An unsolicited (IdP-initiated) SSO is started by sending the user's browser to the SessionRelayService address below; the server then delivers a valid SAML Response to the service provider identified by entityID:
https://www.example.com/uas/saml2/SessionRelayService?entityID=urn:uuid:3A97e9cf6b-5218-4cb8b0b9-bab5d35e6c9b&RelayState=/insert/home/page/here&locale=sv
where:
entityID - the entity ID of the service provider that is to receive the SAML Response
RelayState - the location the service provider sends the user to after consuming the response, here a page of the application
locale - language of any login user interface shown during the flow
You can map this address to a shorter, friendlier URL with any redirecting tool of your choice.
SessionRelayService calls can also be chained: the RelayState of the first call is itself a SessionRelayService URL (given as a relative path) whose own parameters are URL-encoded inside it, so its & appears as %26:
https://sso.example.com/uas/saml2/SessionRelayService?entityID=https://sso.example.com/uas/saml2/names/ac/saml.companyx.1&RelayState=/uas/saml2/SessionRelayService?entityID=urn:uuid:6c524df0-4625-32a8-87ef-705b3523e4b2%26RelayState=/app/protected
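The encoding rules behind the chained call above are easy to get wrong by hand, so here is an added example (my own code, not part of the page or the product) that builds single and chained SessionRelayService URLs and unwraps a chain again. The host sso.example.com and the entity IDs are the ones from the page; the relative-path check in unwrap_chain is my own hardening and not something the page prescribes.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Host and SessionRelayService path as shown on the page.
IDP_BASE = "https://sso.example.com"
RELAY_PATH = "/uas/saml2/SessionRelayService"


def session_relay_url(entity_id, relay_state, locale=None):
    """Build an unsolicited-SSO URL: the IdP delivers a SAML Response to the
    service provider `entity_id`, which then sends the browser on to `relay_state`.
    '/', ':', '?' and '=' are kept readable; an '&' inside a nested RelayState
    is encoded as %26, exactly as in the chained URL on the page."""
    params = {"entityID": entity_id, "RelayState": relay_state}
    if locale:
        params["locale"] = locale
    return IDP_BASE + RELAY_PATH + "?" + urlencode(params, safe="/:?=")


def chain_session_relay(entity_ids, final_target, locale=None):
    """Chain several SessionRelayService calls. The user is first sent to
    entity_ids[0]; every later hop is a relative SessionRelayService URL carried
    in the previous hop's RelayState, and the chain ends at final_target."""
    relay = final_target
    for entity_id in reversed(entity_ids[1:]):
        relay = RELAY_PATH + "?" + urlencode(
            {"entityID": entity_id, "RelayState": relay}, safe="/:?=")
    return session_relay_url(entity_ids[0], relay, locale)


def unwrap_chain(url):
    """Follow a (possibly chained) URL and return (entityIDs in order, final target).
    Own hardening: every RelayState must be a relative path ('/...' but not
    '//host/...'), so the chain can only end on the same host."""
    hops = []
    parts = urlsplit(url)
    while True:
        query = parse_qs(parts.query, keep_blank_values=True)
        if "entityID" not in query or "RelayState" not in query:
            raise ValueError("entityID or RelayState missing")
        entity_id = query["entityID"][0]
        relay = query["RelayState"][0]      # parse_qs has decoded %26 back to &
        hops.append(entity_id)
        if not relay.startswith("/") or relay.startswith("//"):
            raise ValueError(f"RelayState is not a relative path: {relay!r}")
        parts = urlsplit(relay)
        if parts.path != RELAY_PATH:        # not another hop: this is the target
            return hops, relay


if __name__ == "__main__":
    entities = ["https://sso.example.com/uas/saml2/names/ac/saml.companyx.1",
                "urn:uuid:6c524df0-4625-32a8-87ef-705b3523e4b2"]
    chained = chain_session_relay(entities, "/app/protected")
    print(chained)
    print(unwrap_chain(chained))
```

chain_session_relay with the two entity IDs and /app/protected reproduces the chained URL shown above character for character, and unwrap_chain returns the two entity IDs and the final target.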
The WS-Federation Passive Requestor Profile is used for initiating a login request. The request is sent to the PassiveRequestorService endpoint:
https://www.example.com/uas/wsf/PassiveRequestorService?wa=wsignin1.0&wtrealm={entityID}
The available parameters are:
wa - the requested action; wsignin1.0 asks for sign-in.
wtrealm - the realm of the requesting application, i.e. its entity ID; the issued token is scoped to this realm.
wfresh - This optional parameter indicates the freshness requirements. If specified, it gives the desired maximum age of the authentication in minutes. The value "0" asks the IP/STS to re-prompt the user for authentication before issuing the token. This corresponds to the OpenID Connect max_age parameter (which is expressed in seconds rather than minutes) and, for the value "0", to a SAML 2.0 AuthnRequest with ForceAuthn="true".
whr - home realm hint; in the examples below it names the exact authentication method to use (for example password.1), so no method selection is shown.
wauth - the requested authentication type, given as a SAML 2.0 authentication context class URI; any enabled method of that class is acceptable, and if more than one matches a selection menu is shown.
locale - language of the login user interface.
template - visual template of the login user interface.
Example 1 - requesting a login in the sv (Swedish) locale with the christmas template, forced re-authentication (wfresh=0) and the password.1 method only (whr=password.1)
https://www.example.com/uas/wsf/PassiveRequestorService?wa=wsignin1.0&wtrealm={entityID}&locale=sv&template=christmas&wfresh=0&whr=password.1
Example 2 - requesting a login in the sv (Swedish) locale with the christmas template, accepting an existing session as long as it was authenticated with any method of class urn:oasis:names:tc:SAML:2.0:ac:classes:Password. If more than one enabled method has that class, a selection menu is shown
https://www.example.com/uas/wsf/PassiveRequestorService?wa=wsignin1.0&wtrealm={entityID}&locale=sv&template=christmas&wauth=urn:oasis:names:tc:SAML:2.0:ac:classes:Password
If the user has a session and is permitted to use the application, the user is redirected to the application with a valid assertion.
Because the WS-Federation request is not signed, any party can forge or alter it. The integrated application should therefore compare each value of the response (realm, authentication method or class, authentication time) with what it requested, rather than assuming the request parameters were honoured.
For OAuth2 applications, use the Authorization Request URL (the authorization endpoint) to initiate the process and acr_values to select the desired authentication method. As with WS-Federation, acr_values, max_age and prompt are unsigned request parameters, so the client should check the acr and auth_time claims of the returned ID token against them.
https://sso.example.com/uas/oauth2/authorization?response_type=code&scope=openid&client_id=2001221477&redirect_uri=https://client.example.com/response&state=40e1bfc0-4587-4859-be08-a58e3fffa37a&max_age=0&prompt=login&display=popup&ui_locales=en&acr_values=2&login_hint=user@example.com
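The caveat that an unsigned WS-Federation request (and likewise acr_values/max_age in the OAuth2 request) can be spoofed means the application must verify the response itself. The following is an added example of those checks, my own code rather than anything from the page or the product: it compares a returned SAML assertion with the requested wtrealm, wfresh and wauth, and ID token claims with the requested client_id, acr_values, max_age and nonce. The sample assertion, the audience urn:example:app and the claim values are constructed for the example; XML signature validation and Conditions checking are assumed to have been done by the SAML/OIDC library beforehand.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed sample (not from the page): what an IdP might return for Example 2.
# Its signature and validity window are assumed to be verified before this runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2024-03-01T10:00:05Z" Version="2.0">
  <saml:Issuer>https://www.example.com/uas</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T10:00:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:app</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-03-01T10:00:03Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def _parse_time(value):
    """SAML timestamps are UTC with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fresh_enough(authn_time, request_time, max_age_seconds):
    """wfresh=0 / max_age=0 demand an authentication performed after the request
    was sent; any other value allows an authentication up to that many seconds old."""
    if max_age_seconds == 0:
        return authn_time >= request_time
    return request_time - authn_time <= timedelta(seconds=max_age_seconds)


def check_ws_fed_assertion(assertion_xml, wtrealm, request_time, wfresh=None, wauth=None):
    """Compare the returned assertion with the wtrealm/wfresh/wauth that were requested.
    Returns a list of mismatches; an empty list means the response matches the request."""
    problems = []
    root = ET.fromstring(assertion_xml)
    tag = "{%s}Assertion" % SAML_NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return ["no Assertion element in response"]
    audiences = [a.text for a in assertion.findall(
        ".//saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if wtrealm not in audiences:
        problems.append(f"Audience {audiences} does not include requested wtrealm {wtrealm}")
    stmt = assertion.find("saml:AuthnStatement", SAML_NS)
    if stmt is None:
        return problems + ["no AuthnStatement in assertion"]
    class_ref = stmt.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=SAML_NS)
    if wauth is not None and class_ref != wauth:
        problems.append(f"AuthnContextClassRef {class_ref} != requested wauth {wauth}")
    if wfresh is not None:  # wfresh is in minutes
        instant = stmt.get("AuthnInstant")
        if not fresh_enough(_parse_time(instant), request_time, wfresh * 60):
            problems.append(f"AuthnInstant {instant} is older than wfresh={wfresh} allows")
    return problems


def check_id_token_claims(claims, client_id, request_time, acr_values=None, max_age=None, nonce=None):
    """Same idea for the OAuth2/OIDC flow: acr_values and max_age are only requests,
    so verify the acr and auth_time claims of the (already signature-checked) ID token."""
    problems = []
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include client_id {client_id}")
    if acr_values is not None and claims.get("acr") not in acr_values.split():
        problems.append(f"acr {claims.get('acr')!r} not among requested acr_values {acr_values!r}")
    if max_age is not None:  # max_age is in seconds
        if "auth_time" not in claims:
            problems.append("auth_time claim missing although max_age was requested")
        elif not fresh_enough(datetime.fromtimestamp(claims["auth_time"], timezone.utc),
                              request_time, max_age):
            problems.append(f"auth_time {claims['auth_time']} is older than max_age={max_age} allows")
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    return problems


if __name__ == "__main__":
    sent = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    print(check_ws_fed_assertion(SAMPLE_ASSERTION, "urn:example:app", sent, wfresh=0, wauth=PASSWORD_CLASS))
    print(check_id_token_claims({"aud": "2001221477", "acr": "2", "auth_time": 1709287203},
                                "2001221477", sent, acr_values="2", max_age=0))
```

Record the time at which the request was sent (here `sent`) together with state or nonce, and treat a non-empty problem list as a failed login: an attacker who can alter the unsigned request cannot also alter the signed assertion or ID token, so these comparisons are what actually enforce the requested method and freshness.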