Query Parameter Processing by a SiteMinder IdP
If single sign-on is initiated by a Service Provider, that Service Provider may include a ForceAuthn or IsPassive query parameter in an AuthnRequest message.
When a Service Provider includes ForceAuthn or IsPassive in the AuthnRequest, a SiteMinder Identity Provider handles these query parameters as follows:
ForceAuthn Handling
When a Service Provider includes ForceAuthn=True in the AuthnRequest, a SiteMinder Identity Provider does the following:
- If ForceAuthn=True in the AuthnRequest message, and a SiteMinder session exists for a particular user, the SiteMinder Identity Provider re-challenges the user for credentials. If the user successfully authenticates, the IdP sends the identity information from the existing session in the assertion and discards the session generated for the re-authentication.
- If ForceAuthn=True in the AuthnRequest message and there is no SiteMinder session, the SiteMinder IdP challenges the user for credentials. If the user successfully authenticates, a session is established.
IsPassive Handling
When a Service Provider includes IsPassive in the AuthnRequest, the SiteMinder Identity Provider responds as follows; if the request cannot be honored, a SAML response carrying an error is sent back to the Service Provider:
- If IsPassive=True in the AuthnRequest message and there is no SiteMinder session, a SiteMinder Identity Provider returns a SAML response that includes an error message because SiteMinder requires a session.
- If IsPassive=True in the AuthnRequest message and there is a SiteMinder session, the SiteMinder Identity Provider returns the assertion.
- If IsPassive and ForceAuthn are in the AuthnRequest message and both are set to True, the SiteMinder Identity Provider returns an error because this is an invalid request. IsPassive and ForceAuthn are mutually exclusive.
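The decision table above, as an added Python model of the IdP's handling of the two flags (example code, not SiteMinder's own). The Session and IdpOutcome types, the challenge callback, case-insensitive matching of True, an error outcome when a ForceAuthn re-challenge fails, and ordinary SSO behaviour when neither flag is present are assumptions; the page does not state the last two.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs

# Constructed model of the ForceAuthn / IsPassive decisions described above.
# Assumptions: a session is reduced to its user name; "True" is matched
# case-insensitively; a failed ForceAuthn re-challenge yields an error; with
# neither flag the IdP uses the existing session or challenges (normal SSO).
@dataclass
class Session:
    user: str

@dataclass
class IdpOutcome:
    kind: str                          # "assertion" or "error"
    user: Optional[str] = None         # identity carried in the assertion
    detail: str = ""
    session: Optional[Session] = None  # session that remains afterwards

def _flag(params: dict, name: str) -> bool:
    values = params.get(name)
    return bool(values) and values[0].strip().lower() == "true"

def process_authn_request(query: str, session: Optional[Session],
                          challenge: Callable[[], Optional[Session]]) -> IdpOutcome:
    """query: AuthnRequest query string; session: current SiteMinder session or None;
    challenge: prompts for credentials, returns a new Session or None on failure."""
    params = parse_qs(query)
    force_authn, is_passive = _flag(params, "ForceAuthn"), _flag(params, "IsPassive")
    if force_authn and is_passive:  # invalid request: the flags are mutually exclusive
        return IdpOutcome("error", detail="ForceAuthn and IsPassive both True", session=session)
    if is_passive:  # no challenge allowed: a session must already exist
        if session is None:
            return IdpOutcome("error", detail="IsPassive set but no SiteMinder session")
        return IdpOutcome("assertion", user=session.user, session=session)
    if force_authn:  # always re-challenge, even when a session exists
        new_session = challenge()
        if new_session is None:
            return IdpOutcome("error", detail="re-authentication failed", session=session)
        if session is not None:  # identity from the existing session; re-auth session discarded
            return IdpOutcome("assertion", user=session.user, detail="existing session retained",
                              session=session)
        return IdpOutcome("assertion", user=new_session.user, detail="new session established",
                          session=new_session)
    if session is not None:  # neither flag: ordinary SSO
        return IdpOutcome("assertion", user=session.user, session=session)
    new_session = challenge()
    if new_session is None:
        return IdpOutcome("error", detail="authentication failed")
    return IdpOutcome("assertion", user=new_session.user, session=new_session)
```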