The query parameters a SiteMinder Service Provider can use in the links to the AuthnRequest Service are as follows:
ProviderID
ID of the Identity Provider where the AuthnRequest message is sent by the AuthnRequest Service.
ProtocolBinding
Specifies the ProtocolBinding element in the AuthnRequest message. This element specifies the protocol used to return the SAML response from the Identity Provider. If the specified Identity Provider is not configured to support the specified protocol binding, the request will fail.
If you use this parameter in the AuthnRequest, you cannot include the AssertionConsumerServiceIndex parameter also. They are mutually exclusive.
Required Use of the ProtocolBinding Query Parameter
Use of the ProtocolBinding parameter is required if artifact and POST binding are enabled for an authentication scheme and the user wants to use only the artifact binding.
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
You do not need to set this parameter for HTTP-POST single sign-on.
Example: AuthnRequest Link with ProtocolBinding
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
After a user clicks the link at the Service Provider, the Federation Web Services application passes a request for an AuthnRequest message from the local Policy Server.
Optional Use of ProtocolBinding
When you do not use the ProtocolBinding query parameter, the following applies:
Note: You do not need to HTTP-encode the query parameters.
Example: AuthnRequest Link without ProtocolBinding
This sample link goes to the AuthnRequest service. It specifies the Identity Provider in the ProviderID query parameter.
http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
After a user clicks the link at the Service Provider, the Federation Web Services application passes a request for an AuthnRequest message from the local Policy Server.
ForceAuthn
Indicates whether the SP forces the Identity Provider to authenticate a user even if there is an existing security context for that user.
Example
http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&ForceAuthn=yes
RelayState
Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination, but this method is optional. Instead, you can specify the target in the SAML 2.0 authentication scheme configured using the Policy Server User Interface. The authentication scheme also has an option to override the target with the RelayState query parameter if you choose.
You should URL-encode the RelayState value.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
IsPassive
Determines whether or not the Identity Provider can interact with a user. If this query parameter is set to true, the Identity Provider must not interact with the user. Additionally, the IsPassive parameter is included with the AuthnRequest sent to the Identity Provider. If this query parameter is set to false, the Identity Provider may interact with the user.
Example
http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp&IsPassive=true
AssertionConsumerServiceIndex
Specifies the index of the endpoint acting as the assertion consumer. It tells the Identity Provider where to send the assertion response.
If you use this parameter in the AuthnRequest, you cannot include the ProtocolBinding parameter also. They are mutually exclusive.
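The following Python helper is an added example, not CA's code or part of the SiteMinder product: it builds a link to the AuthnRequest Service from the query parameters described above (ProviderID, ProtocolBinding, AssertionConsumerServiceIndex, ForceAuthn, RelayState, IsPassive), URL-encodes ProviderID and RelayState the way the page's examples do, and enforces the two rules the page states: ProtocolBinding must be one of the two listed binding URIs, and ProtocolBinding and AssertionConsumerServiceIndex are mutually exclusive. A second function checks an existing link against the same rules, which is useful when reviewing links embedded in SP pages. The service URL, the allowed RelayState host list and the rule that RelayState must be an absolute URL on one of the SP's own hosts are assumptions of this example, not requirements stated on the page.

```python
from urllib.parse import quote, urlsplit, parse_qs

# The two binding URIs listed on the page for ProtocolBinding.
PROTOCOL_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample values for this example (assumptions, not from the page's product).
AUTHNREQUEST_SERVICE = "http://www.spdemo.com:81/affwebservices/public/saml2authnrequest"
ALLOWED_RELAY_HOSTS = {"www.spdemo.com"}


def _validate_relay_state(relay_state, allowed_hosts):
    """Assumption of this example: RelayState names a target at the SP, so it must be an
    absolute http(s) URL whose host is one of the SP's own hosts."""
    parts = urlsplit(relay_state)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        raise ValueError("RelayState must be an absolute http(s) URL")
    if parts.hostname not in allowed_hosts:
        raise ValueError("RelayState host %r is not an allowed SP host" % parts.hostname)


def build_authnrequest_link(service_url, provider_id, protocol_binding=None,
                            acs_index=None, force_authn=False, is_passive=None,
                            relay_state=None, allowed_relay_hosts=ALLOWED_RELAY_HOSTS):
    """Build a link to the AuthnRequest Service with the page's query parameters."""
    if not provider_id:
        raise ValueError("ProviderID is required")
    if protocol_binding is not None and acs_index is not None:
        raise ValueError("ProtocolBinding and AssertionConsumerServiceIndex are mutually exclusive")
    if protocol_binding is not None and protocol_binding not in PROTOCOL_BINDINGS:
        raise ValueError("unsupported ProtocolBinding: %s" % protocol_binding)
    if acs_index is not None and (not isinstance(acs_index, int) or acs_index < 0):
        raise ValueError("AssertionConsumerServiceIndex must be a non-negative integer")
    if relay_state is not None:
        _validate_relay_state(relay_state, allowed_relay_hosts)

    params = [("ProviderID", provider_id)]
    if protocol_binding is not None:
        params.append(("ProtocolBinding", protocol_binding))
    if acs_index is not None:
        params.append(("AssertionConsumerServiceIndex", str(acs_index)))
    if force_authn:
        params.append(("ForceAuthn", "yes"))        # value used in the page's example
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if is_passive is not None:
        params.append(("IsPassive", "true" if is_passive else "false"))

    # ProviderID and RelayState are fully percent-encoded (':' and '/' become %3A and %2F),
    # matching the page's examples; the binding URN is left readable as on the page.
    encoded = []
    for name, value in params:
        safe = ":" if name == "ProtocolBinding" else ""
        encoded.append("%s=%s" % (name, quote(value, safe=safe)))
    return service_url + "?" + "&".join(encoded)


def check_authnrequest_link(url, allowed_relay_hosts=ALLOWED_RELAY_HOSTS):
    """Return a list of rule violations found in an existing AuthnRequest Service link
    (empty list means the link passes every check)."""
    problems = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "ProviderID" not in query:
        problems.append("missing ProviderID")
    if "ProtocolBinding" in query and "AssertionConsumerServiceIndex" in query:
        problems.append("ProtocolBinding and AssertionConsumerServiceIndex are mutually exclusive")
    for binding in query.get("ProtocolBinding", []):
        if binding not in PROTOCOL_BINDINGS:
            problems.append("unsupported ProtocolBinding: %s" % binding)
    for index in query.get("AssertionConsumerServiceIndex", []):
        if not index.isdigit():
            problems.append("AssertionConsumerServiceIndex is not an integer: %r" % index)
    for relay_state in query.get("RelayState", []):   # parse_qs has already URL-decoded it
        try:
            _validate_relay_state(relay_state, allowed_relay_hosts)
        except ValueError as err:
            problems.append(str(err))
    for value in query.get("IsPassive", []):
        if value not in ("true", "false"):
            problems.append("IsPassive must be true or false, got %r" % value)
    return problems


if __name__ == "__main__":
    print(build_authnrequest_link(AUTHNREQUEST_SERVICE, "idp.demo",
                                  relay_state="http://www.spdemo.com/apps/app.jsp",
                                  is_passive=True))
```

Run stand-alone, the script prints a link identical to the page's IsPassive example. Passing the page's ProtocolBinding example through check_authnrequest_link returns no problems, while a link carrying both ProtocolBinding and AssertionConsumerServiceIndex, or a RelayState pointing at a host outside the allowed set, is reported.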
Copyright © 2011 CA. All rights reserved.