
Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <SSO> shorthand element.

Indicated by type="Form", this initiator displays an HTML template containing a form that prompts the user for the entityID to use. Because it acts as a discovery handler, it runs only when no entityID is known; if one is already known, the handler silently ignores the request, since discovery would serve no purpose.

This is a simple substitute for referring the user to another site, which is generally incapable of addressing scenarios involving multiple sets of unrelated IdPs. This handler can be combined with the Transform SessionInitiator to enable the user's input to be turned from something simpler into an entityID.


Common Attributes

The following may be specified for all types of Session Initiator:






Plugin type name.

Location relative path

The location of the SessionInitiator (when combined with the base handlerURL). This is the location to redirect to when manually initiating a session using the Initiator protocol (query string).

id string optional

Identifies a SessionInitiator so that it can be referenced by the requireSessionWith content setting.

isDefault boolean

If true, establishes the default SessionInitiator used implicitly for content protected with the requireSession content setting. If none are labeled, the first is implicitly the default.

entityID URI

If set, establishes an assumed IdP to use for authentication, if none is passed explicitly with a query string parameter or overridden via content settings.

relayState string

Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. Overrides the like-named attribute in the <Sessions> element.

acsIndex string

This matches the index of the <md:AssertionConsumerService> element to use for the return message from the IdP.
This setting is optional and best avoided, in favor of letting the software automatically select the first compatible endpoint.

entityIDParam string

Optional, advanced setting for overriding the name of the query string parameter used to override the IdP to use. Normally "entityID" and "providerId" are the parameter names supported. This is provided for supporting unusual application requirements.

target URL

Allows the resource to return to after SSO to be "locked" to a specific value, even when running as a result of active protection of other resources. In other words, this value overrides the actual resource location when SSO redirection is automatic, including initial access and after a timeout.

one of true, false, front, back

See Signing&Encryption. Controls outbound signing of XML messages and content subject to applicability to the protocol involved.

encryption

See Signing&Encryption. Controls outbound encryption of XML messages and content subject to applicability to the protocol involved.

externalInput boolean (default: true)

Allows handlers to disallow the use of externally supplied parameters / input to drive them. The specific settings this influences will vary by handler, and by default the full range of settings supported can be supplied from outside the SP, typically using query string parameters or form submission. For particularly sensitive or important options, this setting can be used to block that support. This primarily applies to the "SAML2" handler but may be honored by any handler as it deems appropriate.

Specific Attributes





template local pathname required

Path to the HTML template to display.

Query String Parameters 

The following can be provided via the Initiator Protocol:

Common Parameters

The protocol-independent parameters are:

Parameter Name, Parameter Value Type


entityID URI

The IdP to request authentication from.

target absolute URL

The URL to return the user to after authenticating. If unspecified, the homeURL attribute for the application is used.

acsIndex string

The index value of the <md:AssertionConsumerService> element to instruct the IdP to use in returning an assertion to the SP.

authnContextClassRef whitespace-delimited URIs

Requests that particular authentication context classes be used by the IdP.

Specific Parameters

There are no protocol-specific parameters.
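
As an added example (not part of the original documentation or of the Shibboleth code), the following Python code reviews request URIs sent to a SessionInitiator against the parameter table above, flagging values that do not match the documented types and target URLs that point away from the SP. The handler path /Shibboleth.sso/Login, the host allowlist, the function names and the sample URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions, not values from the page: the handler path and the SP's own hosts.
INITIATOR_PATH = "/Shibboleth.sso/Login"
ALLOWED_TARGET_HOSTS = {"sp.example.org"}
# Parameter names from the page; assumes entityIDParam has not renamed the IdP parameter.
KNOWN_PARAMS = {"entityID", "providerId", "target", "acsIndex", "authnContextClassRef"}

def split_or_none(value):
    try:
        return urlsplit(value)
    except ValueError:  # urlsplit rejects e.g. a broken IPv6 literal
        return None

def is_uri(value):
    parts = split_or_none(value)
    return parts is not None and bool(parts.scheme)

def review_initiator_request(request_uri):
    """Return a list of findings for one request to the SessionInitiator location."""
    req = split_or_none(request_uri)
    if req is None or req.path != INITIATOR_PATH:
        return []
    params = parse_qs(req.query, keep_blank_values=True)
    findings = [f"unexpected parameter: {n}" for n in sorted(set(params) - KNOWN_PARAMS)]
    findings += [f"repeated parameter: {n}" for n in sorted(params) if len(params[n]) > 1]
    for target in params.get("target", []):  # typed as an absolute URL
        t = split_or_none(target)
        if t is None or t.scheme not in ("http", "https") or not t.hostname:
            findings.append("target is not an absolute http(s) URL")
        elif t.hostname not in ALLOWED_TARGET_HOSTS:
            findings.append(f"target host not in allowlist: {t.hostname}")
    for name in ("entityID", "providerId"):  # typed as a URI naming the IdP
        if any(not is_uri(v) for v in params.get(name, [])):
            findings.append(f"{name} is not a URI")
    for value in params.get("authnContextClassRef", []):  # whitespace-delimited URIs
        findings += [f"authnContextClassRef entry is not a URI: {r}"
                     for r in value.split() if not is_uri(r)]
    return findings

# Constructed request URIs for illustration (not real log data).
SAMPLE_REQUESTS = [
    "/Shibboleth.sso/Login?entityID=https%3A%2F%2Fidp.example.edu%2Fidp%2Fshibboleth"
    "&target=https%3A%2F%2Fsp.example.org%2Fsecure%2F",
    "/Shibboleth.sso/Login?target=https%3A%2F%2Fother.example.net%2F",
    "/Shibboleth.sso/Login?target=%2Fsecure%2F&authnContextClassRef=urn%3Aexample%3Amfa+Password",
]

def review_all(requests):
    return {r: f for r in requests if (f := review_initiator_request(r))}
```

Calling review_all(SAMPLE_REQUESTS) returns only the flagged requests, keyed by request URI.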
