Relying party endpoints for authentication

A Secure Access Manager OpenID Connect Relying Party (RP) federation uses two URL endpoints.

Initiation or Kickoff URL
The user accesses this URL to initiate an OpenID Connect (OIDC) federated single sign-on. Accessing this URL results in a redirect to the /authorize endpoint of the configured OIDC Provider.
https://<reverseproxy host, port, junction>/sps/oidc/rp/<federation name>/kickoff/<partner name>

This endpoint accepts an optional Target query string parameter that defines the location to which the user is redirected after a successful authentication, for example an application's landing page. The Target must be a fully qualified URL that contains the protocol, host, and path. Because the value arrives in the query string, it is under the control of whoever built the link; treat it as you would any other user-supplied redirect target.

For example, with a junction of /isam, a federation of my_federation and a partner of partner_company, the URL is:

https://my.webseal.com/isam/sps/oidc/rp/my_federation/kickoff/partner_company

Reentry or Redirect URL
After the Kickoff URL has sent the browser to /authorize and the OIDC Provider has authenticated the user, the provider redirects the user back to the RP at the Redirect URI. The RP includes this value as the redirect_uri parameter in the request to /authorize, so the two must agree.

https://<reverseproxy host, port, junction>/sps/oidc/rp/<federation name>/redirect/<partner name>

The Redirect URL must be registered on the OIDC Provider as a redirect URI for this RP; a provider will not send the user back to an unregistered location. If this URL is accessed without existing session state (that is, without first accessing the Kickoff URL), an error occurs. When the flow completes successfully, the user is authenticated after this URL is accessed.

For example, with a junction of /isam, a federation of my_federation and a partner of partner_company, the URL is:

https://my.webseal.com/isam/sps/oidc/rp/my_federation/redirect/partner_company
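The following Python script walks through both endpoints end to end: it builds the Kickoff URL with a Target parameter, shows the /authorize request that carries the Redirect URL as redirect_uri, and then models the RP's handling of the reentry, including the error when the Redirect URL is hit without prior kickoff state. This is an added illustration, not code from the product or its documentation. The junction, federation and partner names are taken from the page's example; the OP /authorize address, the client_id, the authorization code and the session and state handling are assumptions made for the example.

```python
"""Worked example of the RP kickoff/redirect exchange (added illustration, not product code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the page's example: junction /isam, federation and partner names.
RP_BASE = "https://my.webseal.com/isam"
FEDERATION = "my_federation"
PARTNER = "partner_company"

# Assumed OP details (not from the page): its /authorize endpoint and the RP's client_id.
OP_AUTHORIZE = "https://op.example.com/authorize"
CLIENT_ID = "my_rp_client"


class RpError(Exception):
    """Raised where the real RP would return an error page."""


def is_fully_qualified(url):
    """The page requires protocol, host and path; enforce all three."""
    p = urlsplit(url)
    return p.scheme in ("https", "http") and bool(p.netloc) and p.path.startswith("/")


def kickoff_url(target=None):
    """Initiation URL; an optional Target is appended as a query string parameter."""
    url = f"{RP_BASE}/sps/oidc/rp/{FEDERATION}/kickoff/{PARTNER}"
    if target is not None:
        if not is_fully_qualified(target):
            raise ValueError("Target must be a fully qualified URL (scheme, host, path)")
        url += "?" + urlencode({"Target": target})
    return url


def redirect_url():
    """Reentry URL; this exact value must be registered at the OP as a redirect URI."""
    return f"{RP_BASE}/sps/oidc/rp/{FEDERATION}/redirect/{PARTNER}"


def handle_kickoff(session, query_string):
    """RP side of the kickoff: store state/nonce/Target in the session, build the /authorize redirect."""
    params = parse_qs(query_string, keep_blank_values=True)
    target = params.get("Target", [None])[0]
    if target is not None and not is_fully_qualified(target):
        raise RpError("invalid Target")
    state = secrets.token_urlsafe(16)   # binds the reentry to this session
    nonce = secrets.token_urlsafe(16)   # later checked against the ID token (not shown)
    session["oidc"] = {"state": state, "nonce": nonce, "target": target}
    return OP_AUTHORIZE + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_url(),
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    })


def handle_redirect(session, query_string):
    """RP side of the reentry: refuse if no kickoff state exists or the state does not match."""
    pending = session.pop("oidc", None)   # one-shot: a replayed redirect finds nothing
    if pending is None:
        raise RpError("no session state: Kickoff URL was not accessed first")
    params = parse_qs(query_string)
    if params.get("state", [None])[0] != pending["state"]:
        raise RpError("state mismatch")
    if "error" in params:
        raise RpError(params["error"][0])
    code = params.get("code", [None])[0]
    if code is None:
        raise RpError("missing authorization code")
    # Token exchange and ID token validation (including the nonce check) would follow here.
    return {"code": code, "nonce": pending["nonce"], "target": pending["target"]}


def simulate_flow(target):
    """One successful round trip: kickoff -> OP /authorize -> redirect back -> authenticated."""
    session = {}
    authorize = handle_kickoff(session, urlsplit(kickoff_url(target)).query)
    q = parse_qs(urlsplit(authorize).query)
    # Simulated OP: after authenticating the user it sends them to redirect_uri with code and state.
    back = q["redirect_uri"][0] + "?" + urlencode(
        {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": q["state"][0]})   # constructed code value
    return handle_redirect(session, urlsplit(back).query)


def redirect_without_kickoff_fails():
    """Reproduces the documented error: Redirect URL accessed with no session state."""
    try:
        handle_redirect({}, "code=x&state=y")
    except RpError:
        return True
    return False


if __name__ == "__main__":
    print(kickoff_url("https://app.example.com/home"))
    print(simulate_flow("https://app.example.com/home"))
    print("redirect without kickoff rejected:", redirect_without_kickoff_fails())
```

The state value is what ties the reentry back to the kickoff: the RP generates it at the Kickoff URL, the OP echoes it back, and the Redirect URL refuses anything it cannot match to stored session state, which is the documented error for hitting the Redirect URL first.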