SAML 2.0 profile initial URLs for the identity provider
In a federated environment, specially formed URLs can be used for user-initiated single sign-on actions from the identity provider.
- Single sign-on service
- Single logout service
- Name identifier management service
Single sign-on service initial URL
Initiates the single sign-on flow at the identity provider. The syntax of the URL is:
https://{tenantName}/saml/sps/saml20ip/saml20/logininitial
?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdFormat=NameIDFormatType
&Target=target_application_location
&AssertionConsumerSvcIndex=AssertionConsumerSvcIndex
Where:
- RequestBindingType
- The binding that is used to send the request to the service provider. The only valid value when initiating single sign-on at the identity provider is HTTPPost.
- target_partner_provider_ID
- The provider ID of the target partner.
- NameIdFormatType
- The name ID format to use for name identifiers. Valid values are:
- Transient (anonymous)
- Persistent
- target_application_location
- This element is URL-encoded and set as the value of the RelayState parameter in the unsolicited response delivered by the identity provider to the service provider. A service provider interprets this value as the URL of the application that a user can log on to using single sign-on.
- AssertionConsumerSvcIndex
- Specifies the index of the Assertion Consumer Service URL where the Identity Provider sends the response. The value must correspond to the endpoint in the Service Provider metadata.
Note: If both ResponseBinding and AssertionConsumerSvcIndex are specified, AssertionConsumerSvcIndex takes precedence.
Example of single sign-on URL when initiated at the identity provider
The following example shows the single sign-on URL when initiated at an identity provider, using the SAML 2.0 protocol. AssertionConsumerSvcIndex refers to the index of the ACS URL to which the response is sent.
https://{tenantName}/saml/sps/saml20ip/saml20/logininitial
?RequestBinding=HTTPPost
&NameIdFormat=persistent
&PartnerId=https://sp.example.com:433/samlsp/sps/saml20/saml20
&Target=https://sp.example.com:9443/banking
&AssertionConsumerSvcIndex=0
Single logout service initial URL
Initiates the single logout (SLO) flow at the identity provider. The syntax of the URL is:
https://{tenantName}/saml/sps/saml20ip/saml20/sloinitial
?RequestBinding=RequestBindingType
Where:
- RequestBindingType
- The binding that is used to send the request. The valid values are:
- HTTPPost
- HTTPRedirect
Example of single logout URL when initiated at the identity provider
https://{tenantName}/saml/sps/saml20ip/saml20/sloinitial
?RequestBinding=HTTPPost
Name identifier management service initial URL
Used by the partner to contact the name identifier management service. The syntax of the URL is:
https://{tenantName}/saml/sps/saml20ip/saml20/mnidsinitial
?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdTerminate=name_ID_terminate_value
Where:
- RequestBindingType
- The binding that is used to send the request. The valid values are:
- HTTPPost
- HTTPRedirect
- target_partner_provider_ID
- The provider ID of the target partner.
- name_ID_terminate_value
- A value that indicates whether the name ID management flow must terminate the name ID mapping. Valid values are:
- true: Ends the account linkage.
- false: Indicates that the name ID flow updates the name identifiers (aliases). false is the default if you do not explicitly specify a value.
Example of name ID management initiated by the identity provider
https://{tenantName}/saml/sps/saml20ip/saml20/mnidsinitial
?RequestBinding=HTTPPost
&PartnerId=https://sp.example.com:443/samlsp/sps/spfed/saml20
&NameIdTerminate=true
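The three initial URLs above share one shape: a fixed path per flow plus a set of query parameters whose allowed values are listed in the parameter tables. The helper below is an added example (not code from the product or this page) that assembles such a URL, rejects values outside the documented ranges (for example, only HTTPPost for identity-provider-initiated single sign-on), and URL-encodes the Target so that it survives as the RelayState value. The tenant host idp.example.com and the partner and application URLs used in the comments are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Allowed values, taken from the parameter tables on this page.
SSO_BINDINGS = {"HTTPPost"}                       # IdP-initiated SSO: HTTPPost only
SLO_MNIDS_BINDINGS = {"HTTPPost", "HTTPRedirect"}  # SLO and name ID management
NAME_ID_FORMATS = {"transient", "persistent"}

# Endpoint path component for each flow.
ENDPOINTS = {"sso": "logininitial", "slo": "sloinitial", "mnids": "mnidsinitial"}


def build_initial_url(tenant, flow, **params):
    """Build the IdP-initiated URL for flow 'sso', 'slo' or 'mnids' on the given tenant host.

    Parameter values are checked against the documented ranges, and the query string is
    URL-encoded, so a Target containing ':' '/' '?' or '&' is carried intact as RelayState.
    """
    if flow not in ENDPOINTS:
        raise ValueError(f"unknown flow {flow!r}")
    allowed = SSO_BINDINGS if flow == "sso" else SLO_MNIDS_BINDINGS
    if params.get("RequestBinding") not in allowed:
        raise ValueError(f"RequestBinding must be one of {sorted(allowed)} for {flow}")
    if flow in ("sso", "mnids") and "PartnerId" not in params:
        raise ValueError("PartnerId is required for this flow")
    if flow == "sso":
        fmt = params.get("NameIdFormat")
        if fmt is not None and fmt.lower() not in NAME_ID_FORMATS:
            raise ValueError("NameIdFormat must be Transient or Persistent")
        idx = params.get("AssertionConsumerSvcIndex")
        if idx is not None and not str(idx).isdigit():
            raise ValueError("AssertionConsumerSvcIndex must be a non-negative integer")
    if flow == "mnids":
        # false is the documented default when NameIdTerminate is not given.
        term = params.get("NameIdTerminate", "false")
        if term not in ("true", "false"):
            raise ValueError("NameIdTerminate must be 'true' or 'false'")
        params["NameIdTerminate"] = term
    return f"https://{tenant}/saml/sps/saml20ip/saml20/{ENDPOINTS[flow]}?{urlencode(params)}"


def target_from_url(url):
    """Decode the Target parameter back to the application URL the SP will see as RelayState."""
    return parse_qs(urlsplit(url).query).get("Target", [None])[0]


if __name__ == "__main__":
    # Constructed sample: SSO to a banking application with a query string in the Target.
    print(build_initial_url("idp.example.com", "sso", RequestBinding="HTTPPost",
                            NameIdFormat="persistent",
                            PartnerId="https://sp.example.com:443/samlsp/sps/saml20/saml20",
                            Target="https://sp.example.com:9443/banking?tab=1&x=y",
                            AssertionConsumerSvcIndex=0))
```

Because the Target round-trips through the query string, the service provider can decode it from RelayState exactly as the identity provider received it.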