ForceAuthn and IsPassive Processing at the IdP

CA SiteMinder® Federation Standalone Guide › URLs to Initiate Single Sign-on › IdP-initiated SSO (SAML 2.0 Artifact or POST) › ForceAuthn and IsPassive Processing at the IdP

ForceAuthn and IsPassive Processing at the IdP

If single sign-on is initiated by a Service Provider, that Service Provider may include a ForceAuthn or IsPassive query parameter in an AuthnRequest message.

Note: CA SiteMinder® Federation Standalone Identity Providers do not support the IsPassive query parameter; however, the IsPassive parameter may be included in an AuthnRequest message sent by a third-party Service Provider.

When a Service Provider includes ForceAuthn or IsPassive in the AuthnRequest, a CA SiteMinder® Federation Standalone Identity Provider handles these query parameters as follows:

ForceAuthn Handling

When a Service Provider includes ForceAuthn=True in the AuthnRequest message, a CA SiteMinder® Federation Standalone Identity Provider challenges the user for their credentials, regardless of whether or not a CA SiteMinder® Federation Standalone session exists. If the user successfully authenticates, a session is established.

IsPassive Handling

When a Service Provider includes IsPassive in the AuthnRequest and it cannot be honored by the Identity Provider, one of the following SAML responses is sent back to the Service Provider:

If IsPassive=True in the AuthnRequest message and there is no CA SiteMinder® Federation Standalone session, a CA SiteMinder® Federation Standalone Identity Provider returns a SAML response that includes an error message because CA SiteMinder® Federation Standalone requires a session.
If IsPassive=True in the AuthnRequest message and there is a CA SiteMinder® Federation Standalone session, the CA SiteMinder® Federation Standalone Identity Provider returns the assertion.
If IsPassive and ForceAuthn are in the AuthnRequest message and both are set to True, the CA SiteMinder® Federation Standalone Identity Provider returns an error because this is an invalid request. IsPassive and ForceAuthn are mutually exclusive.

SP-initiated SSO (SAML 2.0)

SP-initiated SSO requires that you have an HTML page at the Service Provider containing hard-coded links to the AuthnRequest service at the Service Provider. The links redirect the user to the Identity Provider to be authenticated and determining what is included in the AuthnRequest itself.

This information applies to Artifact or POST bindings.

The hard-coded link that the user selects must contain specific query parameters, which are used in an HTTP GET request to the AuthnRequest service.

Note: The page with these hard-coded links has to reside in an unprotected realm.

To specify the use of artifact or profile binding for the transaction, the syntax for the link is:

http://sp_server:port/affwebservices/public/saml2authnrequest?
ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&
RelayState=target_URL

sp_server:port

Specifies the server and port number at the Service Provider that is hosting CA SiteMinder® Federation Standalone.

IdP_ID

Specifies the identity that is assigned to the Identity Provider.

URI_of_binding

Identifies the URI of the POST or Artifact binding for the ProtocolBinding element. The SAML 2.0 specification defines this URI.

The URI for the artifact binding is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
The URI for the POST binding is:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

You do not need to set this parameter for HTTP-POST single sign-on.

Also, enable a binding for the partnership for the request to work.

target_URL

Specifies the URL of the federation target at the Service Provider.

Note the following information:

If you do not include the ProtocolBinding query parameter in the AuthnRequest link, the default binding is the one defined for the partnership. If you have both bindings defined in the partnership, then no binding is passed in the AuthnRequest. As a result, the default binding at the Identity Provider is used.
If the artifact and POST bindings are enabled for the partnership but you only want to use artifact binding, include the ProtocolBinding query parameter in the link.