From a532329c5d798fae71ea1772efefb25926dbf88b Mon Sep 17 00:00:00 2001 From: Olav Morken <olav.morken@uninett.no> Date: Fri, 5 Aug 2011 13:44:13 +0000 Subject: [PATCH] Clean up and expand the IdP first section in the documentation. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2880 44740490-163a-0410-bde0-09ae8108e29a --- docs/simplesamlphp-idp-more.txt | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/docs/simplesamlphp-idp-more.txt b/docs/simplesamlphp-idp-more.txt index 1f1e5fba4..25fcaf049 100644 --- a/docs/simplesamlphp-idp-more.txt +++ b/docs/simplesamlphp-idp-more.txt 
@@ -46,11 +46,36 @@ If you do not want to start the SSO flow at the SP, you may use the IdP-first se Here is an example of such an url: - https://sp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=dev.andreas.feide.no + https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=dev.andreas.feide.no -When the IdP-first flow is used an extra parameter is needed in the `saml20-sp-hosted` metadata. This is the `RelayState` parameter that tells the SP which URL to redirect the user to after the user is successfully authenticated. This typically is the frontpage of your application. An example of this can be: +You can also add a RelayState parameter to the IdP-first URL: - 'RelayState' => '/', + https://idp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=urn:mace:feide.no:someservice&RelayState=https://sp.example.org/somepage + +The RelayState parameter is often uset do carry the URL the SP should redirect to after authentication. + + +### IdP first with SAML 1.1 + +A SAML 1.1 SP does not send an authentication request to the IdP, but instead triggers IdP initiated authentication directly. +If you want to do it manually, you can access the following URL: + + https://idp.example.org/simplesaml/shib13/idp/SSOService.php?providerId=urn:mace:feide.no:someservice&shire=https://sp.example.org/acs-endpoint&target=https://sp.example.org/somepage + +The parameters are as follows: + +`providerID` +: The entityID of the SP. + This parameter is required. + +`shire` +: The AssertionConsumerService endpoint of the SP. + This parameter is required. + +`target` +: The target parameter the SP should receive. + This is often the page the user should be sent to after authentication. + This parameter is optional for the IdP, but must be specified if the SP you are targeting is running simpleSAMLphp SP. IdP-initiated logout -- GitLab
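Review bot: In the new "IdP first with SAML 1.1" section the example URL spells the parameter `providerId`, while the definition list right below it documents `providerID`. The two should use the same spelling, the one the endpoint actually reads, so that a reader copying the list entry does not end up with a request the IdP rejects. In the added RelayState sentence, "uset do carry" should read "used to carry". The example values for `RelayState`, `shire` and `target` are full URLs placed unencoded in the query string; showing them percent-encoded would keep the examples safe to copy when the destination itself carries a query string. Since the text describes both `RelayState` and `target` as the URL the user is sent to after authentication, and both arrive as request parameters, consider adding a sentence that tells SP operators to check the value against their own allowed URLs before redirecting.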