Federation Manager Guide › Delegated Authentication for Federation Users › How the Third Party WAM Passes the User Identity › Query String Method for Passing User Identity

Query String Method for Passing User Identity

A third-party WAM system can pass a user identity to Federation Manager by appending a query string on the redirect URL that sends the user from the WAM system to Federation Manager. For this method to work, the third-party WAM system has to configure a URL that redirects federated users to Federation Manager after they are authenticated.

If authentication is initiated at the WAM system, the process for delegated authentication using a query string is as follows:

Note: Authentication can also be initiated at Federation Manager or at the relying party.

1. The third-party WAM system receives an authentication request.
2. The user is authenticated.
3. The third-party WAM system constructs a redirect URL and adds the login ID and hashed login ID values to the query string in the format LoginID=LoginID&LoginIDHash=hashed_LoginID.

   Important! The LoginID and LoginIDHash parameters are case sensitive. Be sure to include them in the redirect URL as shown in the example.

   The hashing mechanism allows Federation Manager to verify that the user ID has been received unchanged.

   Example of a Redirect URL

   http://idp1.example.com:9090/affwebservices/public/saml2sso?SPID=FmSP&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&LoginID=jdoe&LoginIDHash=454d3bd5cb839168eeffcf060ae0b9c28ed6eec0

4. The WAM system redirects the browser to Federation Manager.
5. Federation Manager extracts the login ID and hashed login ID from the URL, validates the identifier using the hashed value, and locates the user in its user directory.
6. Federation Manager creates a user session.
7. After the session is created, federated communication with the relying party proceeds.

The following picture shows the query string method when authentication is initiated at the asserting party.