SAML 1.1 initial URL

The intersite transfer service URL is where the sign-on request process begins in a SAML 1.1 federation. The URL for initiating a single sign-on request has the following syntax:

Syntax

https://identity_provider_hostname:port_number/sps/junction_name/federation_name/saml11/login?TARGET=target_application_location[optional query strings]

Elements

identity_provider_hostname
The host name of the reverse proxy server of the identity provider.
port_number
The port number of the reverse proxy server. The default value is 443.
sps
The designation for the IBM Security Access Manager Server. This element cannot be changed.
junction_name
The name of the junction created on the reverse proxy server. For example, isam
federation_name
The name of the SAML 1.1 federation.
saml11
The designation of the SAML protocol you choose to use in your federation.
login
This element indicates what type of endpoint is using the port. login is used for the intersite transfer service.
The optional query strings SP_PROVIDER_ID and PROTOCOL can be used individually, together, or not at all; see the following examples:
TARGET
The URL of the target application that a user can log on to using single sign-on.
SP_PROVIDER_ID
The value of this query string specifies the provider ID of the service provider that is the target of the single sign-on request. This query string is optional but might be necessary. The use of this query string removes any ambiguity about which service provider is the target of the single sign-on request.
Without this query string, the service provider is determined by matching the URI://hostname[:port] of the URL in the TARGET query string to the URI://hostname[:port] of the provider ID for the service provider partner that is configured for the federation. This parameter is used with requests that are initiated at the identity provider.
PROTOCOL
The value of this parameter specifies the type of single sign-on profile (browser artifact or browser POST) that can be used for the single sign-on request. The syntax of the extension is PROTOCOL=[BA|POST], with BA indicating Browser Artifact and POST indicating Browser POST. The query string overrides local identity provider configuration.
The use of the extension is optional. When the extension is not present, the profile choice is determined by the configuration file settings. To use this extension, you must enable the IBM® PROTOCOL extension setting during the configuration steps for creating a SAML 1.1 federation on an identity provider.
These query strings can be used individually or in combination. For example, the URL used to initiate single sign-on, when the SP_PROVIDER_ID is used but the PROTOCOL extension is not, has the following syntax:
https://intersite_transfer_service_URL?SP_PROVIDER_ID=provider_ID_of_service_provider&TARGET=target_application_URL
With the SP_PROVIDER_ID and the PROTOCOL extension, the URL has the following syntax:
https://intersite_transfer_service_URL?SP_PROVIDER_ID=provider_ID_of_service_provider&TARGET=target_application_URL&PROTOCOL=[BA|POST]

Examples

Single sign-on URL, without the optional parameters:
The following example shows the single sign-on URL for an identity provider using a federation named ipfed, the SAML 1.1 protocol, a service provider with a provider ID of https://sp.example.com:443, and an application called snoop:
https://idp.example.com:443/sps/ipfed/saml11/login?TARGET=https://sp.example.com:443/snoop/
Single sign-on URL, when SP_PROVIDER_ID and PROTOCOL extension are used:
The following example shows a URL that is used to initiate single sign-on when the IBM PROTOCOL extension is used. In this example, even if the identity provider is configured to use a POST profile for the service provider named sp, the following use of the PROTOCOL extension would force the identity provider to use the browser artifact profile:
https://idp.example.com:443/isam/sps/ipfed/saml11/login?SP_PROVIDER_ID=https://sp.example.com:443/isam/sps/spfed/saml11&TARGET=https://sp.example.com:443/isam/snoop&PROTOCOL=BA
Single sign-on URL, when SP_PROVIDER_ID is used but the PROTOCOL extension is not used:
The following example shows a URL that is used to initiate single sign-on when the SP_PROVIDER_ID is used but the IBM PROTOCOL extension is not used:
https://idp.example.com:443/isam/sps/ipfed/saml11/login?SP_PROVIDER_ID=https://sp.example.com:443/isam/sps/spfed/saml11&TARGET=https://sp.example.com:443/snoop