How to do IdP-Initiated SSO with The OptimalCloud
In SP-Initiated SSO, the SP (Service Provider) generates an AuthnRequest and sends it to the IDP (Identity Provider) as the first step of the Federation process; the IDP then answers with a SAML Response. SP-Initiated SSO is typically triggered by a login button within the Service Provider or by the user trying to access a protected area.
In IdP-Initiated SSO the Federation process is initiated by the IdP sending an unsolicited Response to the SP. IdP-initiated SSO involves an already authenticated user clicking a button in the IdP and being redirected to the Service Provider.
How can I setup IdP-Initiated SSO using The OptimalCloud?
SAML2 Protocol
When doing IdP-initiated SSO using The OptimalCloud for SAML2, you simply construct a URL that looks like this:
https://yourtenant.theoptimalcloud.com/v5.0/saml2/?spurn=[url-encoded URI]&target=[URL-encoded relay state]
Example:
https://yourtenant.theoptimalcloud.com/v5.0/saml2/?spurn=urn%3aMyApplication
The "spurn" parameter is the (URL-encoded) URI of the application you wish to access.
For SAML2 requests, you may send an optional parameter "target" (urlencoded). The "target" parameter will become the RelayState when using SAML2.
All URL Parameter values must be URL encoded. To obtain URL encoded versions of your values, go to the Tools Application on the Administration Tab of the OptimalCloud Portal. You can convert your value using the URL tools on the Encode/Decode tab.
WS-Federation Protocol
When doing IdP-initiated SSO using The OptimalCloud for WS-Federation, you simply construct a URL that looks like this:
https://yourtenant.theoptimalcloud.com/v5.0/wsfed/?spurn=[url-encoded URI]&target=[URL-encoded relay state]
Example:
https://yourtenant.theoptimalcloud.com/v5.0/wsfed/?spurn=urn%3aMyApplication
The "spurn" parameter is the (URL-encoded) URI of the application you wish to access.
All URL Parameter values must be URL encoded. To obtain URL encoded versions of your values, go to the Tools Application on the Administration Tab of the OptimalCloud Portal. You can convert your value using the URL tools on the Encode/Decode tab.
OpenID Connect Protocol
When doing IdP-initiated SSO using The OptimalCloud for OpenID Connect, you simply construct a URL that looks like this:
https://yourtenant.theoptimalcloud.com/v5.0/oidcp/?spurn=[url-encoded URI]&target=[URL-encoded relay state]
Example:
https://yourtenant.theoptimalcloud.com/v5.0/oidcp/?spurn=urn%3aMyApplication
The "spurn" parameter is the (URL-encoded) URI of the application you wish to access.
All URL Parameter values must be URL encoded. To obtain URL encoded versions of your values, go to the Tools Application on the Administration Tab of the OptimalCloud Portal. You can convert your value using the URL tools on the Encode/Decode tab.
Double IdP-Initiated SSO
In the event that you wish to do Double-IdP-initiated logins (where The OptimalCloud is the IdP to your application and The OptimalCloud is an application to an external IdP), then you can accomplish this by doing the following:
Send an HTTP POST to https://yourtenant.theoptimalcloud.com/v5.0/saml2/ (change to your cloud url)
The POSTed data would include the following 2 parameters:
- SAML2 Assertion
- RelayState in the format described below
The RelayState parameter must be in the following format:
idpinitiated:spurn=[url-encoded URN]&target=[url-encoded relaystate]
(The value must start with "idpinitiated:" then be followed by our standard "spurn" querystring as defined above.)
Here is a sample value where the application is "urn:saml2" and "foo" is the value to be passed to the application.
idpinitiated:spurn=urn%3Asaml2&target=foo
Since the POSTed RelayState parameter above is HTTP form data and not a query string parameter, most web APIs will need to URL encode the entire RelayState value (including the ":", "=" and "&" characters inside it) when building the POSTed HTTP form, but that could vary depending on how it gets implemented.
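The following Python example, added here and not part of The OptimalCloud's own tooling, builds the IdP-initiated URLs for the three protocol endpoints above, builds and validates the "idpinitiated:" RelayState used for double IdP-initiated logins, and shows the extra layer of encoding the RelayState picks up when it travels as POSTed form data. The tenant host is a placeholder, and the form field name SAMLResponse is assumed from the standard SAML HTTP-POST binding rather than taken from the page.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Placeholder tenant base URL; replace with your own tenant (not a real host).
TENANT_BASE = "https://yourtenant.theoptimalcloud.com/v5.0"
# Endpoint path per protocol, as documented above.
PROTOCOL_PATHS = {"saml2": "saml2", "wsfed": "wsfed", "oidc": "oidcp"}
RELAYSTATE_PREFIX = "idpinitiated:"


def build_idp_initiated_url(protocol: str, spurn: str, target: Optional[str] = None) -> str:
    """Build the IdP-initiated SSO URL. urlencode() URL-encodes every value,
    which satisfies the rule that all parameter values must be URL encoded."""
    path = PROTOCOL_PATHS[protocol]  # KeyError for an unsupported protocol name
    params = {"spurn": spurn}
    if target is not None:
        params["target"] = target  # becomes the RelayState for SAML2
    return f"{TENANT_BASE}/{path}/?{urlencode(params)}"


def build_double_idp_relaystate(spurn: str, target: Optional[str] = None) -> str:
    """RelayState the external IdP must POST with the assertion:
    'idpinitiated:' followed by the standard spurn query string."""
    params = {"spurn": spurn}
    if target is not None:
        params["target"] = target
    return RELAYSTATE_PREFIX + urlencode(params)


def parse_double_idp_relaystate(relaystate: str) -> dict:
    """Validate and decode a double-IdP-initiated RelayState. Rejects values
    that lack the mandatory prefix or the spurn parameter so a receiver can
    fail early instead of routing on a malformed value."""
    if not relaystate.startswith(RELAYSTATE_PREFIX):
        raise ValueError("RelayState must start with 'idpinitiated:'")
    qs = parse_qs(relaystate[len(RELAYSTATE_PREFIX):],
                  keep_blank_values=True, strict_parsing=True)
    if "spurn" not in qs or len(qs["spurn"]) != 1:
        raise ValueError("RelayState must carry exactly one spurn parameter")
    return {"spurn": qs["spurn"][0], "target": qs.get("target", [None])[0]}


def build_post_body(saml_response_b64: str, relaystate: str) -> str:
    """Form-encode the POST body. The whole RelayState is encoded once more
    here, so ':' '=' '&' and the inner '%' become %3A %3D %26 and %25."""
    return urlencode({"SAMLResponse": saml_response_b64, "RelayState": relaystate})


def relaystate_from_post_body(body: str) -> str:
    """What the receiving endpoint sees after the form layer is decoded."""
    return parse_qs(body, strict_parsing=True)["RelayState"][0]
```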