In a SAML 2.0 federation, single sign-on can be initiated either at the
identity provider site or at the service provider site. This topic
describes the syntax for initiating single sign-on at the service
provider.
Syntax for initiating single sign-on at the service provider
https://provider_hostname:port_number/sps/
federation_name/saml20/logininitial?
RequestBinding=RequestBindingType&
ResponseBinding=ResponseBindingType&
NameIdFormat=NameIDFormatType&
IsPassive=[true|false]&
ForceAuthn=[true|false]&
AllowCreate=[true|false]&
AuthnContextClassRef=ClassReference&
AuthnContextDeclRef=DeclarationReference&
AuthnContextComparison=[exact|minimum|maximum|better]&
Target=target_application_location
Elements
- https or http
- The URI scheme. https for resources that
are protected by secure sockets layer (SSL). http for
resources that are not protected by SSL.
- provider_hostname
- The hostname of the provider point of contact server.
- port_number
- The port number of the intersite transfer service endpoint. The
default value is 9443.
- sps
- The designation for the Tivoli® Federated
Identity Manager Server. This element cannot be changed.
- federation_name
- The name you assign to the federation when you create it.
- saml20
- The designation of SAML 2.0.
- logininitial
- This element indicates what type of endpoint is using the port. logininitial is
used to initiate the single sign-on service.
The following query strings must also
be used in the URL:
- RequestBinding
- The binding that is used to send the request. The valid values
when initiating single sign-on at the service provider are:
- HTTPPost
- HTTPArtifact
- HTTPRedirect
- ResponseBinding
- The binding that is used by the responder to return the response.
The valid values when initiating single sign-on at the service provider
are:
- Target
- The URL of the application that a user can log in to using single
sign-on.
- NameIdFormat
- The name ID format that is to be used for name identifiers. Valid
values are:
- Transient (anonymous)
- Persistent
- Encrypted (for encrypted name IDs)
- E-mail
Persistent is the default setting. If the NameIdFormat attribute
is not included, a persistent name ID is used.
- AllowCreate
- Indicates if new persistent account linkage is performed on the
request. The default value is true. Note: To
use this parameter, the NameIdFormat must be set to Persistent.
- ForceAuthn
- Specifies whether the identity provider authenticates the user
or not. A value of true means that the user must
be authenticated. The default value is false.
Note:
- Depending on the federation configuration, the more restrictive
setting is implemented. For example, if you set the federation configuration
to force a user to authenticate, setting the ForceAuthn element to false is
not implemented.
- If you plan to use WebSEAL cookie management with SAML 2.0 ForceAuthn,
ensure that the list of managed cookies does not include the WebSphere® session cookie.
See Configuring WebSEAL to manage cookies.
- IsPassive
- Indicates whether the identity provider is permitted to take control
of the user agent. If set to true, the identity provider must not take
control of the user agent and is not permitted to request the user to
provide login credentials.
- The default value is false.
Note: Depending on the federation configuration, the more restrictive
setting is implemented. For example, if you set the federation
configuration not to allow the identity provider to take control of the
user agent, setting the IsPassive element to false is not implemented.
- AuthnContextClassRef
- Specifies one or more string values which identify authentication
context class URI references.
Note: Use either AuthnContextClassRef or AuthnContextDeclRef.
If both are supplied, AuthnContextClassRef is used.
- AuthnContextDeclRef
- Specifies one or more string values which identify authentication
context declaration URI references.
Note: Use either AuthnContextClassRef or AuthnContextDeclRef.
If both are supplied, AuthnContextClassRef is used.
- AuthnContextComparison
- Specifies the type of comparison used to determine the requested
context classes or declarations. The comparison type must be one of
the following:
- exact
- minimum
- maximum
- better
The default value is exact.
Example
- Single sign-on URL when initiated at service provider:
- The following example shows the single sign-on URL when initiated
at a service provider. The federation is named spfed, uses the SAML 2.0
protocol, and uses HTTPPost as both the request binding and the
response binding; the target application is https://sp.example.com:9443/banking:
https://sp.example.com:9443/sps/
spfed/saml20/logininitial?
RequestBinding=HTTPPost&
ResponseBinding=HTTPPost&
NameIdFormat=persistent&
IsPassive=true&
ForceAuthn=true&
AllowCreate=true&
AuthnContextComparison=minimum&
AuthnContextClassRef=classref1&
Target=https://sp.example.com:9443/banking
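The syntax above is shown with each query parameter on its own line and the Target value unencoded, which is fine for reading but not for a link that is actually sent to the point of contact server. The following Python is an added example, not code from Tivoli Federated Identity Manager or from this documentation: it builds the logininitial URL from the documented elements, checks each value against the sets listed on this page, percent-encodes the Target so that its own scheme, port and path are not mistaken for parts of the outer URL, and parses a link back into its parameters so an operator can verify what a login link asks the identity provider for. The set of valid ResponseBinding values is not listed on this page, and the query-string spelling of the NameIdFormat values (persistent as in the page's example, plus transient, encrypted and email) is assumed; both are marked as assumptions in the code. Hostname, federation name and target are taken from the page's example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Allowed values from the documented syntax. ResponseBinding values are not
# listed on the page, so that set is an assumption for this example; the
# spelling of the NameIdFormat values in the query string is also assumed.
REQUEST_BINDINGS = {"HTTPPost", "HTTPArtifact", "HTTPRedirect"}
RESPONSE_BINDINGS = {"HTTPPost", "HTTPArtifact"}                     # assumption
NAME_ID_FORMATS = {"transient", "persistent", "encrypted", "email"}  # assumption
COMPARISONS = {"exact", "minimum", "maximum", "better"}


def _flag(value):
    """Render a Python bool as the 'true'/'false' text the URL syntax expects."""
    return "true" if value else "false"


def build_sp_sso_url(hostname, federation_name, target, port=9443, scheme="https",
                     request_binding="HTTPPost", response_binding="HTTPPost",
                     name_id_format=None, is_passive=None, force_authn=None,
                     allow_create=None, class_ref=None, decl_ref=None,
                     comparison=None):
    """Build the /sps/<federation>/saml20/logininitial URL with the query
    parameters validated against the documented value sets and the Target
    percent-encoded. Optional parameters that are left as None are omitted
    so that the server-side defaults apply."""
    if scheme not in ("https", "http"):
        raise ValueError("scheme must be https or http")
    if request_binding not in REQUEST_BINDINGS:
        raise ValueError("invalid RequestBinding: %s" % request_binding)
    if response_binding not in RESPONSE_BINDINGS:
        raise ValueError("invalid ResponseBinding: %s" % response_binding)
    if name_id_format is not None and name_id_format.lower() not in NAME_ID_FORMATS:
        raise ValueError("invalid NameIdFormat: %s" % name_id_format)
    # AllowCreate is only meaningful for persistent name IDs (the default
    # when NameIdFormat is omitted).
    if allow_create is not None and name_id_format is not None \
            and name_id_format.lower() != "persistent":
        raise ValueError("AllowCreate requires NameIdFormat=persistent")
    if comparison is not None and comparison not in COMPARISONS:
        raise ValueError("invalid AuthnContextComparison: %s" % comparison)
    if not target.startswith(("https://", "http://")):
        raise ValueError("Target must be an absolute http(s) URL")

    # Ordered list so the generated URL follows the documented parameter order.
    params = [("RequestBinding", request_binding),
              ("ResponseBinding", response_binding)]
    if name_id_format is not None:
        params.append(("NameIdFormat", name_id_format))
    if is_passive is not None:
        params.append(("IsPassive", _flag(is_passive)))
    if force_authn is not None:
        params.append(("ForceAuthn", _flag(force_authn)))
    if allow_create is not None:
        params.append(("AllowCreate", _flag(allow_create)))
    # If both references are supplied the server uses AuthnContextClassRef,
    # so only send the one that will take effect.
    if class_ref is not None:
        params.append(("AuthnContextClassRef", class_ref))
    elif decl_ref is not None:
        params.append(("AuthnContextDeclRef", decl_ref))
    if comparison is not None:
        params.append(("AuthnContextComparison", comparison))
    params.append(("Target", target))

    base = "%s://%s:%d/sps/%s/saml20/logininitial" % (
        scheme, hostname, port, federation_name)
    # urlencode percent-encodes the Target (':' and '/' become %3A and %2F).
    return base + "?" + urlencode(params)


def parse_sp_sso_url(url):
    """Split a logininitial URL back into (federation_name, {param: value})
    so that a login link can be checked against the intended settings."""
    parts = urlsplit(url)
    path = parts.path.split("/")
    # Expected path: /sps/<federation_name>/saml20/logininitial
    if (len(path) != 5 or path[1] != "sps" or path[3] != "saml20"
            or path[4] != "logininitial"):
        raise ValueError("not an SP-initiated SAML 2.0 logininitial URL: %s" % parts.path)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return path[2], query


if __name__ == "__main__":
    # Values from the page's example (sp.example.com, spfed, banking target).
    link = build_sp_sso_url("sp.example.com", "spfed",
                            "https://sp.example.com:9443/banking",
                            name_id_format="persistent", is_passive=True,
                            force_authn=True, allow_create=True,
                            class_ref="classref1", comparison="minimum")
    print(link)
    print(parse_sp_sso_url(link))
```

Running the block prints a single-line URL in which the Target appears as Target=https%3A%2F%2Fsp.example.com%3A9443%2Fbanking, and parsing it back yields the federation name spfed and the original, decoded target. The value checks mirror the constraints stated on this page (the RequestBinding set, the four comparison types, and AllowCreate requiring a persistent name ID); anything the page leaves open is flagged as an assumption rather than enforced silently.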