Page tree

The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

The Shibboleth SP does not have an application API per se, but the SessionInitiator mechanism does support a simple redirect protocol capable of triggering, and influencing, the creation of authentication requests.

This protocol supports a small set of query string parameters that correspond to identically named attributes that can be supplied either directly on a <SessionInitiator> element or as content settings on a per-resource basis.

When a query string parameter is used, it overrides any other source of the same setting/property.

Not all SessionInitiator handlers support all the possible parameters. In fact, most are specific to the SAML2 handler. Unsupported parameters are ignored.

  • entityID (URI)
    • The IdP to request authentication from.
  • target (absolute URL)
    • The URL to return the user to after authenticating. If unspecified, the homeURL attribute for the application is used.
  • acsIndex (string)
    • The index value of the <md:AssertionConsumerService> element to instruct the IdP to use in returning an assertion to the SP.
  • forceAuthn (boolean) (defaults to false) (SAML2 only)
    • Establish a value for the ForceAuthn attribute of the <samlp:AuthnRequest>.
  • isPassive (boolean) (defaults to false) (SAML2 and SAMLDS only)
    • Establish a value for the IsPassive attribute of the <samlp:AuthnRequest> or the IsPassive parameter of the DS redirect.
  • authnContextClassRef (URI) (SAML2 only)
    • Requests that a particular authentication context class be used by the IdP.
  • authnContextComparison ("exact", "minimum", "maximum", "better") (defaults to "exact") (SAML2 only)
    • Indicates the required relationship between a requested context class and the resulting form of authentication. The Shibboleth 2.0 IdP only supports "exact".
  • No labels