The single sign-on JSPs are used to initiate single sign-on, parse authentication requests, and generate responses. These include:
idpSSOFederate.jsp works on the identity provider side to receive and parse authentication requests from the service provider and generate a Response containing an assertion. The endpoint for this JSP is protocol://host:port/service-deploy-uri/idpSSOFederate. idpSSOFederate.jsp takes the following parameters:
SAMLRequest: This required parameter takes as a value the XML blob that contains the AuthnRequest.
metaAlias: This optional parameter takes as a value the metaAlias set in the identity provider's extended metadata configuration file.
RelayState: This optional parameter takes as a value the target URL of the request.
idpSSOInit.jsp initiates single sign-on from the identity provider side (also referred to as unsolicited response). For example, a user requests access to a resource. On receiving this request for access, idpSSOInit.jsp looks for a cached assertion which, if present, is sent to the service provider in an unsolicited <Response>. If no assertion is found, idpSSOInit.jsp verifies that the following required parameters are defined:
metaAlias: This parameter takes as a value the metaAlias set in the identity provider's extended metadata configuration file. If the metaAlias attribute is not present, an error is returned.
spEntityID: The entity identifier of the service provider to which the response is sent.
If defined, the unsolicited Response is created and sent to the service provider. If not, an error is returned. The endpoint for this JSP is protocol://host:port/service-deploy-uri/idpssoinit. The following optional parameters can also be passed to idpSSOInit.jsp:
RelayState: The target URL of the request.
NameIDFormat: The currently supported name identifier formats: persistent or transient.
binding: A URI suffix identifying the protocol binding to use when sending the Response. The supported values are:
HTTP-Artifact
HTTP-POST
spSSOInit.jsp is used to initiate single sign-on from the service provider side. On receiving a request for access, spSSOInit.jsp verifies that the following required parameters are defined:
metaAlias: This parameter takes as a value the metaAlias set in the identity provider's extended metadata configuration file. If the metaAlias attribute is not present, an error is returned.
idpEntityID: The entity identifier of the identity provider to which the request is sent. If idpEntityID is not provided, the request is redirected to the SAML v2 IDP Discovery Service to get the user's preferred identity provider. In the event that more than one identity provider is returned, the last one in the list is chosen. If idpEntityID cannot be retrieved using either of these methods, an error is returned.
If defined, the Request is created and sent to the identity provider. If not, an error is returned. The endpoint for this JSP is protocol://host:port/service-deploy-uri/spssoinit. The following optional parameters can also be passed to spSSOInit.jsp:
RelayState: The target URL of the request.
NameIDFormat: The currently supported name identifier formats: persistent or transient.
binding: A URI suffix identifying the protocol binding to use when sending the Response. The supported values are:
HTTP-Artifact
HTTP-POST
AssertionConsumerServiceIndex: An integer identifying the location to which the Response message should be returned to the requester. It applies to profiles in which the requester is different from the presenter, such as the Web Browser SSO profile.
AttributeConsumingServiceIndex: An integer indirectly specifying information (associated with the requester) describing the SAML attributes the requester desires or requires to be supplied.
isPassive: Takes a value of true or false with true indicating the identity provider should authenticate passively.
ForceAuthN: Takes a value of true indicating that the identity provider must force authentication or false indicating that the identity provider can reuse existing security contexts.
AllowCreate: Takes a value of true, indicating that the identity provider is allowed to create a new identifier for the principal if one does not exist, or false.
Destination: A URI indicating the address to which the request has been sent.
AuthnContextClassRef: Specifies a URI reference identifying an authentication context class that describes the declaration that follows. Multiple references can be pipe-separated.
AuthnContextDeclRef: Specifies a URI reference to an authentication context declaration. Multiple references can be pipe-separated.
AuthComparison: The comparison method used to evaluate the requested context classes or statements. Accepted values include: minimum, maximum, or better.
Consent: Indicates whether or not (and under what conditions) consent has been obtained from a principal in the sending of this request.
Consent is not supported in this release.
To specify a RequestedAuthnContext, pass the following parameters:
AuthLevel
AuthnContextClassRef
sunamcompositeadvice
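As an added example (not part of the original documentation or of the product it describes), the following Python builds the spSSOInit.jsp request URL from the parameters listed above, rejecting any value outside the sets this page documents before the request is sent. The base URL, the Python parameter names, and the example hosts are assumptions.

```python
from urllib.parse import urlencode, urljoin

# Supported values as listed on this page (assumed exhaustive for this example).
SUPPORTED_BINDINGS = {"HTTP-Artifact", "HTTP-POST"}
SUPPORTED_NAMEID_FORMATS = {"persistent", "transient"}
SUPPORTED_AUTH_COMPARISON = {"minimum", "maximum", "better"}


def _bool_param(value):
    """Render a Python bool as the lowercase 'true'/'false' the JSP expects."""
    return "true" if value else "false"


def build_spssoinit_url(base_url, meta_alias, idp_entity_id=None, relay_state=None,
                        name_id_format=None, binding=None,
                        authn_context_class_ref=(), auth_comparison=None,
                        is_passive=None, force_authn=None, allow_create=None):
    """Build the spSSOInit.jsp URL (base_url = protocol://host:port/service-deploy-uri/).

    metaAlias is required; each optional parameter is validated against the value
    set the page lists, so a typo is rejected here rather than by the JSP.
    """
    if not meta_alias:
        raise ValueError("metaAlias is required")
    params = {"metaAlias": meta_alias}
    if idp_entity_id:
        params["idpEntityID"] = idp_entity_id
    if relay_state:
        params["RelayState"] = relay_state
    if name_id_format is not None:
        if name_id_format not in SUPPORTED_NAMEID_FORMATS:
            raise ValueError(f"unsupported NameIDFormat: {name_id_format}")
        params["NameIDFormat"] = name_id_format
    if binding is not None:
        if binding not in SUPPORTED_BINDINGS:
            raise ValueError(f"unsupported binding: {binding}")
        params["binding"] = binding
    if authn_context_class_ref:
        # Multiple class references are pipe-separated; urlencode escapes '|' as %7C.
        params["AuthnContextClassRef"] = "|".join(authn_context_class_ref)
    if auth_comparison is not None:
        if auth_comparison not in SUPPORTED_AUTH_COMPARISON:
            raise ValueError(f"unsupported AuthComparison: {auth_comparison}")
        params["AuthComparison"] = auth_comparison
    for name, value in (("isPassive", is_passive), ("ForceAuthN", force_authn),
                        ("AllowCreate", allow_create)):
        if value is not None:
            params[name] = _bool_param(value)
    return urljoin(base_url, "spssoinit") + "?" + urlencode(params)
```

Omitting idpEntityID is allowed here because, as described above, the JSP then falls back to the IDP Discovery Service.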