The query parameters a CA SiteMinder® Federation Standalone SP can use in the links to the AuthnRequest Service are as follows:
Entity ID of the Identity Provider where thethe AuthnRequest Service.sends AuthnRequest message.
Specifies the ProtocolBinding element in the AuthnRequest message. This element specifies the protocol used to return the SAML response from the Identity Provider. If the specified Identity Provider is not configured to support the specified protocol binding, the request fails.
If you use this parameter in the AuthnRequest, you cannot include the AssertionConsumerServiceIndex parameter also. They are mutually exclusive.
Instructs the Identity Provider that it must authenticate a user directly instead of relying on an existing security context. Use this query parameter when the Identity Provider is using CA SiteMinder® Federation Standalone, not if it is using third-party federation software.
Example
http://sp1.demo.com:81/affwebservices/public/saml2authnrequest?
ProviderID=idp1.example.com&ForceAuthn=yes
Specifies the index of the endpoint acting as the Assertion Consumer Service. It tells the Identity Provider where to send the assertion response.
If you use this parameter in the AuthnRequest, do not include the ProtocolBinding parameter also because they are mutually exclusive. The Assertion Consumer Service has its own protocol binding, which could conflict with the ProtocolBinding parameter.
Indicates the URL of the target resource at the Service Provider. By including this query parameter, it tells the Service Provider where to send the user. Otherwise, the default target defined for the partnership is used.
The ProtocolBinding parameter is required if artifact and POST binding are enabled for the partnership, and if the user wants to use only the artifact binding.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
When you do not use the ProtocolBinding query parameter, the following applies:
Note: You do not need to HTTP-encode the query parameters.
Example: AuthnRequest Link without the ProtocolBinding Query Parameter
This sample link goes to the AuthnRequest service. It specifies the Identity Provider in the ProviderID query parameter.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?
ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
After a user clicks the link at the Service Provider, CA SiteMinder® Federation Standalone passes a request for an AuthnRequest message.
Example: AuthnRequest Link with the ProtocolBinding Query Parameter the
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?
ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&
ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
After a user clicks the link at the Service Provider, CA SiteMinder® Federation Standalone passes a request for an AuthnRequest message.
A user can visit the Identity Provider (IP) before going to the Resource Partner (RP). If the user visits the Identity Provider first, a link must generate an HTTP Get request. The hard-coded link points to the passive requester service at the IP. The request contains the RP Provider ID and optionally other parameters.
The syntax for the link is:
https://ip_server:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=rp_id
Specifies the server and port number of the system at the Identity Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.
The ID of the RP.
When a user starts at the RP to initiate single sign-on, typically the user selects from a list of IPs. The site selection page is in an unprotected realm.
The link on the site selection page points to the passive requester service at an IP. After the link is selected, the RP redirects the user to the IP to get the assertion.
|
Copyright © 2013 CA.
All rights reserved.
|
|