An unsolicited response that initiates single sign-on from the IdP can include the following query parameters:
SPID
(Required) Specifies the ID of the Service Provider to which the Identity Provider sends the unsolicited response.
ProtocolBinding
Specifies the ProtocolBinding element in the unsolicited response. This element specifies the protocol used when sending the assertion response to the Service Provider. If the Service Provider is not configured to support the specified protocol binding, the request fails.
The ProtocolBinding parameter is required only if both artifact and POST are enabled in the Service Provider properties. If both profiles are enabled, use the query parameter only to select artifact binding. Valid values:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Note: Do not HTTP-encode the query parameters.
Example: Unsolicited Response with ProtocolBinding
This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter. Additionally, the artifact binding is used, as specified by the ProtocolBinding query parameter. After the user clicks this hard-coded link, they are redirected to the local Single Sign-on service.
http://idp-ca:82/affwebservices/public/saml2sso?SPID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
When you do not use the ProtocolBinding query parameter, the following applies:
Example: Unsolicited Response without ProtocolBinding
This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter. No ProtocolBinding query parameter exists. After the user clicks this hard-coded link, they are redirected to the local Single Sign-on service.
http://fedsrv.fedsite.com:82/affwebservices/public/saml2sso?SPID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
RelayState
Specifies the target at the Service Provider. Use the RelayState query parameter to indicate the target destination; this parameter is optional, because the Service Provider can also have a configuration mechanism that indicates the target.
URL-encode the RelayState value.
Example
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
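The URL-construction and binding-selection rules above, as an added Python example (not code from the CA documentation): the function names are mine, the saml2sso path and the two binding URNs come from the page, and the set of bindings enabled at the Service Provider is a constructed stand-in for the SP properties.

```python
from urllib.parse import quote, urlsplit, parse_qs

# The two ProtocolBinding values the page lists for an unsolicited response.
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_PATH = "/affwebservices/public/saml2sso"  # IdP Single Sign-on service path from the page


def build_unsolicited_sso_url(idp_base, spid, protocol_binding=None, relay_state=None):
    """Assemble the IdP-initiated (unsolicited response) link.

    SPID and RelayState are URL-encoded, as in the page's examples; the
    ProtocolBinding URN is appended unencoded, which is how the page shows it.
    Raises ValueError for a binding URN the page does not define.
    """
    if protocol_binding is not None and protocol_binding not in (HTTP_ARTIFACT, HTTP_POST):
        raise ValueError("unknown ProtocolBinding: %r" % protocol_binding)
    params = ["SPID=" + quote(spid, safe="")]
    if protocol_binding is not None:
        params.append("ProtocolBinding=" + protocol_binding)
    if relay_state is not None:
        params.append("RelayState=" + quote(relay_state, safe=""))
    return idp_base.rstrip("/") + SSO_PATH + "?" + "&".join(params)


def effective_binding(url, sp_enabled_bindings):
    """Return the binding the Service Provider ends up using for this link.

    sp_enabled_bindings is the (constructed) set of bindings enabled in the
    SP properties. Follows the page's rules: a requested binding the SP does
    not support makes the request fail (None); with no parameter, POST is
    used when both profiles are enabled, otherwise the single enabled one.
    """
    query = parse_qs(urlsplit(url).query)
    requested = query.get("ProtocolBinding", [None])[0]
    if requested is not None:
        return requested if requested in sp_enabled_bindings else None
    if HTTP_POST in sp_enabled_bindings:
        return HTTP_POST
    return HTTP_ARTIFACT if HTTP_ARTIFACT in sp_enabled_bindings else None


def relay_state_of(url):
    """Decode the RelayState target carried in the link, or None if absent."""
    return parse_qs(urlsplit(url).query).get("RelayState", [None])[0]
```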
Copyright © 2011 CA. All rights reserved.