At the producer, create pages that contain links that direct the user to the consumer site. Each link represents an intersite transfer URL. The user has to visit the intersite transfer URL, which makes a request to the producer-side Web Agent before the user is redirected to the consumer site.
For SAML Artifact and POST profile, the syntax for the intersite transfer URL is:
http://producer_host:port/affwebservices/public/intersitetransfer?CONSUMERID=consumer_entity_ID&TARGET=http://consumer_site/target_url
The variables and query parameters in the previous intersite transfer URL are as follows:
producer_host:port
Specifies the server and port number where the user is authenticated.
CONSUMERID
(Required) Identifies the consumer. On the producer side, the producer-to-consumer partnership has a name, and the remote consumer entity has an ID. The CONSUMERID is the entity ID of the remote consumer.
You can use the parameter NAME in place of CONSUMERID, but you must use one or the other.
If you use NAME, specify the name of the producer-to-consumer partnership as defined at the producer.
consumer_entity_ID
Identifies the consumer site the user wants to visit from the producer site.
TARGET
(Optional) Identifies the requested target resource at the consumer.
The TARGET parameter is optional. You are required to define the target; however, you can define it in the consumer-side partnership instead of the intersite transfer URL. (The target is defined in the Application Integration step of the Partnership wizard.) Be sure to define the target in the URL or in the partnership.
consumer_site
Specifies the server at the consumer site.
target_url
Indicates the target application at the consumer site.
Note: Query parameters for the SAML Artifact binding must use HTTP-encoding.
Example of an intersite transfer URL for the Artifact and POST profile:
http://www.smartway.com/affwebservices/public/intersitetransfer?CONSUMERID=ahealthco&TARGET=http://www.ahealthco.com:85/smartway/index.jsp
If a user visits a Federation Manager Identity Provider before going to the Service Provider, an unsolicited response at the Identity Provider must be initiated. To initiate an unsolicited response, create a hard-coded link that generates an HTTP GET request that Federation Manager accepts. This HTTP GET request must contain a query parameter that provides the Service Provider ID for which the Identity Provider must generate the SAML assertion response. A user clicks this link to initiate the unsolicited response.
Note: This information applies to Artifact or POST bindings.
To specify the use of artifact or POST profile in the unsolicited response, the syntax for the unsolicited response link is:
http://idp_server:port/affwebservices/public/saml2sso?SPID=SP_ID&ProtocolBinding=URI_for_binding&RelayState=target_URL
idp_server:port
Identifies the web server and port hosting Federation Manager.
SP_ID
Specifies the Entity ID of the Service Provider defined in the partnership.
URI_for_binding
Identifies the URI of the POST or Artifact binding for the ProtocolBinding element. The SAML 2.0 specification defines this URI.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Note: A binding must also be enabled for the partnership for the request to work.
target_URL
Specifies the URL of the federation resource target at the Service Provider.
Note the following:
Important! If you configure indexed endpoint support for Assertion Consumer Services, the value of the ProtocolBinding query parameter in the unsolicited response link overrides the binding you configure for the Assertion Consumer Service.
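One way to generate both kinds of link with every query value percent-encoded, so that a target URL carrying its own "&" or "=" cannot split the query string. This is an added example, not code from the product or its documentation; the function names, the short binding labels and the base-URL arguments are assumptions made for illustration.

```python
from urllib.parse import urlencode, quote

# Binding URIs listed on this page (defined by the SAML 2.0 specification).
# The short keys "artifact" and "post" are labels chosen for this example.
BINDINGS = {
    "artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "post": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def _link(base, path, params):
    # quote with safe='' percent-encodes every reserved character in a value
    # (':', '/', '&', '=', space), so a target URL stays one parameter.
    query = urlencode(params, quote_via=quote, safe="")
    return f"{base.rstrip('/')}{path}?{query}"


def intersite_transfer_url(producer_base, *, consumer_id=None, name=None, target=None):
    """Producer-side link: exactly one of CONSUMERID or NAME, TARGET optional."""
    if (consumer_id is None) == (name is None):
        raise ValueError("specify exactly one of CONSUMERID or NAME")
    if consumer_id is not None:
        params = [("CONSUMERID", consumer_id)]
    else:
        params = [("NAME", name)]
    if target is not None:  # otherwise the target must be set in the partnership
        params.append(("TARGET", target))
    return _link(producer_base, "/affwebservices/public/intersitetransfer", params)


def unsolicited_response_url(idp_base, sp_id, relay_state, binding=None):
    """Identity Provider link; binding is 'artifact', 'post' or None (omitted)."""
    params = [("SPID", sp_id)]
    if binding is not None:
        if binding not in BINDINGS:
            raise ValueError(f"unknown binding: {binding!r}")
        params.append(("ProtocolBinding", BINDINGS[binding]))
    params.append(("RelayState", relay_state))
    return _link(idp_base, "/affwebservices/public/saml2sso", params)
```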
Copyright © 2010 CA. All rights reserved.