The query parameters a Federation Manager SP can use in the links to the AuthnRequest Service are as follows:

ProviderID
Entity ID of the Identity Provider to which the AuthnRequest Service sends the AuthnRequest message.

ProtocolBinding
Sets the ProtocolBinding element in the AuthnRequest message. This element specifies the binding the Identity Provider uses to return the SAML response. If the specified Identity Provider is not configured to support the specified binding, the request fails.
If you use this parameter in the AuthnRequest link, do not also include the AssertionConsumerServiceIndex parameter; the two are mutually exclusive.

ForceAuthn
Instructs the Identity Provider to authenticate the user directly instead of relying on an existing security context (for example, a session the user established earlier). Use this query parameter when the Identity Provider is running third-party federation software rather than Federation Manager.
Example
http://sp1.demo.com:81/affwebservices/public/saml2authnrequest?
ProviderID=idp1.example.com&ForceAuthn=yes

AssertionConsumerServiceIndex
Specifies the index of the endpoint that acts as the Assertion Consumer Service; it tells the Identity Provider where to send the assertion response.
If you use this parameter in the AuthnRequest link, do not also include the ProtocolBinding parameter; the two are mutually exclusive. The Assertion Consumer Service has its own protocol binding, which could conflict with the ProtocolBinding value.

Target resource
Indicates the URL of the target resource at the Service Provider, that is, where the Service Provider sends the user after single sign-on. If this parameter is omitted, the default target defined for the partnership is used.
The ProtocolBinding parameter is required if both the artifact and the POST binding are enabled for the partnership and the user wants to use only the artifact binding. The parameter takes one of the following values:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
When you do not use the ProtocolBinding query parameter the following applies:
Note: The AuthnRequest Service does not require the query parameter values to be URL-encoded (percent-encoded). The examples below nonetheless percent-encode the ProviderID value, which is harmless and avoids ambiguity when a value contains characters such as &, = or /.
Example: AuthnRequest Link without the ProtocolBinding Query Parameter
This sample link goes to the AuthnRequest Service. It specifies the Identity Provider in the ProviderID query parameter and leaves the response binding to the partnership configuration.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?
ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
After a user clicks the link at the Service Provider, Federation Manager passes the request to the AuthnRequest Service, which generates the AuthnRequest message and sends it to the Identity Provider named in ProviderID.
Example: AuthnRequest Link with the ProtocolBinding Query Parameter
This sample link also specifies the Identity Provider in the ProviderID query parameter, and additionally selects the artifact binding for the response.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?
ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&
ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
After a user clicks the link at the Service Provider, Federation Manager passes the request to the AuthnRequest Service, which generates an AuthnRequest message whose ProtocolBinding element is HTTP-Artifact, so the Identity Provider returns the SAML response over the artifact binding.
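As an added example (not CA's code and not part of Federation Manager), the following Python builds links to the AuthnRequest Service from the parameters described above and checks a received link against the same rules: caller-supplied values are percent-encoded, the binding URN is emitted verbatim as in the page's own examples, a link that carries both ProtocolBinding and AssertionConsumerServiceIndex is rejected, and a target that points off the Service Provider is refused. The names ProviderID, ProtocolBinding, ForceAuthn and AssertionConsumerServiceIndex come from this page; the name RelayState for the target parameter, the duplicate-parameter check and the restriction of targets to the SP's own host are assumptions made for the example.

```python
"""Build and check links to the Federation Manager AuthnRequest Service.

Added example, not CA's code. ProviderID, ProtocolBinding, ForceAuthn and
AssertionConsumerServiceIndex are documented names; RelayState is an ASSUMED
name for the target-resource parameter.
"""
from urllib.parse import quote, urlsplit, parse_qs

AUTHN_REQUEST_PATH = "/affwebservices/public/saml2authnrequest"
BINDING_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ALLOWED_BINDINGS = {BINDING_ARTIFACT, BINDING_POST}
TARGET_PARAM = "RelayState"  # assumption: name of the target-resource parameter


def build_authnrequest_link(sp_base, provider_id, protocol_binding=None,
                            acs_index=None, force_authn=False, target=None):
    """Return the SP-side link that starts SP-initiated single sign-on."""
    if protocol_binding is not None and acs_index is not None:
        raise ValueError("ProtocolBinding and AssertionConsumerServiceIndex "
                         "are mutually exclusive")
    if protocol_binding is not None and protocol_binding not in ALLOWED_BINDINGS:
        raise ValueError("unsupported ProtocolBinding: %r" % protocol_binding)
    if acs_index is not None and (not isinstance(acs_index, int) or acs_index < 0):
        raise ValueError("AssertionConsumerServiceIndex must be a non-negative integer")

    sp = urlsplit(sp_base)
    # Caller-supplied values are percent-encoded (safe="" also encodes ":" and "/").
    params = ["ProviderID=" + quote(provider_id, safe="")]
    if protocol_binding is not None:
        # Allowlisted URN, emitted verbatim as in the page's examples.
        params.append("ProtocolBinding=" + protocol_binding)
    if acs_index is not None:
        params.append("AssertionConsumerServiceIndex=%d" % acs_index)
    if force_authn:
        params.append("ForceAuthn=yes")
    if target is not None:
        # Assumption: the target must be a resource on the Service Provider itself.
        # Rejects other hosts, scheme-relative "//host/..." and non-http schemes.
        t = urlsplit(target)
        if (t.scheme or t.netloc) and (t.scheme, t.netloc) != (sp.scheme, sp.netloc):
            raise ValueError("target must be a resource on the Service Provider")
        params.append(TARGET_PARAM + "=" + quote(target, safe=""))
    return "%s://%s%s?%s" % (sp.scheme, sp.netloc, AUTHN_REQUEST_PATH, "&".join(params))


def parse_authnrequest_link(url):
    """Decode a link to the AuthnRequest Service and apply the same rules.

    Returns a dict of parameter name -> decoded value, or raises ValueError.
    """
    parts = urlsplit(url)
    if parts.path != AUTHN_REQUEST_PATH:
        raise ValueError("not a link to the AuthnRequest Service")
    qs = parse_qs(parts.query, keep_blank_values=True)
    repeated = sorted(k for k, v in qs.items() if len(v) > 1)
    if repeated:  # assumption: a repeated parameter is ambiguous, so refuse it
        raise ValueError("repeated query parameter(s): %s" % ", ".join(repeated))
    p = {k: v[0] for k, v in qs.items()}
    if not p.get("ProviderID"):
        raise ValueError("ProviderID is required")
    if "ProtocolBinding" in p and "AssertionConsumerServiceIndex" in p:
        raise ValueError("ProtocolBinding and AssertionConsumerServiceIndex "
                         "are mutually exclusive")
    if "ProtocolBinding" in p and p["ProtocolBinding"] not in ALLOWED_BINDINGS:
        raise ValueError("unsupported ProtocolBinding: %r" % p["ProtocolBinding"])
    if "AssertionConsumerServiceIndex" in p and not p["AssertionConsumerServiceIndex"].isdigit():
        raise ValueError("AssertionConsumerServiceIndex must be an integer")
    return p


def link_error(url):
    """Return the validation error for url, or None if the link is acceptable."""
    try:
        parse_authnrequest_link(url)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Reproduces the two sample links from the page (constructed inputs).
    print(build_authnrequest_link("http://ca.sp.com:90", "http://fedsrv.acme.com/smidp2for90"))
    print(build_authnrequest_link("http://ca.sp.com:90", "http://fedsrv.acme.com/smidp2for90",
                                  protocol_binding=BINDING_ARTIFACT))
    print(build_authnrequest_link("http://sp1.demo.com:81", "idp1.example.com", force_authn=True))
```

The builder reproduces the page's sample links byte for byte, which is a useful regression check when a link generator is changed; the parser is the mirror image and is what an SP-side proxy or a log-review script would run over received links to catch conflicting or repeated parameters before they reach the service.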
Copyright © 2010 CA. All rights reserved.