A SOA Security Manager Service Provider can use query parameters in the links to the AuthnRequest Service. The following are the allowable query parameters:
ProviderID
ID of the Identity Provider where the AuthnRequest Service sends the AuthnRequest message.
ProtocolBinding
Specifies the ProtocolBinding element in the AuthnRequest message. This element specifies the protocol used to return the SAML response from the Identity Provider. If the specified Identity Provider is not configured to support the specified protocol binding, the request fails.
If you use this parameter in the AuthnRequest, you cannot include the AssertionConsumerServiceIndex parameter also. They are mutually exclusive.
Required Use of the ProtocolBinding Query Parameter
The artifact and POST binding can be enabled for an authentication scheme. If you want to use only the artifact binding, the ProtocolBinding parameter is required.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Example: AuthnRequest Link with ProtocolBinding
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
A user clicks the link at the Service Provider. The Federation Web Services application requests an AuthnRequest message from the local Policy Server.
Optional Use of ProtocolBinding
When you do not use the ProtocolBinding query parameter, the following applies:
Note: Do not HTTP-encode the query parameters.
Example: AuthnRequest Link without ProtocolBinding
This sample link goes to the AuthnRequest service. The link specifies the Identity Provider in the ProviderID query parameter.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
A user clicks the link at the Service Provider. The Federation Web Services application requests an AuthnRequest message from the local Policy Server.
ForceAuthn
Indicates whether the SP forces the Identity Provider to authenticate a user even if there is an existing security context for that user.
Note: A user can try to reauthenticate with different credentials than the existing session. The IdP then compares the userDN and the user directory OID for the current and existing sessions. If the sessions are not for the same user, the IdP returns a SAML 2.0 response indicating that the authentication has failed.
Example
http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ForceAuthn=yes
RelayState
Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination, but this method is optional. Instead, you can specify the target in the SAML 2.0 authentication scheme configured using the FSS Administrative UI. The authentication scheme also has an option to override the target with the RelayState query parameter.
URL-encode the RelayState value.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
IsPassive
Determines whether the Identity Provider can interact with a user. If this query parameter is set to true, the Identity Provider must not interact with the user. Additionally, the IsPassive parameter is included with the AuthnRequest sent to the Identity Provider. If this query parameter is set to false, the Identity Provider can interact with the user.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp&IsPassive=true
AssertionConsumerServiceIndex
Specifies the index of the endpoint acting as the assertion consumer. The index tells the Identity Provider where to send the assertion response.
If you use this parameter in the AuthnRequest, you cannot include the ProtocolBinding parameter also. They are mutually exclusive.
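The rules above (ProviderID is the one parameter every link carries, ProviderID and RelayState are URL-encoded, the binding URN is one of the two values listed, and ProtocolBinding and AssertionConsumerServiceIndex never appear together) are easy to get wrong when links are assembled by hand. The following Python is an added example, not CA code: it builds a link to the saml2authnrequest service under those rules and checks an existing link against them. The hostnames and Identity Provider IDs are the constructed values from this page's examples; the service path is taken from those examples as well.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Service path as it appears in the page's example links.
AUTHNREQUEST_PATH = "/affwebservices/public/saml2authnrequest"

# The six query parameters the page lists as allowable.
ALLOWED_PARAMS = frozenset({
    "ProviderID", "ProtocolBinding", "ForceAuthn",
    "RelayState", "IsPassive", "AssertionConsumerServiceIndex",
})

# The two ProtocolBinding values the page names.
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ALLOWED_BINDINGS = frozenset({HTTP_ARTIFACT, HTTP_POST})


def build_authnrequest_link(base, provider_id, *, protocol_binding=None,
                            force_authn=False, relay_state=None,
                            is_passive=None, acs_index=None):
    """Return a link to the AuthnRequest service that follows the page's rules.

    base is the scheme://host:port of the Service Provider's Federation Web
    Services (constructed values below, not real hosts).
    """
    if protocol_binding is not None and acs_index is not None:
        raise ValueError("ProtocolBinding and AssertionConsumerServiceIndex "
                         "are mutually exclusive")
    if protocol_binding is not None and protocol_binding not in ALLOWED_BINDINGS:
        raise ValueError("unsupported ProtocolBinding: %r" % protocol_binding)

    # ProviderID and RelayState are URL-encoded as in the page's examples;
    # safe="" makes ':' and '/' come out as %3A and %2F.
    parts = ["ProviderID=" + quote(provider_id, safe="")]
    if protocol_binding is not None:
        # The page's example leaves the binding URN unencoded.
        parts.append("ProtocolBinding=" + protocol_binding)
    if force_authn:
        parts.append("ForceAuthn=yes")  # value used in the page's example
    if relay_state is not None:
        parts.append("RelayState=" + quote(relay_state, safe=""))
    if is_passive is not None:
        parts.append("IsPassive=" + ("true" if is_passive else "false"))
    if acs_index is not None:
        parts.append("AssertionConsumerServiceIndex=%d" % int(acs_index))
    return base.rstrip("/") + AUTHNREQUEST_PATH + "?" + "&".join(parts)


def check_authnrequest_link(url):
    """Return the list of rule violations found in an existing link (empty if none)."""
    problems = []
    split = urlsplit(url)
    if split.path != AUTHNREQUEST_PATH:
        problems.append("path is not the AuthnRequest service: %s" % split.path)
    params = parse_qs(split.query, keep_blank_values=True)

    for name in sorted(params):
        if name not in ALLOWED_PARAMS:
            problems.append("unknown query parameter: %s" % name)
        elif len(params[name]) > 1:
            problems.append("query parameter repeated: %s" % name)
    if "ProviderID" not in params:
        problems.append("ProviderID is missing")
    if "ProtocolBinding" in params and "AssertionConsumerServiceIndex" in params:
        problems.append("ProtocolBinding and AssertionConsumerServiceIndex "
                        "are mutually exclusive")
    for binding in params.get("ProtocolBinding", []):
        if binding not in ALLOWED_BINDINGS:
            problems.append("unsupported ProtocolBinding: %s" % binding)
    return problems


if __name__ == "__main__":
    # Reproduces the page's artifact-binding example link.
    print(build_authnrequest_link("http://ca.sp.com:90",
                                  "http://fedsrv.acme.com/smidp2for90",
                                  protocol_binding=HTTP_ARTIFACT))
    # A link that breaks the mutual-exclusion rule and carries an unlisted parameter.
    print(check_authnrequest_link(
        "http://www.spdemo.com:81" + AUTHNREQUEST_PATH +
        "?ProviderID=idp.demo&ProtocolBinding=" + HTTP_POST +
        "&AssertionConsumerServiceIndex=0&Target=x"))
```

The checker is meant for reviewing links already embedded in Service Provider pages: any parameter outside the six the page lists, a repeated parameter, a missing ProviderID, an unlisted binding URN, or both ProtocolBinding and AssertionConsumerServiceIndex present is reported rather than silently passed to the Federation Web Services application.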
Copyright © 2011 CA. All rights reserved.