
Note: Advanced Configuration

This is an advanced configuration feature. Most deployments can rely on the <SSO> shorthand element.


The <SessionInitiator> element configures handlers that are responsible for initiating authentication to the SP and establishing a session with it. This is what single sign-on architecture calls an "SP-initiated" flow: a browser that starts at the application must be referred to the IdP to log in, and then returned to the SP with the information needed to establish a session.

...

A special characteristic of this kind of handler is that it often runs implicitly as a result of the first access to a protected resource (e.g. when the requireSession content setting is in effect). For other use cases, such as the "passive/lazy session" feature that lets an application defer creating a session, a simple (and extensible) protocol local to the SP software lets applications invoke these handlers with a standard HTTP redirect carrying a query string (see the Initiator Protocol section below).

Configuring multiple SessionInitiator handlers and combining them in chains lets the deployer control which SSO protocol is selected when more than one can be used, and implement various approaches to IdP discovery (determining which IdP to use in a federated environment).

...

A protocol handler requires the name of an IdP (that is, its entityID) so that the IdP's metadata can be obtained to determine whether, and at which endpoint, it supports a particular protocol. The entityID can be supplied in a number of ways: via the query string, via a hardcoded attribute on the <SessionInitiator> element, or via a content setting applied to the resource.

...

Specific initiators are selected by the type attribute; each type defines its own attributes in addition to the common ones, and some accept child elements. The following types are available by default; more may be added as plugins.

Common Attributes

The attributes shared by all initiator types are documented on the SessionInitiatorCommonAttributes page, which the original page includes at this point.

Initiator Protocol

The Shibboleth SP does not have an application API per se, but the SessionInitiator mechanism supports a simple redirect protocol capable of triggering, and influencing, the creation of authentication requests.

...

Not all SessionInitiator handlers support all the possible parameters. Query string parameters that are specific to one protocol are listed under that initiator's type.

The query string parameters common to all initiators are documented on the SessionInitiationCommonQueryParameters page, which the original page includes at this point.

Examples

The redirection examples below are illustrated by way of the HTTP Location header that the application would return to the client. Refer to your programming environment's documentation for how to generate redirects and produce such a header. Always URL-encode every parameter value you append: a target URL contains ':' and '/' that must be escaped, and an unencoded '&' or '=' inside the target would be parsed by the handler as a separate parameter rather than as part of the target.

...

The most common scenario is to simply ask for a login while providing a resource to return the client to afterwards. Typically, this is the resource from which the redirect is generated.

...

...

Request a Session and Return to https://sp.example.org/resource.asp

  Location: https://sp.example.org/Shibboleth.sso/Login?
    target=https%3A%2F%2Fsp.example.org%2Fresource.asp

Another common case is to specify the IdP to use. This is a simple way to implement user selection of an IdP from a small set, for example by clicking one of several logos. Not coincidentally, the SAMLDS handler is implemented by routing the result of the discovery process back to itself with the entityID parameter set.

...

...

Request a Session Using the IdP Named https://idp.example.org/idp/shibboleth

  Location: https://sp.example.org/Shibboleth.sso/Login?
    target=https%3A%2F%2Fsp.example.org%2Fresource.asp&
    entityID=https%3A%2F%2Fidp.example.org%2Fidp%2Fshibboleth
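The following is an added example (not code from the Shibboleth project or from this page) showing, in Python, how an application would produce the two redirects above and how the "lazy session" pattern described earlier fits around them: the Login URL is built with every parameter value percent-encoded, a small "choose your IdP" helper fixes entityID up front, and a WSGI handler redirects to the Login handler only when no session exists. It assumes the SP base URL, resource and IdP names from the page's examples, that the SP module exposes the current session to the application as the Shib-Session-ID request header (seen by WSGI as HTTP_SHIB_SESSION_ID), and that the helper names are invented for this example.

```python
"""Added example: building SessionInitiator redirects (Initiator Protocol).

Assumptions, not taken from the page: SP_BASE and the IdP entityID come from the
page's examples; the SP module exports the active session as the Shib-Session-ID
request header (HTTP_SHIB_SESSION_ID in WSGI); all helper names are invented here.
"""
from urllib.parse import urlencode, urlsplit, parse_qsl
from wsgiref.util import request_uri, setup_testing_defaults

SP_BASE = "https://sp.example.org"                 # assumed, as in the page's examples
LOGIN_HANDLER = SP_BASE + "/Shibboleth.sso/Login"


def build_login_url(target, entity_id=None, **extra):
    """Return the Login handler URL for the given target and optional IdP.

    urlencode() percent-encodes every value (':' and '/' included), so the
    target https://sp.example.org/resource.asp becomes
    https%3A%2F%2Fsp.example.org%2Fresource.asp, exactly as in the page's
    examples. Raw values must never be appended to the query string.
    """
    params = [("target", target)]
    if entity_id:
        params.append(("entityID", entity_id))
    params.extend(sorted(extra.items()))           # e.g. protocol-specific parameters
    return LOGIN_HANDLER + "?" + urlencode(params)


def parse_login_url(url):
    """Decode a Login URL back into its parameters (what the handler will see)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def idp_choice_links(target, idps):
    """Links for a 'click your IdP logo' page: each link fixes entityID up front."""
    return [(name, build_login_url(target, entity_id)) for name, entity_id in idps]


def lazy_session_response(environ):
    """Lazy-session logic: serve the resource if the SP already holds a session,
    otherwise redirect to the Login handler with target set to the current URL."""
    if environ.get("HTTP_SHIB_SESSION_ID"):        # assumed SP-exported session header
        return "200 OK", [("Content-Type", "text/plain")], b"protected content\n"
    target = request_uri(environ)                  # absolute URL of this request
    return "302 Found", [("Location", build_login_url(target))], b""


def lazy_session_app(environ, start_response):
    """WSGI wrapper around lazy_session_response."""
    status, headers, body = lazy_session_response(environ)
    start_response(status, headers)
    return [body]


def make_environ(path, query="", session_id=None):
    """Constructed WSGI environ for an https request to the example SP host."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"wsgi.url_scheme": "https", "HTTP_HOST": "sp.example.org",
                    "SERVER_NAME": "sp.example.org", "SERVER_PORT": "443",
                    "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query})
    if session_id:
        environ["HTTP_SHIB_SESSION_ID"] = session_id
    return environ


if __name__ == "__main__":
    status, headers, _ = lazy_session_response(make_environ("/resource.asp"))
    print(status, dict(headers)["Location"])
    idps = [("Example IdP", "https://idp.example.org/idp/shibboleth")]
    for name, url in idp_choice_links(SP_BASE + "/resource.asp", idps):
        print(name, url)
```

The encoding helper is the important part: with the target itself carrying a query string (resource.asp?id=7), the '?', '=' and '&' inside it are escaped, so the handler receives one target parameter and the application gets the full URL back after login.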

...