Federation Security Services Guide › Identify Service Providers for a SAML 2.0 Identity Provider › Set Up Links at the IdP or SP to Initiate Single Sign-on › Identity Provider-initiated SSO (POST or artifact binding) › Unsolicited Response Query Parameters Used by a SiteMinder IdP

Unsolicited Response Query Parameters Used by a SiteMinder IdP

An unsolicited response that initiates single sign-on from the IdP can include the following query parameters:

• SPID
• ProtocolBinding
• RelayState

• SPID

  (Required) Specifies the ID of the Service Provider where the Identity Provider sends the unsolicited response.

• ProtocolBinding

  Specifies the ProtocolBinding element in the unsolicited response. This element specifies the protocol used when sending the assertion response to the Service Provider. If the Service Provider is not configured to support the specified protocol binding, the request will fail.

  • Required Use of the ProtocolBinding Query Parameter

  Use of the ProtocolBinding query parameter is required only if artifact and POST binding are enabled for the Service Provider properties and the user wants to only use artifact binding.

  • The URI for the artifact binding, as specified by the SAML 2.0 specification is:

    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

  • The URI for the POST binding, as specified by the SAML 2.0 specification is:

    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

    You do not need to set this parameter for HTTP-POST single sign-on.

  Note: You do not need to HTTP-encode the query parameters.

  Example: Unsolicited Response with ProtocolBinding

  This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter and the artifact binding is being used, as specified by the bindings query parameter. After the user clicks this hard coded link, they are redirected to the local Single Sign-on service.

  http://idp-ca:82/affwebservices/public/saml2sso?SPID=http%3A%2F%2Ffedsrv.acme.com
  %2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
  

  • Optional Use of the ProtocolBinding Query Parameter

  When you do not use the ProtocolBinding query parameter the following applies:

  • If only one binding is enabled for the Service Provider and the ProtocolBinding is not specified in the unsolicited response, the enabled binding is used.
  • If both bindings are enabled for the Service Provider and the ProtocolBinding is not specified in the unsolicited response, the POST binding is used by default.

    Example: Unsolicited Response without ProtocolBinding

    This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter. There is no ProtocolBinding query parameter. After the user clicks this hard coded link, they are redirected to the local Single Sign-on service.

    http://fedsrv.fedsite.com:82/affwebservices/public/saml2sso?SPID=
    http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
    

• RelayState

  Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination; however, this method is optional because there may be a configuration mechanism at the Service Provider itself to indicate the target.

  Example

  http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=
  http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&
  RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp