In a SAML 2.0 federation, single sign-on can be initiated either at the
identity provider or at the service provider. This topic describes the
syntax of the URL that initiates single sign-on at the identity provider,
which results in an unsolicited response being sent to the service provider.
Syntax for initiating single sign-on at the identity provider

https://provider_hostname:port_number/sps/federation_name/saml20/logininitial?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdFormat=NameIDFormatType
&AllowCreate=[true|false]
&Target=target_application_location
Elements
- https or http
- The URI scheme. Use https for resources that are protected by secure sockets layer (SSL) or TLS. Use http only for resources that are not protected by SSL. Because the response to the service provider and the Target value carried in RelayState pass over this connection, use https everywhere except in isolated test environments.
- provider_hostname
- The point of contact server host name of the provider.
- port_number
- The port number of the inter-site transfer service endpoint. The
default value is 9443.
- sps
- The designation for the Tivoli® Federated Identity Manager Server. This element cannot be changed.
- federation_name
- The name you assign to the federation when you create it.
- saml20
- The designation of SAML 2.0.
- logininitial
- This element indicates which type of endpoint is using the port. logininitial is used to initiate the single sign-on service.
- Target
- The location of the application that the user is logging on to. This value is URL-encoded and set as the value of the RelayState parameter in the unsolicited response that the identity provider delivers to the service provider. A Tivoli Federated Identity Manager Service Provider interprets this value as the URL of the application that a user can log on to using single sign-on. Because whoever constructs the initiating URL chooses Target, a service provider should redirect only to Target values it trusts, such as locations on its own host, rather than to an arbitrary URL received in RelayState.
The URL also accepts the following query parameters. RequestBinding and PartnerId are required; the remaining parameters are optional and take the defaults described:
- RequestBinding
- The binding that is used to send the response to the service provider. The valid values when initiating single sign-on at the identity provider are HTTPPost and HTTPArtifact. (The SAML 2.0 Web Browser SSO profile does not permit the HTTP Redirect binding for a response that carries an assertion.)
- PartnerId
- The provider ID of the target partner service provider, as published in its metadata.
- NameIdFormat
- The name ID format that is to be used for name identifiers. Valid values, with the SAML format URIs they select, are:
- Transient (anonymous): urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- Persistent: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- Encrypted (for encrypted name IDs): urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted
- Email: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Persistent is the default: if the NameIdFormat parameter is not included, a persistent name ID is used. A transient name ID does not let the service provider correlate separate sessions of the same user, whereas an email name ID discloses the user's address to the partner; choose the least identifying format the application requires.
- AllowCreate
- Indicates whether the service provider may create a new persistent account linkage (federate the user's account) when none exists for the user. The default value is false.
Note: You must set NameIdFormat to Persistent to use this parameter.
- AttributeConsumerSvcIndex
- Specifies the index of the set of attributes to return. This value does not select any configured endpoint; it is passed through to the identity mapping phase, where administrators can use it to select which user identity attributes to include in the user token. This parameter is supported on both the Identity Provider and the Service Provider.
- AssertionConsumerSvcIndex
- Specifies the index of the Assertion Consumer Service URL to which the Identity Provider sends the response. The value must correspond to an AssertionConsumerService endpoint in the Service Provider metadata, so the response can only be delivered to an endpoint the partner has published, never to an arbitrary URL supplied in the request. This parameter is supported on both the Identity Provider and the Service Provider.
Note: If both ResponseBinding and AssertionConsumerSvcIndex are specified, AssertionConsumerSvcIndex takes precedence, because the metadata entry at that index already determines the binding.
Example
- Single sign-on URL when initiated at identity provider:
- The following example shows the single sign-on URL when initiated at an identity provider, using the SAML 2.0 protocol. AssertionConsumerSvcIndex refers to the index of the ACS URL to which the response is sent. AttributeConsumerSvcIndex refers to the index of the set of attributes to return. The example uses a context root of /FIM and a federation named saml20. The line breaks are for readability only, and in a real request the PartnerId and Target values must be URL-encoded (for example, https%3A%2F%2Fsp.example.com%3A9443%2Fbanking).
https://ip/FIM/sps/saml20/saml20/logininitial?
RequestBinding=HTTPArtifact&
NameIdFormat=persistent&
AllowCreate=true&
AssertionConsumerSvcIndex=0&
AttributeConsumerSvcIndex=1&
PartnerId=https://sp/FIM/sps/saml20/saml20&
Target=https://sp.example.com:9443/banking
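The following Python script is an added example, not code from Tivoli Federated Identity Manager or its documentation. It builds a logininitial URL from the parameters described above, enforcing the constraints this page states (RequestBinding limited to HTTPPost and HTTPArtifact, the four NameIdFormat values with persistent as the default, AllowCreate only with a persistent name ID) and percent-encoding PartnerId and Target, which the example URL leaves unencoded. It also shows the check a service provider should apply before following the Target it receives in RelayState. The host names, federation name and port are constructed; the mapping of the short NameIdFormat values to SAML format URIs is the standard one and is an assumption about what those short values denote.

```python
"""Build and check IdP-initiated SAML 2.0 SSO URLs (logininitial form).

Added example, not Tivoli Federated Identity Manager code. Parameter names
and constraints follow this page; host names and the federation name are
constructed. The SAML format URIs are the standard ones and are assumed
to be what the short NameIdFormat values denote.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Bindings this page lists for delivering the unsolicited response.
REQUEST_BINDINGS = ("HTTPPost", "HTTPArtifact")

# Short NameIdFormat values from the page mapped to SAML format URIs
# (assumption: this is the mapping the short names stand for).
NAME_ID_FORMATS = {
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "encrypted": "urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted",
    "email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}


def name_id_format_uri(short_name):
    """Translate a short NameIdFormat value (any case) into its SAML URI."""
    return NAME_ID_FORMATS[short_name.lower()]


def build_logininitial_url(host, federation_name, request_binding, partner_id,
                           target, name_id_format="persistent",
                           allow_create=None, acs_index=None, attr_index=None,
                           port=9443):
    """Return the IdP-initiated SSO URL, rejecting parameter combinations
    the page documents as invalid."""
    if request_binding not in REQUEST_BINDINGS:
        raise ValueError(f"RequestBinding must be one of {REQUEST_BINDINGS}")
    fmt = name_id_format.lower()
    if fmt not in NAME_ID_FORMATS:
        raise ValueError(f"NameIdFormat must be one of {sorted(NAME_ID_FORMATS)}")
    if allow_create is not None and fmt != "persistent":
        # AllowCreate only makes sense when a persistent linkage can be created.
        raise ValueError("AllowCreate requires NameIdFormat=persistent")

    params = [("RequestBinding", request_binding),
              ("PartnerId", partner_id),
              ("NameIdFormat", fmt)]
    if allow_create is not None:
        params.append(("AllowCreate", "true" if allow_create else "false"))
    if acs_index is not None:
        # An index into the partner's published ACS list, never a raw URL.
        params.append(("AssertionConsumerSvcIndex", str(int(acs_index))))
    if attr_index is not None:
        params.append(("AttributeConsumerSvcIndex", str(int(attr_index))))
    params.append(("Target", target))

    # urlencode percent-encodes ':' and '/' in PartnerId and Target, so the
    # query stays parseable even though those values are themselves URLs.
    query = urlencode(params)
    return f"https://{host}:{port}/sps/{federation_name}/saml20/logininitial?{query}"


def parse_logininitial_params(url):
    """Decode the query of a logininitial URL into a name -> value dict."""
    raw = parse_qs(urlsplit(url).query, strict_parsing=True)
    return {name: values[0] for name, values in raw.items()}


def accept_relay_state(relay_state, sp_host):
    """Service-provider check on the Target carried in RelayState.

    Whoever built the initiating URL chose Target, so the SP follows it only
    if it is an https URL on the SP's own host; anything else is rejected
    (None) instead of turning RelayState into an open redirect.
    """
    parts = urlsplit(relay_state)
    if parts.scheme != "https":
        return None
    # .hostname ignores userinfo, so "https://sp@evil.example.net/" fails.
    if (parts.hostname or "").lower() != sp_host.lower():
        return None
    return relay_state


if __name__ == "__main__":
    url = build_logininitial_url(
        "idp.example.com", "saml20", "HTTPArtifact",
        partner_id="https://sp.example.com:9443/sps/saml20/saml20",
        target="https://sp.example.com:9443/banking",
        allow_create=True, acs_index=0, attr_index=1)
    print(url)
    relay = parse_logininitial_params(url)["Target"]
    print("SP accepts Target:", accept_relay_state(relay, "sp.example.com"))
```

Running the script prints the fully encoded URL that corresponds to the example above and then shows the service-provider side accepting the Target because it is an https URL on the SP's own host; swapping in a foreign host, an http scheme, or a userinfo trick such as https://sp.example.com@evil.example.net/ makes accept_relay_state return None.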