SAML 2.0 profile initial URLs
In a federated environment, specially formed URLs can be used for user-initiated single sign-on actions. We can initiate a single sign-on flow from the service provider or identity provider.
Assertion consumer service initial URL (SP)
Initiate the single sign-on flow at the service provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_host:port/junction/sps/federation/saml20/logininitial?RequestBinding=RequestBindingType
&ResponseBinding=ResponseBindingType
&NameIdFormat=NameIDFormatType
&IsPassive=IsPassiveValue
&IncludeIsPassive=IncludeIsPassiveValue
&ForceAuthn=ForceAuthnValue
&IncludeForceAuthn=IncludeForceAuthnValue
&AllowCreate=AllowCreateValue
&IncludeAllowCreate=IncludeAllowCreateValue
&AuthnContextClassRef=ClassRefValues
&AuthnContextDeclRef=DeclarationRefValues
&AuthnContextComparison=AuthnContextComparisonValue
&Target=target_application_location
Where:
- isam_host: The host name of the reverse proxy server for the service provider.
- port: Port number of the reverse proxy server.
- junction: The name of the junction created on the reverse proxy server.
- federation: Name assigned to the federation.
- RequestBindingType: HTTPPost, HTTPRedirect or HTTPArtifact.
- ResponseBindingType: HTTPPost or HTTPArtifact.
- NameIdFormatType: Transient (anonymous) or Persistent.
- IsPassiveValue: Specifies whether the identity provider must take control of the user agent. A value of true means the identity provider is not permitted to ask the user for login credentials. Default is false.
- IncludeIsPassiveValue: Include the IsPassive attribute in the SAML authentication request. The value of the IsPassive attribute is taken from the IsPassive query string parameter. A value of true includes the attribute. Default is true.
- ForceAuthnValue: Specifies whether the identity provider must authenticate the user. A value of true means the user must be authenticated. Default is false.
- IncludeForceAuthnValue: Include the ForceAuthn attribute in the SAML authentication request. The value of the ForceAuthn attribute is taken from the ForceAuthn query string parameter. A value of true includes the attribute. Default is true.
- AllowCreateValue: Specifies whether new persistent account linkage is performed on the request. Default is true. To use it, NameIdFormat must be set to Persistent.
- IncludeAllowCreateValue: Include the AllowCreate attribute in the SAML authentication request. The value of the AllowCreate attribute is taken from the AllowCreate query string parameter. A value of true includes the attribute. Default is true.
- ClassRefValues: One or more string values that identify authentication context class URI references.
- DeclarationRefValues: One or more string values that identify authentication context declaration URI references.
- AuthnContextComparisonValue: Type of comparison used to determine the requested context classes or declarations. The comparison type must be one of the following values:
  - exact
  - minimum
  - maximum
  - better
  Default is exact.
- target_application_location: The URL of the application that a user can log on to using single sign-on.
Example: Single sign-on URL when initiated at the service provider:
https://sp.example.com:433/samlsp/sps/spfed/saml20/logininitial?RequestBinding=HTTPPost
&ResponseBinding=HTTPPost
&NameIdFormat=Email
&IsPassive=true
&ForceAuthn=false
&Target=https://sp.example.com:433/samlsp/banking
Single sign-on service initial URL (IP)
Initiate the single sign-on flow at the identity provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_host:port/junction/sps/federation/saml20/logininitial?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdFormat=NameIDFormatType
&AllowCreate=AllowCreateValue
&Target=target_application_location
Where:
- isam_host: The host name of the reverse proxy server for the identity provider.
- port: Port number of the reverse proxy server.
- junction: The name of the junction created on the reverse proxy server.
- federation: Name assigned to the federation.
- RequestBindingType: The binding used to send the request to the service provider.
- target_partner_provider_ID: Provider ID of the target partner.
- NameIdFormatType: The name ID format to use for name identifiers.
  - Transient (anonymous)
  - Persistent
- AllowCreateValue: New persistent account linkage is performed on the request. Default is false.
- target_application_location: This value is URL-encoded and set as the value of the RelayState parameter in the unsolicited response delivered by the identity provider to the service provider. A service provider interprets this value as the URL of the application that a user can log on to using single sign-on.
Example: Single sign-on URL when initiated at the identity provider:
https://idp.example.com:433/samlip/sps/saml20/saml20/logininitial?RequestBinding=HTTPPost
&NameIdFormat=persistent
&AllowCreate=true
&PartnerId=https://sp.example.com:433/samlsp/sps/saml20/saml20
&Target=https://sp.example.com:9443/banking
Single logout service initial URL (IP or SP)
Initiate the SLO flow at either the identity provider or service provider. The unauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_host:port/junction/sps/federation/saml20/sloinitial?RequestBinding=RequestBindingType
Where:
- isam_host: The host name of the reverse proxy server for the identity provider or service provider.
- port: Port number of the reverse proxy server.
- junction: The name of the junction created on the reverse proxy server.
- federation: Name assigned to the federation.
- RequestBindingType: HTTPPost, HTTPRedirect, HTTPArtifact or HTTPSOAP.
Examples: Single logout URL when initiated at the service provider:
https://sp.example.com:433/samlsp/sps/spfed/saml20/sloinitial?RequestBinding=HTTPRedirect
Single logout URL when initiated at the identity provider:
https://idp.example.com:433/samlip/sps/ipfed/saml20/sloinitial?RequestBinding=HTTPPost
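As an added example (not from the IBM documentation), the following Python builds the SP-initiated and IdP-initiated logininitial URLs and, through the same helper, the sloinitial URL described above: it percent-encodes every query parameter, rejects bindings and comparison types outside the documented sets, and refuses a Target that is not on an allowlist of your own application hosts, since the Target is handed to the partner as RelayState. The allowlist, the helper names and the sample hosts are this example's assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Value sets copied from the parameter tables on this page.
BINDINGS = {"HTTPPost", "HTTPRedirect", "HTTPArtifact", "HTTPSOAP"}
COMPARISONS = {"exact", "minimum", "maximum", "better"}


def target_allowed(target, allowed_hosts):
    """Target is echoed back to the SP as RelayState, so accept only https URLs
    on hosts we operate (the allowlist is this example's assumption, not an ISAM setting)."""
    parts = urlsplit(target)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def initial_url(host, port, junction, federation, endpoint, params, allowed_hosts):
    """Build https://host:port/junction/sps/federation/saml20/<endpoint>?...
    with every value percent-encoded. endpoint is logininitial, sloinitial or mnidsinitial."""
    for key in ("RequestBinding", "ResponseBinding"):
        if key in params and params[key] not in BINDINGS:
            raise ValueError(f"{key} must be one of {sorted(BINDINGS)}")
    if params.get("AuthnContextComparison", "exact") not in COMPARISONS:
        raise ValueError("AuthnContextComparison must be exact, minimum, maximum or better")
    if "Target" in params and not target_allowed(params["Target"], allowed_hosts):
        raise ValueError("Target is not on the allowlist: " + params["Target"])
    base = f"https://{host}:{port}/{junction}/sps/{federation}/saml20/{endpoint}"
    return base + "?" + urlencode(params)


def sp_login_url(target, allowed_hosts):
    """SP-initiated single sign-on, using the hosts and names from the page's examples."""
    params = {"RequestBinding": "HTTPPost", "ResponseBinding": "HTTPPost",
              "NameIdFormat": "Transient", "IsPassive": "false",
              "ForceAuthn": "false", "Target": target}
    return initial_url("sp.example.com", 433, "samlsp", "spfed", "logininitial",
                       params, allowed_hosts)


def idp_login_url(partner_id, target, allowed_hosts):
    """IdP-initiated single sign-on; Target travels to the partner as RelayState."""
    params = {"RequestBinding": "HTTPPost", "NameIdFormat": "Persistent",
              "AllowCreate": "true", "PartnerId": partner_id, "Target": target}
    return initial_url("idp.example.com", 433, "samlip", "saml20", "logininitial",
                       params, allowed_hosts)


def relay_target(url):
    """Decode the Target back out of a built URL (what the SP will see as RelayState)."""
    return parse_qs(urlsplit(url).query)["Target"][0]
```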
Name identifier management service initial URL (IP or SP)
Used by the partner to contact the name identifier management server. The anyauth ACL must be attached to this URL. The syntax of the URL is:
https://isam_host:port/junction/sps/federation/saml20/mnidsinitial?RequestBinding=RequestBindingType
&PartnerId=target_partner_provider_ID
&NameIdTerminate=name_ID_terminate_value
Where:
- isam_host: The host name of the reverse proxy server for the identity provider or service provider.
- port: Port number of the reverse proxy server.
- junction: The name of the junction created on the reverse proxy server.
- federation: Name assigned to the federation.
- RequestBindingType: The binding used to send the request.
  - HTTPPost
  - HTTPRedirect
  - HTTPArtifact
  - HTTPSOAP
- target_partner_provider_ID: Provider ID of the target partner.
- name_ID_terminate_value: Indicates whether the name ID management flow must terminate the name ID mapping.
  - True: Ends the account linkage.
  - False: The name ID flow updates the name identifiers (aliases). Default is False.
Examples: Name ID management initiated by the identity provider:
https://idp.example.com:443/samlip/sps/ipfed/saml20/mnidsinitial?RequestBinding=HTTPSOAP
&PartnerId=https://sp.example.com:443/samlsp/sps/spfed/saml20
&NameIdTerminate=true
Name ID management initiated by the service provider:
https://sp.example.com:443/samlsp/sps/spfed/saml20/mnidsinitial?RequestBinding=HTTPArtifact
&PartnerId=https://idp.example.com:443/samlip/sps/ipfed/saml20
&NameIdTerminate=true