Query Parameter Processing by a SiteMinder IdP
If a Service Provider initiates single sign-on, that Service Provider can include a ForceAuthn or IsPassive query parameter in the AuthnRequest message. When a Service Provider includes either of these query parameters in the AuthnRequest message, a SiteMinder Identity Provider handles them as follows:
ForceAuthn Handling
When a Service Provider includes ForceAuthn=True in the AuthnRequest, a SiteMinder Identity Provider does the following:
- ForceAuthn=True in the AuthnRequest message, and a SOA Security Manager session exists for a particular user. The SOA Security Manager IdP rechallenges the user for credentials. If the user successfully authenticates, the IdP sends the identity information from the existing session in the assertion. The IdP discards the session generated for the reauthentication.
  A user can try to reauthenticate with different credentials than the original session. The SOA Security Manager IdP compares the userDN and the user directory OID for the current and existing sessions. If the sessions are not for the same user, it returns a SAML 2.0 response indicating that the authentication has failed.
- ForceAuthn=True in the AuthnRequest message, and there is no SiteMinder session. The SOA Security Manager IdP challenges the user for credentials. If the user successfully authenticates, a session is established.
IsPassive Handling
When a Service Provider includes IsPassive in the AuthnRequest, the IdP must not challenge the user, so one of the following SAML responses is sent back to the Service Provider:
- IsPassive=True in the AuthnRequest message, and there is no SOA Security Manager session. The SOA Security Manager Identity Provider returns a SAML response. This response includes an error message because SOA Security Manager requires a session.
- IsPassive=True in the AuthnRequest message, and there is a SOA Security Manager session. The SOA Security Manager Identity Provider returns the assertion.
- IsPassive and ForceAuthn are both in the AuthnRequest message and both are set to True. The SOA Security Manager Identity Provider returns an error because the request is invalid. IsPassive and ForceAuthn are mutually exclusive.
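The following is an added example, not code from SiteMinder or SOA Security Manager, that models the ForceAuthn and IsPassive rules in both sections above as one decision function: it parses the two flags from an SP-initiated SSO URL and then works out which response the IdP sends, including the userDN and directory OID comparison after a forced reauthentication. The `Session` class, the outcome strings, the `reauthenticate` callback, the sample userDN and OID values, and the behaviour when neither flag is present (plain SSO) are assumptions made for the illustration; the page describes the product's logic only in prose.

```python
# Added example (not product code): a model of the ForceAuthn / IsPassive
# decision rules a SAML 2.0 IdP applies to an SP-initiated AuthnRequest.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Session:
    """The two attributes the IdP compares after a ForceAuthn reauthentication.
    (Hypothetical structure; the real session store holds more than this.)"""
    user_dn: str
    directory_oid: str


def _saml_bool(params: Dict[str, List[str]], name: str) -> bool:
    """XML Schema boolean as used by SAML: 'true' or '1' is true;
    absent, empty, or any other value is treated as false."""
    values = params.get(name, [])
    return bool(values) and values[-1].strip().lower() in ("true", "1")


def parse_authn_flags(sso_url: str) -> Tuple[bool, bool]:
    """Extract (ForceAuthn, IsPassive) from the query string of an SSO URL."""
    query = parse_qs(urlsplit(sso_url).query, keep_blank_values=True)
    return _saml_bool(query, "ForceAuthn"), _saml_bool(query, "IsPassive")


def idp_decision(force_authn: bool, is_passive: bool,
                 existing: Optional[Session],
                 reauthenticate: Callable[[], Optional[Session]]
                 ) -> Tuple[str, Optional[Session]]:
    """Return (outcome, session whose identity goes into the assertion).

    `reauthenticate` stands in for the credential challenge: it returns the
    Session produced by a successful login, or None when the user fails.
    """
    # Both flags set: they are mutually exclusive, so the request is invalid.
    if force_authn and is_passive:
        return "error:invalid_request", None

    # IsPassive: the IdP may not challenge. Either an assertion from the
    # existing session, or an error because a session is required.
    if is_passive:
        if existing is None:
            return "error:no_session", None
        return "assertion", existing

    # ForceAuthn: always challenge, even when a session already exists.
    if force_authn:
        fresh = reauthenticate()
        if fresh is None:
            return "error:authn_failed", None      # challenge failed (assumed)
        if existing is None:
            return "assertion", fresh              # new session established
        # Existing session: identity must match on userDN and directory OID,
        # otherwise the response reports a failed authentication.
        if (fresh.user_dn, fresh.directory_oid) != \
                (existing.user_dn, existing.directory_oid):
            return "error:authn_failed", None
        # Same user: the assertion carries the existing session's identity
        # and the session created by the reauthentication is discarded.
        return "assertion", existing

    # Neither flag (assumed default, not described on this page): plain SSO.
    if existing is None:
        fresh = reauthenticate()
        return ("assertion", fresh) if fresh else ("error:authn_failed", None)
    return "assertion", existing


if __name__ == "__main__":
    # Constructed sample values; the URL path and SPID are placeholders.
    alice = Session("uid=alice,ou=people,dc=example,dc=test", "dir-oid-1")
    url = "https://idp.example.test/sso?SPID=sp.example.test&ForceAuthn=true"
    force, passive = parse_authn_flags(url)
    print(idp_decision(force, passive, alice, lambda: alice))
```

The `reauthenticate` callback isolates the one interactive step so the same function can be exercised for every row of the two sections above; in a real deployment the session comparison would run against the session store rather than against an in-memory dataclass.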