merge pull request #396 from kinde-oss/Feat/ACS-URL-signing-algorithm-binding

Feat/acs url signing algorithm binding
PR 393 as approve. This is an exact replica

Author: clairekinde11

src/content/docs/authenticate/auth-guides/pass-params-idp.mdx

@@ -15,11 +15,11 @@ There's a number of reason why you might want to use upstream params:
 - to create a smoother sign in experience - by passing the email through
 - to offer an account switcher (such as the Google account switcher) during sign in
 
+Upstream params are available for OAuth 2.0 connections, e.g. [social connections](/authenticate/social-sign-in/add-social-sign-in/), [Entra ID OAuth 2.0 enterprise connection](/authenticate/enterprise-connections/azure/), and as part of [advanced configurations](/authenticate/enterprise-connections/advanced-saml-configurations/) in SAML connections. 
+
 ## Limitations
 
-- Each IDP has their own set of supported parameters and values, so you'll need to check their documentation to determine which URL parameters are supported.
-- Applies only to OAuth 2.0 connections, e.g. [social connections](/authenticate/social-sign-in/add-social-sign-in/) and [Entra ID OAuth 2.0 enterprise connection](/authenticate/enterprise-connections/azure/).
-- SAML IdPs do not support upstream parameters.
+Every identity provider has their own set of supported parameters and values, so you'll need to check their documentation to determine which URL parameters are supported.
 
 ## Static parameters
 

src/content/docs/authenticate/enterprise-connections/advanced-saml-configurations.mdx

@@ -0,0 +1,67 @@
+---
+page_id: 17559023-5b50-4690-ba7b-fd1df4b78664
+title: Advanced SAML configurations
+sidebar:
+  order: 13
+relatedArticles:
+  - fcf28a71-c3a8-4474-9564-ad089d3f2105  
+  - 98f6868a-7871-4ece-ba9c-2a7b21d1b322
+  - e100d77b-530b-4327-8216-93c955657e0c
+  - cc242fb3-4b06-4842-97c8-dd58e87308df
+---
+
+When you set up a SAML connection, you might need to include advanced configurations to meet identity provider requirements, and to get the connection running properly and securely.
+
+Here's some of the advanced options you will come across when setting up a connection. 
+
+## Name ID
+
+Name ID (Name Identifier) is a key element in a SAML assertion that uniquely identifies the user (subject) within a given SAML context. It is included in the `Subject` element of the SAML assertion and is critical for identifying and linking user identities between your Identity Provider (IdP) and Kinde.
+
+Available Name ID formats:
+- **Unspecified**: No particular format is required
+- **EmailAddress**: A user is identified by their email address
+- **Persistent**: A stable, opaque identifier intended to remain consistent across sessions
+- **Transient**: A short-lived identifier, often used in single sign-on (SSO) scenarios for one-time use
+
+The Name ID you select in Kinde must be supported and configured in your IdP.
+
+## Sign request algorithm
+
+The Sign Request Algorithm defines the cryptographic algorithm used to sign SAML requests (AuthnRequest). Signing ensures the authenticity and integrity of SAML messages.
+
+Available algorithms:
+- **RSA-SHA256**: A commonly used and secure option.
+- **RSA-SHA1**: Older and less secure; often deprecated.
+
+Secure configurations favor SHA256 or stronger algorithms to protect against vulnerabilities.
+
+## Protocol binding
+
+Protocol Binding refers to the transport mechanism used to send the SAML authentication request from Kinde to your IdP.
+
+Common Binding Types:
+- **HTTP Redirect Binding**: The SAML request is sent as a URL parameter using a GET request. It is lightweight but limited in message size.
+- **HTTP POST Binding**: The SAML request is sent via an HTML form using the POST method. It supports larger payloads and is commonly used for transmitting signed requests.
+
+The choice of binding affects security, performance, and compatibility. POST Binding is generally preferred for secure communications due to its ability to handle signed messages and larger payloads.
+
+## Key attributes
+
+Key Attributes are additional pieces of information about the user that come from your IdP to Kinde. These attributes provide more context about the authenticated user and are often used for access control or personalization.
+
+Kinde-supported key attributes:
+
+- Email Address: The user’s email, often used for identification or communication.
+- First Name / Last Name: Used for personalization or internal system mapping.
+- User ID: The attribute in the SAML token that contains the user ID.
+
+Only configure key attributes if supported by your IdP.
+
+## Upstream parameters
+
+You can pass provider-specific parameters to an Identity Provider (IdP) during authentication. These are also known as 'upstream params'. The values your pass can either be static per connection or dynamic per user.
+
+You can use upstream paramsto create a smoother sign in experience - by passing the email through, or to offer an account switcher (such as the Google account switcher) during sign in.
+
+Note that every identity provider has their own set of supported parameters and values, so you'll need to check their documentation to determine which URL parameters are supported.

src/content/docs/authenticate/enterprise-connections/cloudflare-saml.mdx

@@ -4,17 +4,20 @@ title: Use Cloudflare as a SAML identity provider
 sidebar:
   order: 10
 relatedArticles:
+  - 17559023-5b50-4690-ba7b-fd1df4b78664
   - fcf28a71-c3a8-4474-9564-ad089d3f2105
   - e100d77b-530b-4327-8216-93c955657e0c	
   - 66b2a627-b24a-4ccf-a792-80a6a9fe35ef
-  - 0dfcab9d-8610-4881-9293-8501bd472041
-  - d894dd3c-356f-41b0-b510-c35066a2277d
 ---
 
 If you use Cloudflare to centralize authentication and authorization in your business, you can integrate Kinde as a service provider for these processes. This gives you the benefits of Kinde’s robust auth capabilities, while keeping the familiar Cloudflare structure.
 
 You need to set up an enterprise connection in Kinde for this, and add a Cloudflare application. We recommend setting up and testing the connection in a non-production environment before making available to users.
 
+## Advanced configurations
+
+Depending on your SAML set up, you may need to include advanced configurations for your connection. See [Advanced SAML configurations](/authenticate/enterprise-connections/advanced-saml-configurations/)
+
 ## Step 1: Add the connection in Kinde
 
 <Aside>
@@ -40,14 +43,37 @@ You can make a connection available only to a specific organization, or you can
 
 ## Step 2: Configure the connection
 
-1. Enter a random string value for Entity ID, for e.g. `870sa9fbasfasdas23aghkhc12zasfnasd`.
-2. Complete any optional fields you want, including key attributes. You'll add the IdP Metadata URL later. You only need to enter a **sign in URL** if your IdP requires a specific URL.
-3. Add **Home realm domains**. We recommend adding these to speed up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information, see [Home realm domains or IdP discovery](/authenticate/enterprise-connections/home-realm-discovery/).
-4. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the **Always show sign-in button** option.
-5. Copy the **Assertion Customer Service (ACS) URL** and the Entity ID somewhere you can access it later. You’ll need this to set up your Cloudflare application.
-6. Select provisioning options.
-7. Add a signed certificate and key if you have it. You can also do this later.
-8. Select **Save**. 
+1. Enter a name for the connection. It should match the connection name in Cloudflare.
+2. Enter a random string value for Entity ID, for e.g. `870sa9fbasfasdas23aghkhc12zasfnasd`.
+3. Enter the **IdP metadata URL**. This URL comes from your identity provider.
+
+   ![optional fields for saml](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/4f1851db-5c34-496b-ced1-07c1cd272b00/public)
+
+4. Enter a **sign in URL** if your IdP requires a specific URL.
+5. If you want, select the **Sign request algorithm** and **Protocol binding**. The options you choose will depend on what your identity provider prefers or requires.
+6. Select a **Name ID** format. This helps identify and link user identities between your IdP and Kinde. 
+7. Enter an **Email key attribute**. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved. We do not recommend leaving this field blank, but if you do we will set ‘email’ as the attribute.
+8. (Optional) Add a first name and last name key attribute.
+
+   ![Home realm domains in SAML configuration](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/dbdccca5-2e6c-4dd8-eaec-e029574daf00/public)
+
+9. Enter any relevant **Home realm domains**. This is how SAML recognizes a user’s credentials and routes them to the correct sign in page. Note that home realm domains need to be unique across all connections in an environment. [Read more about home realm domains](/authenticate/enterprise-connections/home-realm-discovery/).
+10. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the **Always show sign-in button** option. 
+
+    ![ACS URL and custom domain option](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/885eda9c-ca4f-4340-db17-224023b8c300/public)
+
+11. Copy the reply relevant URL: 
+    1. If you don't use a custom domain, copy the **Assertion customer service (ACS) URL**.
+    2. If you do use a custom domain, select the **Use custom domain instead** option and copy the custom domain URL. 
+    Later, add this URL to your identity provider configuration.
+12. If you want to enable just-in-time (JIT) provisioning for users, select the **Create a user record in Kinde** option. This saves time adding users manually or via API later.
+
+    ![Provisioning configuration for SAML](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/947baea7-bfd4-48b7-de2d-5b041b8c8300/public)
+
+13. (Temporary feature) Select if you want to treat this connection as a trusted provider. A [trusted provider](/authenticate/about-auth/identity-and-verification/) is one that guarantees the email they issue is verified.
+14. (Optional) In the **Sign SAML request** section, paste in the **Signed certificate** and **Private key**. You may have got these from your IdP or you may have generated yourself (see procedure above).
+15. Enter any [upstream params](/authenticate/enterprise-connections/advanced-saml-configurations/#upstream-parameters) that you want to pass to the identity provider. Not all providers support this, so check their documentation first.
+16. Select **Save**.
 
 ## Step 3: Add and configure your Cloudflare application
 
@@ -56,45 +82,21 @@ You can make a connection available only to a specific organization, or you can
 3. Go to **Access > Applications**, then select **Add an application**.
 4. Select SaaS as the type of application. The **Add application** window opens.
 
-<img
-  src="https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/7a600656-63c7-42a1-73c6-8780c6d4f400/public"
-  alt="Screen shot of Cloudlfare adding application"
-  width="672px"
-  height="auto"
-  fetchpriority="low"
-  loading="lazy"
-  decoding="async"
-/>
+   ![Application settings](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/7a600656-63c7-42a1-73c6-8780c6d4f400/public)
 
 5. Enter an application name or select an application.
 6. Choose **Select SAML** for the authentication protocol.
 7. Select **Add Application**. The **Configure application** page opens.
 
-<img
-  src="https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/64549f6e-4a94-41a0-7018-0fb7b7becf00/public"
-  alt="Screen shot of app config screen in Cloudflare"
-  width="672px"
-  height="auto"
-  fetchpriority="low"
-  loading="lazy"
-  decoding="async"
-/>
-
-6. Add the **Entity ID** and **ACS URL** from Kinde.
-7. Copy the **SAML Metadata endpoint** to your clipboard. You'll need to enter this back in Kinde.
-8. Scroll through the other sections and then select **Save configuration**. The **Add policies** page opens.
-9. Add a policy to define who can access your application. You might do this via an allowlist and groups, or other strategy.
-10. Complete any other relevant sections of the window, and then select **Done**.
-
-<img
-  src="https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/c11f72f1-22ff-428c-a7db-a13493ea5f00/public"
-  alt="Screen shot of Application list in Cloudflare"
-  width="672px"
-  height="auto"
-  fetchpriority="low"
-  loading="lazy"
-  decoding="async"
-/>
+   ![Configure application in Cloudflare](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/64549f6e-4a94-41a0-7018-0fb7b7becf00/public)
+
+7. Add the **Entity ID** and **ACS URL** from Kinde.
+8. Copy the **SAML Metadata endpoint** to your clipboard. You'll need to enter this back in Kinde.
+9. Scroll through the other sections and then select **Save configuration**. The **Add policies** page opens.
+10. Add a policy to define who can access your application. You might do this via an allowlist and groups, or other strategy.
+11. Complete any other relevant sections of the window, and then select **Done**.
+
+   ![Screen shot of Application list in Cloudflare](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/c11f72f1-22ff-428c-a7db-a13493ea5f00/public)
 
 ## Step 4: Finish setting up your Cloudflare connection
 

src/content/docs/authenticate/enterprise-connections/custom-saml-google-workspace.mdx

@@ -4,6 +4,7 @@ title: Custom SAML with Google Workspace
 sidebar:
   order: 9
 relatedArticles:
+  - 17559023-5b50-4690-ba7b-fd1df4b78664
   - fcf28a71-c3a8-4474-9564-ad089d3f2105  
   - 66b2a627-b24a-4ccf-a792-80a6a9fe35ef
   - e100d77b-530b-4327-8216-93c955657e0c
@@ -15,6 +16,10 @@ You can set up SAML to work with your Google Workspace.
 
 Google does not support hosting your SAML metadata XML file on their web services, but Kinde requires access to the file via URL so that certificates are always up to date. We recommend you host the file on a public web service that can be accessed by Kinde. For example, you could use an [AWS S3](https://aws.amazon.com/s3/) bucket, [Cloudflare R2](https://developers.cloudflare.com/r2/), or public website.
 
+## Advanced configurations
+
+Depending on your SAML set up, you may need to include advanced configurations for your connection. See [Advanced SAML configurations](/authenticate/enterprise-connections/advanced-saml-configurations/).
+
 ## Step 1: Add Google Workspace SAML in Kinde
 
 You can make a connection available only to a specific organization, or you can create it so it can be used across any organization in your business. 
@@ -42,16 +47,32 @@ You can make a connection available only to a specific organization, or you can
 
    ![connection window](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/4fa556a1-7f8e-4926-d7ef-a274409e7700/public)
 
-4. Complete any optional fields you want, including key attributes. You only need to enter a **sign in URL** if your IdP requires a specific URL.
-5. Enter Home realm domains. This speeds up the sign in process for users of those domains. Note that all home realm domains must be unique across all connections in an environment. For more information about how, see [Home realm domains or IdP discovery](/authenticate/enterprise-connections/home-realm-discovery/).
-6. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the **Always show sign-in button** option.
-7. Scroll down and copy the **ACS URL**. Paste the URL somewhere you can access it later.
+4. Enter a **sign in URL** if your IdP requires a specific URL.
+5. If you want, select the **Sign request algorithm** and **Protocol binding**. The options you choose will depend on what your identity provider prefers or requires.
+6. Select a **Name ID** format. This helps identify and link user identities between your IdP and Kinde. 
+7. Enter an **Email key attribute**. This is the attribute in the SAML token that contains the user’s email. Setting this value ensures that the email address returned in the SAML response is correctly retrieved. We do not recommend leaving this field blank, but if you do we will set ‘email’ as the attribute.
+8. (Optional) Add a first name and last name key attribute.
+
+   ![Home realm domains in SAML configuration](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/dbdccca5-2e6c-4dd8-eaec-e029574daf00/public)
+
+9. Enter any relevant **Home realm domains**. This is how SAML recognizes a user’s credentials and routes them to the correct sign in page. Note that home realm domains need to be unique across all connections in an environment. [Read more about home realm domains](/authenticate/enterprise-connections/home-realm-discovery/).
+10. If you use home realm domains, the sign in button is hidden on the auth screen by default. To show the SSO button, select the **Always show sign-in button** option. 
+
+    ![ACS URL and custom domain option](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/885eda9c-ca4f-4340-db17-224023b8c300/public)
+
+11. Copy the reply relevant URL: 
+    1. If you don't use a custom domain, copy the **Assertion customer service (ACS) URL**.
+    2. If you do use a custom domain, select the **Use custom domain instead** option and copy the custom domain URL. 
+    Later, add this URL to your identity provider configuration.
+12. If you want to enable just-in-time (JIT) provisioning for users, select the **Create a user record in Kinde** option. This saves time adding users manually or via API later.
+
+    ![Provisioning configuration for SAML](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/947baea7-bfd4-48b7-de2d-5b041b8c8300/public)
 
-   ![ACS URL field in config](https://imagedelivery.net/skPPZTHzSlcslvHjesZQcQ/c2201994-75d8-44a9-1ced-d3890e359300/public)
+13. (Temporary feature) Select if you want to treat this connection as a trusted provider. A [trusted provider](/authenticate/about-auth/identity-and-verification/) is one that guarantees the email they issue is verified.
+14. (Optional) In the **Sign SAML request** section, paste in the **Signed certificate** and **Private key**. You may have got these from your IdP or you may have generated yourself (see procedure above).
+15. Enter any [upstream params](/authenticate/enterprise-connections/advanced-saml-configurations/#upstream-parameters) that you want to pass to the identity provider. Not all providers support this, so check their documentation first.
+16. Select **Save**.
 
-8. Select provisioning options.
-9. Add a signed certificate and key if you have it. You can also do this later.
-10. Select **Save**. We need to get some information from Google Workspace Console to complete these fields.
 
 ## Step 3: Configure Google Workspace Admin Console
 
@@ -97,14 +118,12 @@ As mentioned at the start, you need to upload the **metadata file** that you dow
 
 ## Step 5: Complete Kinde configuration
 
-1. In Kinde, go to **Settings > Authentication**.
-2. Scroll down to **Enterprise Connections.**
-3. On the **Google Workspace** tile, select **Configure.**
-4. In the **IdP metadata URL** field, paste the URL for the metadata file.
-5. Switch on the connection. This will make it instantly available to users if this is your production environment.
+1. Open the connection's configuration page in Kinde.
+2. In the **IdP metadata URL** field, paste the URL for the metadata file.
+3. Switch on the connection. This will make it instantly available to users if this is your production environment.
    1. For environment-level connections, scroll down and select the apps that will use the auth method.
    2. For organization-level connections, scroll down and select if you want to switch this on for the org. 
-6. Select **Save**.
+4. Select **Save**.
 
 ## Test the connection