Federation › Federation Security Services Guide › Configure SiteMinder as a SAML 2.0 Identity Provider › Set Up Links at the IdP or SP to Initiate Single Sign-on › Identity Provider-initiated SSO (POST or artifact binding) › Unsolicited Response Query Parameters Used by a SiteMinder IdP

Unsolicited Response Query Parameters Used by a SiteMinder IdP

An unsolicited response that initiates single sign-on from the IdP can include the following query parameters:

• SPID
• ProtocolBinding
• RelayState

SPID

(Required) Specifies the ID of the Service Provider where the Identity Provider sends the unsolicited response.

ProtocolBinding

Specifies the ProtocolBinding element in the unsolicited response. This element specifies the protocol used when sending the assertion response to the Service Provider. If the Service Provider is not configured to support the specified protocol binding, the request will fail.

Required Use of the ProtocolBinding Query Parameter

Use of the ProtocolBinding query parameter is required only if artifact and POST binding are enabled for the Service Provider properties and the user wants to only use artifact binding.

• The URI for the artifact binding, as specified by the SAML 2.0 specification is:

  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

• The URI for the POST binding, as specified by the SAML 2.0 specification is:

  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

  You do not need to set this parameter for HTTP-POST single sign-on.

Note: You do not need to HTTP-encode the query parameters.

Example: Unsolicited Response with ProtocolBinding

This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter and the artifact binding is being used, as specified by the bindings query parameter. After the user clicks this hard coded link, they are redirected to the local Single Sign-on service.

http://idp-ca:82/affwebservices/public/saml2sso?SPID=http%3A%2F%2Ffedsrv.acme.com
%2Fsmidp2for90&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact

Optional Use of the ProtocolBinding Query Parameter

When you do not use the ProtocolBinding query parameter the following applies:

• If only one binding is enabled for the Service Provider and the ProtocolBinding is not specified in the unsolicited response, the enabled binding is used.
• If both bindings are enabled for the Service Provider and the ProtocolBinding is not specified in the unsolicited response, the POST binding is used by default.

  Example: Unsolicited Response without ProtocolBinding

  This link redirects the user to the Single Sign-on service. Included in this link is the Service Provider identity, specified by the SPID query parameter. There is no ProtocolBinding query parameter. After the user clicks this hard coded link, they are redirected to the local Single Sign-on service.

  http://fedsrv.fedsite.com:82/affwebservices/public/saml2sso?SPID=
  http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90
  

RelayState

Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination; however, this method is optional because there may be a configuration mechanism at the Service Provider itself to indicate the target.

You should URL-encode the RelayState value.

Example

http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=
http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&
RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp