SAML 2.0 profile initial URLs
In a federated environment, specially formed URLs can be used for user-initiated single sign-on actions. You can initiate a single sign-on flow from the service provider or identity provider.
The following profile initial URLs are supported in a Security Access Manager environment:
- Assertion consumer service
- Single sign-on service
- Single logout service
- Name identifier management service
- Assertion consumer service initial URL (SP)
- Initiate the single sign-on flow at the service provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps/federation_name/saml20/logininitial
?RequestBinding=RequestBindingType
&ResponseBinding=ResponseBindingType
&NameIdFormat=NameIDFormatType
&IsPassive=IsPassiveValue
&IncludeIsPassive=IncludeIsPassiveValue
&ForceAuthn=ForceAuthnValue
&IncludeForceAuthn=IncludeForceAuthnValue
&AllowCreate=AllowCreateValue
&IncludeAllowCreate=IncludeAllowCreateValue
&AuthnContextClassRef=ClassRefValues
&AuthnContextDeclRef=DeclarationRefValues
&AuthnContextComparison=AuthnContextComparisonValue
&Target=target_application_location
Where:
- isam_hostname
- The host name of the reverse proxy server for the service provider.
- port_number
- The port number of the reverse proxy server.
- junction_name
- The name of the junction created on the reverse proxy server.
- federation_name
- The name you assigned to the federation when you created it.
- RequestBindingType
- The binding that is used to send the request. The valid values when initiating single sign-on at the service provider are:
- HTTPPost
- HTTPRedirect
- HTTPArtifact
- ResponseBindingType
- The binding that is used by the responder to return the response. The valid values when initiating single sign-on at the service provider are:
- HTTPPost
- HTTPArtifact
- NameIdFormatType
- The name ID format to use for name identifiers. Valid values are:
- Transient (anonymous)
- Persistent
- IsPassiveValue
- Specifies if the identity provider must take control of the user agent. A value of true means that the identity provider is not permitted to request the user to provide login credentials. The default value is false.
- IncludeIsPassiveValue
- Specifies whether to include the IsPassive attribute in the SAML authentication request. The value of the IsPassive attribute is taken from the IsPassive query string parameter. A value of true includes the attribute. The default value is true.
- ForceAuthnValue
- Specifies if the identity provider authenticates the user. A value of true means that the user must be authenticated. The default value is false.
- IncludeForceAuthnValue
- Specifies whether to include the ForceAuthn attribute in the SAML authentication request. The value of the ForceAuthn attribute is taken from the ForceAuthn query string parameter. A value of true includes the attribute. The default value is true.
- AllowCreateValue
- Specifies if new persistent account linkage is performed on the request. The default value is true. To use this parameter, the NameIdFormat must be set to Persistent.
- IncludeAllowCreateValue
- Specifies whether to include the AllowCreate attribute in the SAML authentication request. The value of the AllowCreate attribute is taken from the AllowCreate query string parameter. A value of true includes the attribute. The default value is true.
- ClassRefValues
- Specifies one or more string values which identify authentication context class URI references.
- DeclarationRefValues
- Specifies one or more string values which identify authentication context declaration URI references.
- AuthnContextComparisonValue
- Specifies the type of comparison used to determine the requested context classes or declarations. The comparison type must be one of the following values:
- exact
- minimum
- maximum
- better
- target_application_location
- The URL of the application that a user can log on to using single sign-on.
Single sign-on URL when initiated at the service provider:
https://sp.example.com:433/samlsp/sps/spfed/saml20/logininitial
?RequestBinding=HTTPPost
&ResponseBinding=HTTPPost
&NameIdFormat=Email
&IsPassive=true
&ForceAuthn=false
&Target=https://sp.example.com:433/samlsp/banking
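As an added example (not from the product documentation), the following Python builds an SP-initiated logininitial URL from the syntax above and checks each query parameter against the values this page lists before assembling it; the allowed_target_hosts allowlist for Target is an assumption of the example, not a product setting.

```python
"""Added example: build and check an SP-initiated saml20/logininitial URL."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Valid values as listed on this page for single sign-on initiated at the SP.
ALLOWED = {
    "RequestBinding": {"HTTPPost", "HTTPRedirect", "HTTPArtifact"},
    "ResponseBinding": {"HTTPPost", "HTTPArtifact"},
    "NameIdFormat": {"Transient", "Persistent"},  # compared case-insensitively
    "AuthnContextComparison": {"exact", "minimum", "maximum", "better"},
}
BOOL_PARAMS = ("IsPassive", "IncludeIsPassive", "ForceAuthn", "IncludeForceAuthn",
               "AllowCreate", "IncludeAllowCreate")


def validate_sp_params(params, allowed_target_hosts):
    """Return a list of problems with the query parameters (empty list = acceptable).
    allowed_target_hosts is an assumed allowlist of hosts that Target may point at."""
    problems = []
    for name, values in ALLOWED.items():
        if name in params and params[name].lower() not in {v.lower() for v in values}:
            problems.append(f"{name}={params[name]!r} is not one of {sorted(values)}")
    for name in BOOL_PARAMS:
        if name in params and params[name].lower() not in ("true", "false"):
            problems.append(f"{name} must be true or false")
    # Page rule: AllowCreate is only meaningful when NameIdFormat is Persistent.
    if "AllowCreate" in params and params.get("NameIdFormat", "").lower() != "persistent":
        problems.append("AllowCreate requires NameIdFormat=Persistent")
    if "Target" in params:  # only accept an https application URL on an allowed host
        t = urlsplit(params["Target"])
        if t.scheme != "https" or t.hostname not in allowed_target_hosts:
            problems.append(f"Target host {t.hostname!r} is not an allowed application location")
    return problems


def build_sp_login_url(host, port, junction, federation, params, allowed_target_hosts):
    """Assemble https://host:port/junction/sps/federation/saml20/logininitial?... with
    every parameter, including the Target URL, percent-encoded by urlencode."""
    problems = validate_sp_params(params, allowed_target_hosts)
    if problems:
        raise ValueError("; ".join(problems))
    path = f"/{junction}/sps/{federation}/saml20/logininitial"
    return urlunsplit(("https", f"{host}:{port}", path, urlencode(params), ""))


def parse_initial_url(url):
    """Split an initial URL into its path and a single-valued, decoded query dict."""
    u = urlsplit(url)
    return u.path, {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
```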
- Single sign-on service initial URL (IP)
- Initiate the single sign-on flow at the identity provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps/federation_name/saml20/logininitial
?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdFormat=NameIDFormatType
&AllowCreate=AllowCreateValue
&Target=target_application_location
Where:
- isam_hostname
- The host name of the reverse proxy server for the identity provider.
- port_number
- The port number of the reverse proxy server.
- junction_name
- The name of the junction created on the reverse proxy server.
- federation_name
- The name you assigned to the federation when you created it.
- RequestBindingType
- The binding that is used to send the request to the service provider. The valid values when initiating single sign-on at the identity provider are:
- HTTPPost
- HTTPArtifact
- target_partner_provider_ID
- The provider ID of the target partner.
- NameIdFormatType
- The name ID format to use for name identifiers. Valid values are:
- Transient (anonymous)
- Persistent
- AllowCreateValue
- Specifies if new persistent account linkage is performed on the request. The default value is false.
- target_application_location
- This element is URL-encoded and set as the value of the RelayState parameter in the unsolicited response delivered by the identity provider to the service provider. A service provider interprets this value as the URL of the application that a user can log on to using single sign-on.
Single sign-on URL when initiated at the identity provider:
https://idp.example.com:433/samlip/sps/saml20/saml20/logininitial
?RequestBinding=HTTPPost
&NameIdFormat=persistent
&AllowCreate=true
&PartnerId=https://sp.example.com:433/samlsp/sps/saml20/saml20
&Target=https://sp.example.com:9443/banking
- Single logout service initial URL (IP or SP)
- Initiate the SLO flow at either the identity provider or service provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps/federation_name/saml20/sloinitial
?RequestBinding=RequestBindingType
Where:
- isam_hostname
- The host name of the reverse proxy server for the identity provider or service provider.
- port_number
- The port number of the reverse proxy server.
- junction_name
- The name of the junction created on the reverse proxy server.
- federation_name
- The name you assigned to the federation when you created it.
- RequestBindingType
- The binding that is used to send the request. The valid values are:
- HTTPPost
- HTTPRedirect
- HTTPArtifact
- HTTPSOAP
Single logout URL when initiated at the service provider:
https://sp.example.com:433/samlsp/sps/spfed/saml20/sloinitial
?RequestBinding=HTTPRedirect
Single logout URL when initiated at the identity provider:
https://idp.example.com:433/samlip/sps/ipfed/saml20/sloinitial
?RequestBinding=HTTPPost
- Name identifier management service initial URL (IP or SP)
- Used by the partner to contact the name identifier management server. The anyauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_hostname:port_number/junction_name/sps/federation_name/saml20/mnidsinitial
?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdTerminate=name_ID_terminate_value
Where:
- isam_hostname
- The host name of the reverse proxy server for the identity provider or service provider.
- port_number
- The port number of the reverse proxy server.
- junction_name
- The name of the junction created on the reverse proxy server.
- federation_name
- The name you assigned to the federation when you created it.
- RequestBindingType
- The binding that is used to send the request. The valid values are:
- HTTPPost
- HTTPRedirect
- HTTPArtifact
- HTTPSOAP
- target_partner_provider_ID
- The provider ID of the target partner.
- name_ID_terminate_value
- A value that indicates if the name ID management flow must terminate the name ID mapping. Valid values are:
- True: Ends the account linkage.
- False: Indicates that the name ID flow updates the name identifiers (aliases). False is the default if you do not explicitly specify a value.
Name ID management initiated by the identity provider:
https://idp.example.com:443/samlip/sps/ipfed/saml20/mnidsinitial
?RequestBinding=HTTPSOAP
&PartnerId=https://sp.example.com:443/samlsp/sps/spfed/saml20
&NameIdTerminate=true
Name ID management initiated by the service provider:
https://sp.example.com:443/samlsp/sps/spfed/saml20/mnidsinitial
?RequestBinding=HTTPArtifact
&PartnerId=https://idp.example.com:443/samlip/sps/ipfed/saml20
&NameIdTerminate=true