OpenAM spSingleLogoutInit.jsp Parameters

spSingleLogoutInit.jsp is used to initiate SLO from the service provider side, so call this on the service provider not

spSingleLogoutInit.jsp Parameters:
binding
(Required) Use this parameter to indicate what binding to use for the operation. For example, specify binding=HTTP-POST to use HTTP POST binding with a self-submitting form rather than the default HTTP redirect binding. In addition to binding=HTTP-POST, you can also use binding=HTTP-Artifact.

idpEntityID
(Required for Fedlets) Use this parameter to indicate the remote identity provider. If the binding is not set, then OpenAM uses this parameter to find the default binding. Make sure you URL encode the value. For example, specify idpEntityID=http://www.sp.example:8080/openam as idpEntityID=http%3A%2F%2Fwww.idp.example%3A8080%2Fopenam.

NameIDValue
(Required for Fedlets) Use this parameter to indicate the SAML Name Identifier for the user.

SessionIndex
(Required for Fedlets) Use this parameter to indicate the sessionIndex of the user session to terminate.

Consent
(Optional) Use this parameter to specify a URI that is a SAML Consent Identifier.

Destination
(Optional) Use this parameter to specify a URI Reference indicating the address to which the request is sent.

Extension
(Optional) Use this parameter to specify a list of Extensions as string objects.

goto
(Optional) Use this parameter to specify where to redirect the user when the process is complete. RelayState takes precedence over this parameter.

RelayState
(Optional) Use this parameter to specify where to redirect the user when the process is complete. Make sure you URL encode the value. For example, RelayState=http%3A%2F%2Fopenam.forgerock.org takes the user to http://openam.forgerock.org.

spEntityID
(Optional, for Fedlets) Use this parameter to indicate the Fedlet entity ID. When missing, OpenAM uses the first entity ID in the metadata.

Example 11.1. SSO & SLO From the Service Provider

The following URL takes the user from the service provider side to authenticate at the identity provider and then come back to the end user profile page at the service provider after successful SSO. Lines are folded to show you the query string parameters.

http://www.sp.example:8080/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp
&idpEntityID=http%3A%2F%2Fwww.idp.example%3A8080%2Fopenam
&RelayState=http%3A%2F%2Fwww.sp.example%3A8080%2Fopenam%2Fidm%2FEndUser

The following URL initiates SLO from the service provider side, leaving the user at http://openam.forgerock.org.

http://www.sp.example:8080/sp/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp
&idpEntityID=http%3A%2F%2Fdesktop.example.example%3A8080%2Fopenam
&RelayState=http%3A%2F%2Fopenam.forgerock.org
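As an added example (not code from the OpenAM documentation), the following Python builds the SP-initiated SLO URL with the percent-encoding the idpEntityID and RelayState parameters call for, and works out the documented RelayState-over-goto precedence when reading such a URL back. The allowlist of return hosts is this example's own assumption, not something spSingleLogoutInit.jsp enforces.

```python
from urllib.parse import quote, urlsplit, parse_qs

SLO_INIT_PATH = "/saml2/jsp/spSingleLogoutInit.jsp"
# Bindings named in the parameter list; None selects the default HTTP redirect binding.
EXPLICIT_BINDINGS = ("HTTP-POST", "HTTP-Artifact")


def build_slo_init_url(sp_base, meta_alias, idp_entity_id, relay_state=None,
                       goto=None, binding=None, name_id=None, session_index=None):
    """Build the SP-initiated SLO URL.

    metaAlias is appended unencoded, as in the documentation's examples; every
    other value is percent-encoded with safe='' so ':' and '/' become %3A and
    %2F, which is the URL encoding the idpEntityID and RelayState notes require.
    """
    if binding is not None and binding not in EXPLICIT_BINDINGS:
        raise ValueError(f"unsupported binding: {binding}")
    params = [("metaAlias", meta_alias, False), ("idpEntityID", idp_entity_id, True),
              ("binding", binding, True), ("NameIDValue", name_id, True),
              ("SessionIndex", session_index, True), ("goto", goto, True),
              ("RelayState", relay_state, True)]
    query = "&".join(f"{k}={quote(v, safe='') if enc else v}"
                     for k, v, enc in params if v is not None)
    return f"{sp_base.rstrip('/')}{SLO_INIT_PATH}?{query}"


def resolve_return_url(url, allowed_hosts):
    """Decode a spSingleLogoutInit.jsp URL and return where the user will land.

    RelayState takes precedence over goto, as documented. Checking the target
    host against an allowlist is this example's own assumption, not JSP
    behaviour; it means a logout only redirects to hosts you expect.
    """
    q = parse_qs(urlsplit(url).query)
    target = (q.get("RelayState") or q.get("goto") or [None])[0]
    if target is None:
        return None  # no redirect requested; the JSP decides what to show
    host = urlsplit(target).hostname
    if host not in allowed_hosts:
        raise ValueError(f"return URL host not allowed: {host}")
    return target


if __name__ == "__main__":
    # Constructed values, reusing the hosts from the documentation's examples.
    url = build_slo_init_url("http://www.sp.example:8080/sp", "/sp",
                             "http://desktop.example.example:8080/openam",
                             relay_state="http://openam.forgerock.org")
    print(url)
    print(resolve_return_url(url, {"openam.forgerock.org", "www.sp.example"}))
```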


Procedure 11.13. To Indicate Progress During SSO

During SSO log in, OpenAM presents users with a self-submitting form when access has been validated. This page is otherwise blank. If you want to present users with something to indicate that the operation is in progress, then customize the necessary templates.

  1. Modify the templates to add a clue that SSO is in progress, such as an image.

    Edit the templates found in OpenAM sources, saml2login.template and saml2loginwithrelay.template.

    When you add an image or other presentation element, make sure that you retain the form and JavaScript as is. Also, as the files are templates, what you add must be static HTML.

  2. Unpack openam-server-10.2.0-SNAPSHOT.war, and add your modified template files under WEB-INF/classes/ where you unpacked the .war.

    Also include any images you reference in the page.

  3. Pack up your custom version of OpenAM, and then deploy it in your web container.
