The Shibboleth SP does not have an application API per se, but the SessionInitiator mechanism does support a simple redirect protocol capable of triggering, and influencing, the creation of authentication requests.
This protocol supports a small set of query string parameters that correspond to identically named attributes that can be supplied either directly on a <SessionInitiator> element or as content settings on a per-resource basis.
When a query string parameter is used, it overrides any other source of the same setting/property.
Not all SessionInitiator handlers support all the possible parameters. In fact, most are specific to the SAML2 handler. Unsupported parameters are ignored.
entityID (URI)

target (absolute URL)
    homeURL attribute for the application is used.

acsIndex (string)
    index value of the <md:AssertionConsumerService> element to instruct the IdP to use in returning an assertion to the SP.

forceAuthn (boolean) (defaults to false) (SAML2 only)
    ForceAuthn attribute of the <samlp:AuthnRequest>. This asks for forced reauthentication by the IdP (bypassing SSO).

isPassive (boolean) (defaults to false) (SAML2 and SAMLDS only)
    IsPassive attribute of the <samlp:AuthnRequest> or the IsPassive parameter of the DS redirect.

authnContextClassRef (URI) (SAML2 only)

authnContextComparison ("exact", "minimum", "maximum", "better") (defaults to "exact") (SAML2 only)
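
Because a query string parameter overrides any other source of the same setting, an application that builds these redirects should validate what it puts in them. The following is an added example, not code from the Shibboleth project: the handler path /Shibboleth.sso/Login, the origin app.example.org, and the function and argument names are assumptions. It pins target to the application's own origin and accepts only the comparison values listed above.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions (not from the page): handler path and application origin.
LOGIN_HANDLER = "/Shibboleth.sso/Login"
APP_ORIGIN = ("https", "app.example.org")
COMPARISONS = {"exact", "minimum", "maximum", "better"}


def build_login_redirect(target, entity_id=None, force_authn=False,
                         is_passive=False, class_ref=None, comparison=None):
    """Return a relative redirect URL for the SessionInitiator handler."""
    # target must be an absolute URL; pin it to our own origin so a
    # caller-supplied value cannot send the user elsewhere after login.
    parts = urlsplit(target)
    if (parts.scheme, parts.netloc) != APP_ORIGIN:
        raise ValueError("target must be an absolute URL on the application origin")

    params = {"target": target}
    if entity_id:
        params["entityID"] = entity_id
    # Both booleans default to false, so they are sent only when set.
    if force_authn:
        params["forceAuthn"] = "true"
    if is_passive:
        params["isPassive"] = "true"
    if class_ref:
        params["authnContextClassRef"] = class_ref
    if comparison is not None:
        if comparison not in COMPARISONS:
            raise ValueError("unsupported authnContextComparison: %r" % comparison)
        params["authnContextComparison"] = comparison
    # urlencode percent-encodes each value, so a target carrying its own
    # query string cannot inject extra handler parameters.
    return LOGIN_HANDLER + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_login_redirect("https://app.example.org/admin?x=1",
                               force_authn=True,
                               class_ref="urn:example:mfa",
                               comparison="exact"))
```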