SAML 2.0 profile initial URLs

In a federated environment, specially formed URLs can be used for user-initiated single sign-on actions. You can initiate a single sign-on flow from the service provider or identity provider.

The following profile initial URLs are supported in a Security Access Manager environment:

Assertion consumer service initial URL (SP)
Initiate the single sign-on flow at the service provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps
  /federation_name/saml20/logininitial
  ?RequestBinding=RequestBindingType
  &ResponseBinding=ResponseBindingType
  &NameIdFormat=NameIDFormatType
  &IsPassive=IsPassiveValue
  &IncludeIsPassive=IncludeIsPassiveValue
  &ForceAuthn=ForceAuthnValue
  &IncludeForceAuthn=IncludeForceAuthnValue
  &AllowCreate=AllowCreateValue
  &IncludeAllowCreate=IncludeAllowCreateValue
  &AuthnContextClassRef=ClassRefValues
  &AuthnContextDeclRef=DeclarationRefValues
  &AuthnContextComparison=AuthnContextComparisonValue
  &Target=target_application_location
Where:
isam_hostname
The host name of the reverse proxy server for the service provider.
port_number
The port number of the reverse proxy server.
junction_name
The name of the junction created on the reverse proxy server.
federation_name
The name you assigned to the federation when you created it.
RequestBindingType
The binding that is used to send the request. The valid values when initiating single sign-on at the service provider are:
  • HTTPPost
  • HTTPRedirect
  • HTTPArtifact
ResponseBindingType
The binding that is used by the responder to return the response. The valid values when initiating single sign-on at the service provider are:
  • HTTPPost
  • HTTPArtifact
NameIdFormatType
The name ID format to use for name identifiers. Valid values are:
  • Transient (anonymous)
  • Persistent
  • Email
IsPassiveValue
Specifies whether the identity provider is permitted to take control of the user agent. A value of true means that the identity provider is not permitted to request the user to provide login credentials. The default value is false.
IncludeIsPassiveValue
Specifies whether to include the IsPassive attribute in the SAML authentication request. The value of the IsPassive attribute is taken from the IsPassive query string parameter. A value of true includes the attribute. The default value is true.
ForceAuthnValue
Specifies whether the identity provider must authenticate the user directly rather than rely on an existing session. A value of true means that the user must be authenticated. The default value is false.
IncludeForceAuthnValue
Specifies whether to include the ForceAuthn attribute in the SAML authentication request. The value of the ForceAuthn attribute is taken from the ForceAuthn query string parameter. A value of true includes the attribute. The default value is true.
AllowCreateValue
Specifies whether a new persistent account linkage may be created for the request. The default value is true. To use this parameter, the NameIdFormat must be set to Persistent.
IncludeAllowCreateValue
Specifies whether to include the AllowCreate attribute in the SAML authentication request. The value of the AllowCreate attribute is taken from the AllowCreate query string parameter. A value of true includes the attribute. The default value is true.
ClassRefValues
Specifies one or more string values which identify authentication context class URI references.
DeclarationRefValues
Specifies one or more string values which identify authentication context declaration URI references.
AuthnContextComparisonValue
Specifies the type of comparison used to determine the requested context classes or declarations. The comparison type must be one of the following values:
  • exact
  • minimum
  • maximum
  • better
The default value is exact.
target_application_location
The URL of the application that a user can log on to using single sign-on.
Example:
Single sign-on URL when initiated at the service provider:
https://sp.example.com:433/samlsp/sps/spfed/saml20/logininitial
  ?RequestBinding=HTTPPost
  &ResponseBinding=HTTPPost
  &NameIdFormat=Email
  &IsPassive=true
  &ForceAuthn=false
  &Target=https://sp.example.com:433/samlsp/banking
Single sign-on service initial URL (IP)
Initiate the single sign-on flow at the identity provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps
  /federation_name/saml20/logininitial
  ?RequestBinding=RequestBindingType
  &PartnerId=target_partner_provider_ID
  &NameIdFormat=NameIDFormatType
  &AllowCreate=AllowCreateValue
  &Target=target_application_location
Where:
isam_hostname
The host name of the reverse proxy server for the identity provider.
port_number
The port number of the reverse proxy server.
junction_name
The name of the junction created on the reverse proxy server.
federation_name
The name you assigned to the federation when you created it.
RequestBindingType
The binding that is used to send the request to the service provider. The valid values when initiating single sign-on at the identity provider are:
  • HTTPPost
  • HTTPArtifact
target_partner_provider_ID
The provider ID of the target partner.
NameIdFormatType
The name ID format to use for name identifiers. Valid values are:
  • Transient (anonymous)
  • Persistent
  • Email
AllowCreateValue
Specifies whether a new persistent account linkage may be created for the request. The default value is false.
target_application_location
This element is URL-encoded and set as the value of the RelayState parameter in the unsolicited response delivered by the identity provider to the service provider. A service provider interprets this value as the URL of the application that a user can log on to using single sign-on.
Example:
Single sign-on URL when initiated at the identity provider:
https://idp.example.com:433/samlip/sps/saml20/saml20/logininitial
  ?RequestBinding=HTTPPost
  &NameIdFormat=persistent
  &AllowCreate=true
  &PartnerId=https://sp.example.com:433/samlsp/sps/saml20/saml20
  &Target=https://sp.example.com:9443/banking
Single logout service initial URL (IP or SP)
Initiate the SLO flow at either the identity provider or service provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps
  /federation_name/saml20/sloinitial
  ?RequestBinding=RequestBindingType
Where:
isam_hostname
The host name of the reverse proxy server for the identity provider or service provider.
port_number
The port number of the reverse proxy server.
junction_name
The name of the junction created on the reverse proxy server.
federation_name
The name you assigned to the federation when you created it.
RequestBindingType
The binding that is used to send the request. The valid values are:
  • HTTPPost
  • HTTPRedirect
  • HTTPArtifact
  • HTTPSOAP
Examples:
Single logout URL when initiated at the service provider:
https://sp.example.com:433/samlsp/sps/spfed/saml20/sloinitial
  ?RequestBinding=HTTPRedirect
Single logout URL when initiated at the identity provider:
https://idp.example.com:433/samlip/sps/ipfed/saml20/sloinitial
  ?RequestBinding=HTTPPost
Name identifier management service initial URL (IP or SP)
Used by the partner to contact the name identifier management server. The anyauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps
  /federation_name/saml20/mnidsinitial
  ?RequestBinding=RequestBindingType
  &PartnerId=target_partner_provider_ID
  &NameIdTerminate=name_ID_terminate_value
Where:
isam_hostname
The host name of the reverse proxy server for the identity provider or service provider.
port_number
The port number of the reverse proxy server.
junction_name
The name of the junction created on the reverse proxy server.
federation_name
The name you assigned to the federation when you created it.
RequestBindingType
The binding that is used to send the request. The valid values are:
  • HTTPPost
  • HTTPRedirect
  • HTTPArtifact
  • HTTPSOAP
target_partner_provider_ID
The provider ID of the target partner.
name_ID_terminate_value
A value that indicates whether the name ID management flow must terminate the name ID mapping. Valid values are:
  • True: Ends the account linkage.
  • False: Indicates that the name ID flow updates the name identifiers (aliases). False is the default if you do not explicitly specify a value.
Examples:
Name ID management initiated by the identity provider:
https://idp.example.com:443/samlip/sps/ipfed/saml20/mnidsinitial
  ?RequestBinding=HTTPSOAP
  &PartnerId=https://sp.example.com:443/samlsp/sps/spfed/saml20
  &NameIdTerminate=true
Name ID management initiated by the service provider:
https://sp.example.com:443/samlsp/sps/spfed/saml20/mnidsinitial
  ?RequestBinding=HTTPArtifact
  &PartnerId=https://idp.example.com:443/samlip/sps/ipfed/saml20
  &NameIdTerminate=true
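The following is an added example, not product code: a small builder that assembles the four profile initial URLs described above (SP-initiated and IdP-initiated SSO, single logout, and name identifier management) from a constructed rule table of the permitted RequestBinding values and query parameters, rejecting values outside the lists on this page. Parameter values are compared exactly as the valid-value lists spell them, and the Target is percent-encoded the way it is carried into RelayState.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

BOOL = {"true", "false"}
NAME_ID = {"Transient", "Persistent", "Email"}
# Constructed rule table (example only, not product code): for each profile the
# path segment after /saml20/, the permitted RequestBinding values, and the
# other query parameters with their permitted values (None = free-form text,
# for example a Target URL or a partner provider ID).
PROFILES = {
    "sp-sso": ("logininitial", {"HTTPPost", "HTTPRedirect", "HTTPArtifact"}, {
        "ResponseBinding": {"HTTPPost", "HTTPArtifact"}, "NameIdFormat": NAME_ID,
        "IsPassive": BOOL, "IncludeIsPassive": BOOL, "ForceAuthn": BOOL,
        "IncludeForceAuthn": BOOL, "AllowCreate": BOOL, "IncludeAllowCreate": BOOL,
        "AuthnContextClassRef": None, "AuthnContextDeclRef": None,
        "AuthnContextComparison": {"exact", "minimum", "maximum", "better"},
        "Target": None}),
    "idp-sso": ("logininitial", {"HTTPPost", "HTTPArtifact"}, {
        "PartnerId": None, "NameIdFormat": NAME_ID, "AllowCreate": BOOL, "Target": None}),
    "slo": ("sloinitial", {"HTTPPost", "HTTPRedirect", "HTTPArtifact", "HTTPSOAP"}, {}),
    "mnids": ("mnidsinitial", {"HTTPPost", "HTTPRedirect", "HTTPArtifact", "HTTPSOAP"}, {
        "PartnerId": None, "NameIdTerminate": BOOL}),
}


def build_initial_url(profile, host, junction, federation, params):
    """Return the initial URL for `profile`, or raise ValueError when a query
    parameter or value is not one the page permits for that profile."""
    path, bindings, allowed = PROFILES[profile]
    if params.get("RequestBinding") not in bindings:
        raise ValueError(f"RequestBinding must be one of {sorted(bindings)}")
    for key, value in params.items():
        if key == "RequestBinding":
            continue
        if key not in allowed:
            raise ValueError(f"{key} is not a valid parameter for {profile}")
        if allowed[key] is not None and value not in allowed[key]:
            raise ValueError(f"{key} must be one of {sorted(allowed[key])}")
    # Page rule: AllowCreate at the service provider requires NameIdFormat=Persistent.
    if profile == "sp-sso" and "AllowCreate" in params:
        if params.get("NameIdFormat") != "Persistent":
            raise ValueError("AllowCreate requires NameIdFormat=Persistent")
    if profile in ("idp-sso", "mnids") and "PartnerId" not in params:
        raise ValueError("PartnerId is required for " + profile)
    # urlencode percent-encodes Target; the IdP carries that value as RelayState.
    return f"https://{host}/{junction}/sps/{federation}/saml20/{path}?{urlencode(params)}"


def target_of(url):
    """Recover the decoded Target from an initial URL (the value RelayState carries)."""
    return parse_qs(urlsplit(url).query).get("Target", [None])[0]
```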