The Shibboleth SP does not have an application API per se, but the SessionInitiator mechanism does support a simple redirect protocol capable of triggering, and influencing, the creation of authentication requests.

This protocol supports a small set of query string parameters that correspond to identically named attributes that can be supplied either directly on a <SessionInitiator> element or as content settings on a per-resource basis.

When a query string parameter is used, it overrides any other source of the same setting/property.

Not all SessionInitiator handlers support all the possible parameters. In fact, most are specific to the SAML2 handler. Unsupported parameters are ignored.

• entityID (URI)
  • The IdP to request authentication from.

• target (absolute URL)
  • The URL to return the user to after authenticating. If unspecified, the homeURL attribute for the application is used.

• acsIndex (string)
  • The index value of the <md:AssertionConsumerService> element to instruct the IdP to use in returning an assertion to the SP.

• forceAuthn (boolean) (defaults to false) (SAML2 only)
  • Establish a value for the ForceAuthn attribute of the <samlp:AuthnRequest>. This asks for forced reauthentication by the IdP (bypassing SSO).

• isPassive (boolean) (defaults to false) (SAML2 and SAMLDS only)
  • Establish a value for the IsPassive attribute of the <samlp:AuthnRequest> or the IsPassive parameter of the DS redirect.

• authnContextClassRef (URI) (SAML2 only)
  • Requests that a particular authentication context class be used by the IdP.

• authnContextComparison ("exact", "minimum", "maximum", "better") (defaults to "exact") (SAML2 only)
  • Indicates the required relationship between a requested context class and the resulting form of authentication. The Shibboleth 2.x IdP currently supports only "exact".