IBM Tivoli Federated Identity Manager, Version 6.2.1

Assertion consumer service initial URL (service provider)

In a SAML 2.0 federation, single sign-on can be initiated either at the identity provider site or at the service provider site. This topic describes the syntax of the URL that initiates single sign-on at the service provider (the service provider then sends an authentication request to the identity provider and receives the response at its assertion consumer service).

Syntax for initiating single sign-on at the service provider

https://provider_hostname:port_number/sps/
federation_name/saml20/logininitial?
RequestBinding=RequestBindingType&
ResponseBinding=ResponseBindingType&
NameIdFormat=NameIDFormatType&
IsPassive=[true|false]&
ForceAuthn=[true|false]&
AllowCreate=[true|false]&
AuthnContextClassRef=ClassReference&
AuthnContextDeclRef=DeclarationReference&
AuthnContextComparison=[exact|minimum|maximum|better]&
Target=target_application_location

Elements

https or http
The URI scheme. https for resources that are protected by secure sockets layer (SSL). http for resources that are not protected by SSL.
provider_hostname
The hostname of the provider point of contact server.
port_number
The port number of the single sign-on endpoint on the point of contact server. The default value is 9443.
sps
The designation for the Tivoli® Federated Identity Manager Server. This element cannot be changed.
federation_name
The name you assign to the federation when you create it.
saml20
The designation of SAML 2.0.
logininitial
This element indicates what type of endpoint is using the port. logininitial is used to initiate the single sign-on service.
The URL also carries the following query-string parameters. RequestBinding, ResponseBinding and Target identify the request; parameters that have a documented default value can be omitted:
RequestBinding
The binding that is used to send the request. The valid values when initiating single sign-on at the service provider are:
  • HTTPPost
  • HTTPArtifact
  • HTTPRedirect
ResponseBinding
The binding that is used by the responder to return the response. The valid values when initiating single sign-on at the service provider are:
  • HTTPPost
  • HTTPArtifact
Target
The URL of the application that a user can log in to using single sign-on.
NameIdFormat
The name ID format that is to be used for name identifiers. Valid values are:
  • Transient (anonymous)
  • Persistent
  • Encrypted (for encrypted name IDs)
  • E-mail

Persistent is the default setting. If the NameIdFormat attribute is not included, a persistent name ID is used.

AllowCreate
Indicates whether the identity provider is allowed to create a new persistent account linkage (a new persistent name identifier) for the user when none exists yet. The default value is true. Note: This parameter applies only when NameIdFormat is set to Persistent.
ForceAuthn
Specifies whether the identity provider must authenticate the user directly for this request. A value of true means that the user must be authenticated again, even if the user already has a session at the identity provider. The default value is false.
Note:
  • Depending on the federation configuration, the more restrictive setting is implemented. For example, if you set the federation configuration to force a user to authenticate, setting the ForceAuthn element to false is not implemented.
  • If you plan to use WebSEAL cookie management with SAML 2.0 ForceAuthn, ensure that the list of managed cookies does not include the WebSphere® session cookie. See Configuring WebSEAL to manage cookies
IsPassive
Indicates whether the identity provider must complete the request without taking control of the user agent. If set to true, the identity provider is not permitted to prompt the user for login credentials; it must satisfy the request from an existing session or return an error response.
The default value is false.
Note: Depending on the federation configuration, the more restrictive setting is implemented. For example, if you set the federation configuration not to allow the identity provider to take control of the user agent, setting the IsPassive element to false is not implemented.
AuthnContextClassRef
Specifies one or more string values which identify authentication context class URI references.
Note: Use either AuthnContextClassRef or AuthnContextDeclRef. If both are supplied, AuthnContextClassRef is used.
AuthnContextDeclRef
Specifies one or more string values which identify authentication context declaration URI references.
Note: Use either AuthnContextClassRef or AuthnContextDeclRef. If both are supplied, AuthnContextClassRef is used.
AuthnContextComparison
Specifies how the identity provider compares the authentication context it actually used against the requested context classes or declarations. The comparison type must be one of the following:
  • exact
  • minimum
  • maximum
  • better

The default value is exact.

Example

Single sign-on URL when initiated at service provider:
The following example shows the single sign-on URL when initiated at a service provider. The federation is named spfed, uses the SAML 2.0 protocol, uses HTTPPost as both the request binding and the response binding, and has a target application at https://sp.example.com:9443/banking:
https://sp.example.com:9443/sps/
spfed/saml20/logininitial?
RequestBinding=HTTPPost&
ResponseBinding=HTTPPost&
NameIdFormat=persistent&
IsPassive=true&
ForceAuthn=true&
AllowCreate=true&
AuthnContextComparison=minimum&
AuthnContextClassRef=classref1&
Target=https://sp.example.com:9443/banking
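The following Python module is an added example, not IBM code and not part of the original page. It assembles a logininitial URL from the parameters listed above and parses one back, enforcing the documented rules: the allowed request and response bindings, the NameIdFormat values, AllowCreate only with a persistent name ID, and AuthnContextClassRef winning over AuthnContextDeclRef. Two checks are this example's own additions rather than documented endpoint behaviour: Target must be an absolute https URL on an allow-listed host (Target is where the browser is sent after single sign-on, so an unrestricted value is a redirect vector), and a request that sets both IsPassive=true and ForceAuthn=true is rejected, because SAML 2.0 Core forbids an IsPassive request from prompting the user while ForceAuthn demands fresh authentication (the example URL above sets both, so it would fail this check). The hostnames and federation name in the test data are the page's own; the allow-list is constructed for the example.

```python
"""Added example: build and check a TFIM SAML 2.0 SP-initiated SSO URL.

Not IBM code. The Target allow-list and the IsPassive/ForceAuthn conflict
check are this example's additions; everything else follows the parameter
rules documented for /sps/<federation>/saml20/logininitial.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

REQUEST_BINDINGS = {"HTTPPost", "HTTPArtifact", "HTTPRedirect"}
RESPONSE_BINDINGS = {"HTTPPost", "HTTPArtifact"}
NAMEID_FORMATS = {"transient": "Transient", "persistent": "Persistent",
                  "encrypted": "Encrypted", "e-mail": "E-mail"}
COMPARISONS = {"exact", "minimum", "maximum", "better"}
BOOLEANS = {"true": True, "false": False}


def validate_params(params, allowed_target_hosts=None):
    """Check a logininitial query-string dict against the documented rules.

    Returns a normalized copy (canonical NameIdFormat spelling, booleans as
    Python bools, only the parameters that were actually supplied).
    Raises ValueError on anything the endpoint would reject or that is unsafe.
    """
    p = dict(params)
    out = {}
    for name in ("RequestBinding", "ResponseBinding", "Target"):
        if not p.get(name):
            raise ValueError(f"{name} is required")
    if p["RequestBinding"] not in REQUEST_BINDINGS:
        raise ValueError(f"bad RequestBinding {p['RequestBinding']!r}")
    if p["ResponseBinding"] not in RESPONSE_BINDINGS:
        raise ValueError(f"bad ResponseBinding {p['ResponseBinding']!r}")
    out["RequestBinding"] = p["RequestBinding"]
    out["ResponseBinding"] = p["ResponseBinding"]

    # Example's own guard: Target is the post-login redirect destination, so
    # require https and, when an allow-list is given, a known application host.
    t = urlsplit(p["Target"])
    if t.scheme != "https" or not t.hostname:
        raise ValueError("Target must be an absolute https URL")
    if allowed_target_hosts is not None and t.hostname not in allowed_target_hosts:
        raise ValueError(f"Target host {t.hostname!r} is not in the allow-list")
    out["Target"] = p["Target"]

    fmt = NAMEID_FORMATS.get((p.get("NameIdFormat") or "Persistent").lower())
    if fmt is None:
        raise ValueError(f"bad NameIdFormat {p.get('NameIdFormat')!r}")
    if p.get("NameIdFormat") is not None:
        out["NameIdFormat"] = fmt

    for name in ("IsPassive", "ForceAuthn", "AllowCreate"):
        raw = p.get(name)
        if raw is None:
            continue  # omitted: the server applies its documented default
        if str(raw).lower() not in BOOLEANS:
            raise ValueError(f"{name} must be true or false, got {raw!r}")
        out[name] = BOOLEANS[str(raw).lower()]
    if "AllowCreate" in out and fmt != "Persistent":
        raise ValueError("AllowCreate requires NameIdFormat=Persistent")
    # Example's own check: a passive request may not prompt, a forced one must.
    if out.get("IsPassive") and out.get("ForceAuthn"):
        raise ValueError("IsPassive=true cannot be combined with ForceAuthn=true")

    # Documented precedence: if both references are supplied, ClassRef is used.
    if p.get("AuthnContextClassRef"):
        out["AuthnContextClassRef"] = p["AuthnContextClassRef"]
    elif p.get("AuthnContextDeclRef"):
        out["AuthnContextDeclRef"] = p["AuthnContextDeclRef"]
    cmp_ = p.get("AuthnContextComparison")
    if cmp_ is not None:
        if cmp_ not in COMPARISONS:
            raise ValueError(f"bad AuthnContextComparison {cmp_!r}")
        out["AuthnContextComparison"] = cmp_
    return out


def build_login_initial_url(host, federation, params, port=9443,
                            allowed_target_hosts=None):
    """Assemble https://host:port/sps/<federation>/saml20/logininitial?...

    Values are validated first and percent-encoded by urlencode, so a Target
    containing ':' and '/' cannot smuggle extra parameters into the query.
    """
    norm = validate_params(params, allowed_target_hosts)
    query = {k: (str(v).lower() if isinstance(v, bool) else v)
             for k, v in norm.items()}
    path = f"/sps/{quote(federation, safe='')}/saml20/logininitial"
    return f"https://{host}:{port}{path}?{urlencode(query)}"


def parse_login_initial_url(url, allowed_target_hosts=None):
    """Split a logininitial URL into (federation_name, validated params)."""
    u = urlsplit(url)
    parts = u.path.strip("/").split("/")
    if (u.scheme not in ("https", "http") or len(parts) != 4 or parts[0] != "sps"
            or parts[2:] != ["saml20", "logininitial"]):
        raise ValueError("not a SAML 2.0 logininitial URL")
    qs = parse_qs(u.query, keep_blank_values=True)
    dupes = sorted(k for k, v in qs.items() if len(v) > 1)
    if dupes:  # refuse ambiguous repeated parameters rather than pick one
        raise ValueError(f"duplicate parameters: {dupes}")
    flat = {k: v[0] for k, v in qs.items()}
    return parts[1], validate_params(flat, allowed_target_hosts)
```

A typical use is to call build_login_initial_url from the application's login handler with an allow-list of its own application hosts, and to run parse_login_initial_url over URLs seen in point-of-contact access logs when checking which bindings and name ID formats are actually in use.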

