The query parameters a SiteMinder Service Provider can use in the links to the AuthnRequest Service are as follows:
ProviderID
The ID of the Identity Provider to which the AuthnRequest Service sends the AuthnRequest message.
ProtocolBinding
Specifies the ProtocolBinding element in the AuthnRequest message. This element specifies the protocol used to return the SAML response from the Identity Provider. If the specified Identity Provider is not configured to support the specified protocol binding, the request fails.
If you use this parameter in the AuthnRequest, you cannot also include the AssertionConsumerServiceIndex parameter. The two are mutually exclusive.
Required Use of the ProtocolBinding Query Parameter
Use of the ProtocolBinding parameter is required if both the artifact and POST bindings are enabled for an authentication scheme and the user wants to use only the artifact binding. The valid values are:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Example: AuthnRequest Link with ProtocolBinding
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
After a user clicks the link at the Service Provider, the Federation Web Services application passes a request for an AuthnRequest message from the local Policy Server.
Optional Use of ProtocolBinding
When you do not use the ProtocolBinding query parameter, the following applies:
Note: You do not need to HTTP-encode the query parameters.
Example: AuthnRequest Link without ProtocolBinding
This sample link goes to the AuthnRequest service. It specifies the Identity Provider in the ProviderID query parameter.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
After a user clicks the link at the Service Provider, the Federation Web Services application passes a request for an AuthnRequest message from the local Policy Server.
ForceAuthn
Instructs the Identity Provider that it must authenticate the user directly instead of relying on an existing security context. Use this query parameter when the Identity Provider is not running SiteMinder but third-party federation software.
Example
http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ForceAuthn=yes
RelayState
Specifies the target at the Service Provider. Using the RelayState query parameter to indicate the target destination is optional. Instead, you can specify the target in the SAML 2.0 authentication scheme configured in the FSS Administrative UI. The authentication scheme also has an option to let the RelayState query parameter override that target if you choose.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
IsPassive
Determines whether the Identity Provider can interact with the user. If this query parameter is set to true, the Identity Provider must not interact with the user, and the IsPassive attribute is included in the AuthnRequest sent to the Identity Provider. If this query parameter is set to false, the Identity Provider may interact with the user.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp&IsPassive=true
AssertionConsumerServiceIndex
Specifies the index of the endpoint acting as the assertion consumer. It tells the Identity Provider where to send the assertion response.
If you use this parameter in the AuthnRequest, you cannot also include the ProtocolBinding parameter. The two are mutually exclusive.
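The following Python helper, added here as an example and not part of the SiteMinder product or this documentation, assembles an AuthnRequest Service link from these parameters and checks an existing link against the rules above (ProviderID required, ProtocolBinding limited to the two listed URNs, ProtocolBinding and AssertionConsumerServiceIndex mutually exclusive). The Service Provider base URL and the check function names are assumptions for the example; values are percent-encoded as the page's examples show.

```python
from urllib.parse import parse_qs, quote, urlsplit

# The two ProtocolBinding values the documentation lists.
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
VALID_BINDINGS = {HTTP_ARTIFACT, HTTP_POST}
AUTHNREQUEST_PATH = "/affwebservices/public/saml2authnrequest"


def check_params(params):
    """Apply the documented rules to a dict of query parameters; raise on a violation."""
    if not params.get("ProviderID"):
        raise ValueError("ProviderID is required")
    binding = params.get("ProtocolBinding")
    if binding is not None and "AssertionConsumerServiceIndex" in params:
        raise ValueError("ProtocolBinding and AssertionConsumerServiceIndex are mutually exclusive")
    if binding is not None and binding not in VALID_BINDINGS:
        raise ValueError("unsupported ProtocolBinding: " + binding)
    return params


def build_authnrequest_link(sp_base, provider_id, protocol_binding=None,
                            acs_index=None, relay_state=None,
                            force_authn=False, is_passive=None):
    """Assemble a link to the AuthnRequest Service at sp_base (e.g. http://ca.sp.com:90)."""
    params = {"ProviderID": provider_id}
    if protocol_binding is not None:
        params["ProtocolBinding"] = protocol_binding
    if acs_index is not None:
        params["AssertionConsumerServiceIndex"] = str(int(acs_index))
    if relay_state is not None:
        params["RelayState"] = relay_state
    if force_authn:
        params["ForceAuthn"] = "yes"
    if is_passive is not None:
        params["IsPassive"] = "true" if is_passive else "false"
    check_params(params)
    # Percent-encode every value except the binding URN, which the examples show verbatim.
    pairs = [k + "=" + (v if k == "ProtocolBinding" else quote(v, safe=""))
             for k, v in params.items()]
    return sp_base + AUTHNREQUEST_PATH + "?" + "&".join(pairs)


def check_authnrequest_link(url):
    """Decode an existing link and return its parameters after applying the same rules."""
    parts = urlsplit(url)
    if parts.path != AUTHNREQUEST_PATH:
        raise ValueError("not an AuthnRequest Service link: " + parts.path)
    raw = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    if any(len(v) != 1 for v in raw.values()):
        raise ValueError("a query parameter is repeated")
    return check_params({k: v[0] for k, v in raw.items()})
```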
Copyright © 2010 CA. All rights reserved.