SAML 1.1 initial URL
The intersite transfer service URL is where the sign-on request process begins in a SAML 1.1 federation. The URL for initiating a single sign-on request has the following syntax:
https://idp_host:port_number/junction_name/sps/federation_name/saml11/login?TARGET=target_application_location[optional query strings]
Elements
The URL consists of the following elements:
- idp_host
- The host name of the reverse proxy server of the identity provider.
- port_number
- The port number of the reverse proxy server. Default is 443.
- sps
- The designation for IBM Security Verify Access server the This element cannot be changed.
- junction_name
- The name of the junction created on the reverse proxy server. For example, isva
- federation_name
- The name of the SAML 1.1 federation.
- saml11
- The designation of the SAML protocol version used by the federation.
- login
- This element identifies the type of endpoint. login is the intersite transfer service endpoint.
- TARGET
- The URL of the target application that a user can log on to using single sign-on.
- SP_PROVIDER_ID
- The value of this query string is the provider ID of the service provider that is the target of the single sign-on request. The query string is optional, but it removes any ambiguity about which service provider is the target. Without it, the identity provider determines the service provider by matching the scheme://hostname[:port] portion of the URL in the TARGET query string against the scheme://hostname[:port] portion of the provider ID of each service provider partner configured for the federation. A TARGET whose scheme, host and port match no configured partner therefore cannot be resolved to a service provider, and one that matches more than one partner is ambiguous; use SP_PROVIDER_ID in the latter case. This parameter is used with requests that are initiated at the identity provider.
- PROTOCOL
- The single sign-on profile (browser artifact or browser POST) to use for the request. The syntax of the extension is PROTOCOL=[BA|POST], with BA indicating Browser Artifact and POST indicating Browser POST. The query string overrides the local identity provider configuration. The extension is optional; when it is not present, the profile is determined by the configuration file settings. To use this extension, the IBM PROTOCOL extension setting must be enabled during the configuration steps for creating a SAML 1.1 federation on the identity provider.
These query strings can be used individually or in combination. For example, the URL used to initiate single sign-on, when the SP_PROVIDER_ID is used but the PROTOCOL extension is not, has the following syntax:
https://intersite_transfer_service_URL?SP_PROVIDER_ID=provider_ID_of_service_provider&TARGET=target_application_URL
With the SP_PROVIDER_ID and the PROTOCOL extension, the URL has the following syntax:
https://intersite_transfer_service_URL?SP_PROVIDER_ID=provider_ID_of_service_provider&TARGET=target_application_URL&PROTOCOL=[BA|POST]
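The following Python script is an added illustration, not code from IBM Security Verify Access: it assembles an intersite transfer service URL from the elements above and then applies the service provider selection rule the page describes (SP_PROVIDER_ID when present, otherwise the scheme://hostname[:port] match against configured provider IDs) and the PROTOCOL override rule. The partner table, host names and the assumption that a PROTOCOL value is ignored while the extension is disabled are the author's own, not taken from the product documentation.

```python
"""Build and interpret SAML 1.1 intersite transfer service URLs.

Added example; hypothetical partner data, not IBM Security Verify Access code.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed partner table: provider ID -> partner name. Two partners share
# the host sp.example.com so that the ambiguity case can be demonstrated.
PARTNERS = {
    "https://sp.example.com:443/isam/sps/spfed/saml11": "sp",
    "https://sp.example.com:443/isam/sps/spfed2/saml11": "sp2",
    "https://other.example.org:443/isam/sps/otherfed/saml11": "other",
}


def build_intersite_transfer_url(idp_host, junction_name, federation_name, target,
                                 sp_provider_id=None, protocol=None, port=443):
    """Return https://idp_host:port/junction/sps/federation/saml11/login?...

    Query strings are emitted in the order used on the page:
    SP_PROVIDER_ID, TARGET, PROTOCOL.
    """
    if protocol is not None and protocol not in ("BA", "POST"):
        raise ValueError("PROTOCOL must be BA or POST")
    query = []
    if sp_provider_id is not None:
        query.append(("SP_PROVIDER_ID", sp_provider_id))
    query.append(("TARGET", target))
    if protocol is not None:
        query.append(("PROTOCOL", protocol))
    # ':' and '/' stay unencoded so the result reads like the documented
    # examples; '?', '&' and '=' inside TARGET are percent-encoded so a target
    # that carries its own query string survives parsing at the identity provider.
    path = f"/{junction_name}/sps/{federation_name}/saml11/login"
    return urlunsplit(("https", f"{idp_host}:{port}", path,
                       urlencode(query, safe=":/"), ""))


def parse_login_request(login_url):
    """Single-valued view of the query string of an intersite transfer request."""
    return {k: v[0] for k, v in parse_qs(urlsplit(login_url).query).items()}


def scheme_host_port(url):
    """The scheme://hostname[:port] prefix compared by the matching rule.

    Compared textually; whether the product treats 'https://h' and
    'https://h:443' as equal is not stated on the page, so they differ here.
    """
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def match_partners(target, partners=PARTNERS):
    """Provider IDs whose scheme://hostname[:port] equals that of TARGET."""
    key = scheme_host_port(target)
    return [pid for pid in partners if scheme_host_port(pid) == key]


def resolve_service_provider(login_url, partners=PARTNERS):
    """Provider ID of the service provider targeted by a sign-on request."""
    request = parse_login_request(login_url)
    if "TARGET" not in request:
        raise ValueError("TARGET is required")
    if "SP_PROVIDER_ID" in request:
        provider_id = request["SP_PROVIDER_ID"]
        if provider_id not in partners:
            raise LookupError(f"no partner with provider ID {provider_id}")
        return provider_id
    matches = match_partners(request["TARGET"], partners)
    if not matches:
        raise LookupError("TARGET matches no configured service provider partner")
    if len(matches) > 1:
        raise LookupError(f"TARGET matches {len(matches)} partners; pass SP_PROVIDER_ID")
    return matches[0]


def profile_for_request(login_url, configured_profile, protocol_extension_enabled):
    """'BA' or 'POST' for the request.

    PROTOCOL overrides the configured profile only when the PROTOCOL extension
    is enabled on the identity provider (assumed: the query string is ignored
    while the extension is disabled).
    """
    request = parse_login_request(login_url)
    if protocol_extension_enabled and "PROTOCOL" in request:
        value = request["PROTOCOL"]
        if value not in ("BA", "POST"):
            raise ValueError(f"unsupported PROTOCOL value {value!r}")
        return value
    return configured_profile


if __name__ == "__main__":
    url = build_intersite_transfer_url("idp.example.com", "isam", "ipfed",
                                       "https://sp.example.com:443/isam/snoop",
                                       sp_provider_id="https://sp.example.com:443/isam/sps/spfed/saml11",
                                       protocol="BA")
    print(url)
    print(resolve_service_provider(url), profile_for_request(url, "POST", True))
```

Resolving by TARGET alone is a convenience that depends on the host-to-partner mapping being unique; the script refuses both the no-match and the multiple-match cases rather than guessing, which is the situation SP_PROVIDER_ID exists to disambiguate.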
Examples
- Single sign-on URL, without the optional parameters:
- The following example shows the single sign-on URL for an identity provider behind a junction named isam, using a federation named ipfed, the SAML 1.1 protocol, a service provider with a provider ID of https://sp.example.com:443, and an application called snoop. Because no SP_PROVIDER_ID is given, the identity provider selects the service provider by matching https://sp.example.com:443 from the TARGET against the provider IDs of its configured partners:
https://idp.example.com:443/isam/sps/ipfed/saml11/login?TARGET=https://sp.example.com:443/snoop/
- Single sign-on URL, when SP_PROVIDER_ID and PROTOCOL extension are used:
- The following example shows a URL used to initiate single sign-on when the IBM PROTOCOL extension is used. In this example, even if the identity provider is configured to use the POST profile for the service provider named sp, the PROTOCOL extension forces the identity provider to use the browser artifact profile (provided the PROTOCOL extension setting is enabled on the identity provider):
https://idp.example.com:443/isam/sps/ipfed/saml11/login?SP_PROVIDER_ID=https://sp.example.com:443/isam/sps/spfed/saml11&TARGET=https://sp.example.com:443/isam/snoop&PROTOCOL=BA
- Single sign-on URL, when SP_PROVIDER_ID is used but the PROTOCOL extension is not used:
- The following example shows a URL used to initiate single sign-on when the SP_PROVIDER_ID is used but the IBM PROTOCOL extension is not used:
https://idp.example.com:443/isam/sps/ipfed/saml11/login?SP_PROVIDER_ID=https://sp.example.com:443/isam/sps/spfed/saml11&TARGET=https://sp.example.com:443/snoop
Parent topic: SAML profiles