SAML 1.1 initial URL
The intersite transfer service URL is where the sign-on request process begins in a SAML 1.1 federation. The URL for initiating a single sign-on request has the following syntax:
Syntax
https://identity_provider_hostname:port_number/sps/junction_name/federation_name/saml11/login?TARGET=target_application_location[optional query strings]
Elements
- identity_provider_hostname
- The host name of the reverse proxy server of the identity provider.
- port_number
- The port number of the reverse proxy server. The default value is 443.
- sps
- The designation for the IBM Security Access Manager Server. This element cannot be changed.
- junction_name
- The name of the junction created on the reverse proxy server. For example, isam.
- federation_name
- The name of the SAML 1.1 federation.
- saml11
- The designation of the SAML protocol you choose to use in your federation.
- login
- This element indicates what type of endpoint is using the port. login is used for the intersite transfer service.
You can use either, both, or neither of the optional query strings SP_PROVIDER_ID and PROTOCOL; see the following examples:
- TARGET
- The URL of the target application that a user can log on to using single sign-on.
- SP_PROVIDER_ID
- The value of this query string specifies the provider ID of the service provider that is the target of the single sign-on request. This query string is optional but might be necessary: using it removes any ambiguity about which service provider is the target of the single sign-on request.
- Without this query string, the service provider is determined by matching the URI://hostname[:port] of the URL in the TARGET query string to the URI://hostname[:port] of the provider ID for the service provider partner that is configured for the federation. This parameter is used with requests that are initiated at the identity provider.
- PROTOCOL
- The value of this parameter specifies the type of single sign-on profile (browser artifact or browser POST) that can be used for the single sign-on request. The syntax of the extension is PROTOCOL=[BA|POST], with BA indicating Browser Artifact and POST indicating Browser POST. The query string overrides local identity provider configuration.
- The use of the extension is optional. When the extension is not present, the profile choice is determined by the configuration file settings. To use this extension, you must enable the IBM® PROTOCOL extension setting during the configuration steps for creating a SAML 1.1 federation on an identity provider.
These query strings can be used individually or in combination. For example, the URL used to initiate single sign-on, when the SP_PROVIDER_ID is used but the PROTOCOL extension is not, has the following syntax:
https://intersite_transfer_service_URL?SP_PROVIDER_ID=provider_ID_of_service_provider&TARGET=target_application_URL
With the SP_PROVIDER_ID and the PROTOCOL extension, the URL has the following syntax:
https://intersite_transfer_service_URL?SP_PROVIDER_ID=provider_ID_of_service_provider&TARGET=target_application_URL&PROTOCOL=[BA|POST]
Examples
- Single sign-on URL, without the optional parameters:
- The following example shows the single sign-on URL for an identity provider using a federation named ipfed, the SAML 1.1 protocol, a service provider with a provider ID of https://sp.example.com:443, and an application called snoop:
https://idp.example.com:443/sps/ipfed/saml11/login?TARGET=https://sp.example.com:443/snoop/
- Single sign-on URL, when SP_PROVIDER_ID and PROTOCOL extension are used:
- The following example shows a URL that is used to initiate single sign-on when the IBM PROTOCOL extension is used. In this example, even if the identity provider is configured to use a POST profile for the service provider named sp, the following use of the PROTOCOL extension would force the identity provider to use the browser artifact profile:
https://idp.example.com:443/isam/sps/ipfed/saml11/login?SP_PROVIDER_ID=https://sp.example.com:443/isam/sps/spfed/saml11&TARGET=https://sp.example.com:443/isam/snoop&PROTOCOL=BA
- Single sign-on URL, when SP_PROVIDER_ID is used but the PROTOCOL extension is not used:
- The following example shows a URL that is used to initiate single sign-on when the SP_PROVIDER_ID is used but the IBM PROTOCOL extension is not used:
https://idp.example.com:443/isam/sps/ipfed/saml11/login?SP_PROVIDER_ID=https://sp.example.com:443/isam/sps/spfed/saml11&TARGET=https://sp.example.com:443/snoop
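The selection rules described under Elements (TARGET is required, SP_PROVIDER_ID names a configured partner explicitly, otherwise the partner is chosen by matching the scheme://hostname[:port] of TARGET against each partner's provider ID, and PROTOCOL must be BA or POST) are shown below as an added, stand-alone Python example, not IBM's code. It assumes a constructed partner table and treats a missing port as the scheme default when comparing origins, which the page does not state; a TARGET whose origin matches no configured partner is rejected rather than redirected to.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample partner table: provider ID -> partner name (not a real deployment).
CONFIGURED_PARTNERS = {
    "https://sp.example.com:443/isam/sps/spfed/saml11": "sp",
    "https://other.example.net/sps/spfed/saml11": "other",
}

def origin(url):
    """scheme://host:port of a URL, the part the matching rule compares.
    Assumption: a missing port equals the scheme default (443 for https)."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError("URL has no scheme or host: %r" % url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return "%s://%s:%d" % (p.scheme.lower(), p.hostname.lower(), port)

def resolve_service_provider(sso_url, partners=CONFIGURED_PARTNERS):
    """Return (partner_name, protocol) for an intersite transfer service URL,
    or raise ValueError when the request should be rejected."""
    qs = parse_qs(urlsplit(sso_url).query, keep_blank_values=True)
    target = qs.get("TARGET", [""])[0]
    if not target:
        raise ValueError("TARGET is required")
    protocol = qs.get("PROTOCOL", [None])[0]
    if protocol is not None and protocol not in ("BA", "POST"):
        raise ValueError("PROTOCOL must be BA or POST, got %r" % protocol)
    sp_id = qs.get("SP_PROVIDER_ID", [None])[0]
    if sp_id is not None:
        # Explicit partner selection: the ID must be a configured partner.
        if sp_id not in partners:
            raise ValueError("SP_PROVIDER_ID is not a configured partner")
        return partners[sp_id], protocol
    # Implicit selection: exactly one partner's provider-ID origin must match TARGET's origin.
    matches = [name for pid, name in partners.items() if origin(pid) == origin(target)]
    if len(matches) != 1:
        raise ValueError("TARGET origin matches %d configured partners" % len(matches))
    return matches[0], protocol

def accepts(sso_url, partners=CONFIGURED_PARTNERS):
    """True if the URL resolves to a partner under the rules above, else False."""
    try:
        resolve_service_provider(sso_url, partners)
        return True
    except ValueError:
        return False
```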