OpenAM spSSOInit.jsp Parameters

spSSOInit.jsp Used to initiate SSO from the service provider side, so call this on the service provider not the identity provider. This is also mapped to the endpoint spssoinit under the context root.

Examples: http://www.sp.example:8080/openam/saml2/jsp/spSSOInit.jsp,http://www.sp.example:8080/openam/spssoinit

spSSOInit.jsp Parameters :

idpEntityID

(Required) Use this parameter to indicate the remote identity provider. Make sure you URL encode the value. For example, specify idpEntityID=http://www.idp.example:8080/openam asidpEntityID=http%3A%2F%2Fwww.idp.example%3A8080%2Fopenam.

metaAlias

(Required) Use this parameter to specify the local alias for the provider, such as metaAlias=/myRealm/sp. This parameter takes the format /realm-name/provider-name as described in MetaAlias. You do not repeat the slash for the top level realm, metaAlias=/sp.

affiliationID

(Optional) Use this parameter to specify a SAML affiliation identifier.

AllowCreate

(Optional) Use this parameter to indicate whether the identity provider can create a new identifier for the principal if none exists (true) or not (false).

AssertionConsumerServiceIndex

(Optional) Use this parameter to specify an integer that indicates the location to which the Response message should be returned to the requester.

AuthComparison

(Optional) Use this parameter to specify a comparison method to evaluate the requested context classes or statements. OpenAM accepts the following values: betterexactmaximum, and minimum.

AuthnContextClassRef

(Optional) Use this parameter to specify authentication context class references. Separate multiple values with pipe characters (|).

AuthnContextDeclRef

(Optional) Use this parameter to specify authentication context declaration references. Separate multiple values with pipe characters (|).

AuthLevel

(Optional) Use this parameter to specify the authentication level of the authentication context that OpenAM should use to authenticate the user.

binding

(Optional) Use this parameter to indicate what binding to use for the operation. For example, specifybinding=HTTP-POST to use HTTP POST binding with a self-submitting form. In addition to binding=HTTP-POST, you can also use binding=HTTP-Artifact.

Destination

(Optional) Use this parameter to specify a URI Reference indicating the address to which the request is sent.

ForceAuthN

(Optional) Use this parameter to indicate whether the identity provider should force authentication (true) or can reuse existing security contexts (false).

isPassive

(Optional) Use this parameter to indicate whether the identity provider should authenticate passively (true) or not (false).

NameIDFormat

(Optional) Use this parameter to specify a SAML Name Identifier format identifier such asurn:oasis:names:tc:SAML:2.0:nameid-format:persistent, or urn:oasis:names:tc:SAML:2.0:nameid-format:transient.

RelayState

(Optional) Use this parameter to specify where to redirect the user when the process is complete. Make sure you URL encode the value. For example, RelayState=http%3A%2F%2Fopenam.forgerock.org takes the user tohttp://openam.forgerock.org.

RelayStateAlias

(Optional) Use this parameter to specify the parameter to use as the RelayState. For example, if your query string has target=http%3A%2F%2Fopenam.forgerock.org&RelayStateAlias=target, this is like settingRelayState=http%3A%2F%2Fopenam.forgerock.org.

reqBinding

(Optional) Use this parameter to indicate what binding to use for the authentication request. Valid values in include urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect (default) andurn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.

sunamcompositeadvice

(Optional) Use this parameter to specify a URL encoded XML blob that specifies the authentication level advice.

2 thoughts on “OpenAM spSSOInit.jsp Parameters

  • Pingback: Using Transient Federation Identifiers in OpenAM

  • January 10, 2014 at 10:32 am
    Permalink

    Hi

    I have developed an application as SP using OpenAM fedlet. Single Sign on is working fine and Single Sign out also happening from Idp (Idp is

    SimpleSAMLPHP).

    But Im facing one issue, when I have connected two SP’s and do single sign out its successfully signed out from Idp but the local session for second SP

    still exists and able to access the site even after logged out of Idp.

    I assume that for each request in SP should validate whether valid session exists in Idp, but I’m unable to find how to do with OpenAM fedlet.

    Can you please give me some valuable input to signout local session of SP when signout is happened from any other SP.

    Or how to re-validate the session index for each and every request to client application

    Regards
    Arjun S

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *