Unsolicited Response Query Parameters Used by the IdP

Federation Manager Guide › Federation Partnerships › Web Links to Initiate Single Sign-on › IdP-initiated SSO (SAML 2.0 Artifact or POST) › Unsolicited Response Query Parameters Used by the IdP

Unsolicited Response Query Parameters Used by the IdP

An unsolicited response that initiates single sign-on from the IdP can include the following query parameters:

SPID
(Required) Specifies the ID of the Service Provider where the Identity Provider sends the unsolicited response.
ProtocolBinding
Specifies the ProtocolBinding element in the unsolicited response. This element specifies the protocol used when sending the assertion response to the Service Provider. If the Service Provider is not configured to support the specified protocol binding the request will fail.
RelayState
Indicates the URL of the target resource at the Service Provider. By including this query parameter, it tells the IdP to redirect the user the appropriate resource at the Service Provider. This query parameter can be used in place of specifying a target URL when configuring single sign-on.

Required Use of the ProtocolBinding Query Parameter

Use of the ProtocolBinding query parameter is required only if artifact and POST binding are enabled for the Service Provider properties and the user wants to only use artifact binding.

The URI for the artifact binding, as specified by the SAML 2.0 specification is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
The URI for the POST binding, as specified by the SAML 2.0 specification is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

You do not need to set this parameter for HTTP-POST single sign-on.

Note: You do not need to HTTP-encode the query parameters.

Optional Use of the ProtocolBinding Query Parameter

When you do not use the ProtocolBinding query parameter the following applies:

If only one binding is enabled for the Service Provider and the ProtocolBinding is not specified in the unsolicited response, the enabled binding is used.
If both bindings are enabled for the Service Provider and the ProtocolBinding is not specified in the unsolicited response, the POST binding is used by default.

Example: Unsolicited Response without ProtocolBinding

This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter. There is no ProtocolBinding query parameter. After the user clicks this hard coded link, they are redirected to the Single Sign-on service.

http://fedsrv.fedsite.com:82/affwebservices/public/saml2sso?
SPID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90

Example: Unsolicited Response with ProtocolBinding

This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter and the artifact binding is being used, as specified by the bindings query parameter. After the user clicks this hard coded link, they are redirected to local Single Sign-on service.

http://idp-ca:82/affwebservices/public/saml2sso?SPID=
http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&
ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

Email CA about this topic