SessionInitiator

Ā 

Advanced Configuration

Note, this is an advanced configuration feature. Most deployments can rely on the <SSO> shorthand element.

TheĀ <SessionInitiator>Ā element is used to configure handlers that are responsible for initiating the process of authentication to the SP and establishing a session with it. This represents what single sign-on architecture refers to as an "SP-initiated" flow, where a browser starting at the application end needs to be referred to the IdP to login and then return with the appropriate information to login.

The specifics of the authentication request process vary by protocol, and the internal SessionInitiator API allows the SP to be extended with many request protocols. The handler is responsible for all of the details associated with making the request.

A special characteristic of this kind of handler is that it often runs implicitly as a result of the first access to a protected resource (e.g. when theĀ requireSessionĀ content settingĀ is in effect). For other kinds of use cases, such as the "passive/lazy session" feature that enables an application to defer the creation of a session, a simple (and extensible) protocol is implemented local to the SP software to enable applications to invoke these handlers using a standard HTTP redirect with a query string. See theĀ Initiator-ProtocolĀ section below).

The ability to configure multiple SessionInitiator handlers and to combine them in chains allows the deployer to control the selection of particular SSO protocols when more than one can be used, and to implement various approaches toĀ IdPDiscoveryĀ (the process of figuring out which IdP to use in a federated environment).

Types of SessionInitiators

Broadly speaking, there are two kinds of SessionInitiators:Ā protocol handlersĀ andĀ discovery handlers.

A protocol handler requires that the name of an IdP (that is, its entityID) be supplied to the handler so that its metadata can be obtained to determine whether and where it supports a particular protocol. TheĀ entityIDĀ can be supplied in a number of ways, including viaĀ query string, a hardcodedĀ <SessionInitiator>Ā attribute, or via aĀ content settingĀ applied to the resource.

By contrast, a discovery handler requires that the IdPĀ notĀ be known, and is responsible for interacting with the browser in some way to determine the IdP to use. It can do this in any way it wants to, such as examining cookies, interacting with the user, or by redirecting the browser to some other server.

Specific Initiators are defined by the type= attribute, each type specifies its own attributes as well as the common ones.Ā  Some initiators allow child elements.Ā  The following types are available by default.Ā  More may be added as plugins

Common Attributes

Initiator Protocol

The Shibboleth SP does not have an application API per se, but theĀ SessionInitiatorĀ mechanism supports a simple redirect protocol capable of triggering, and influencing, the creation of authentication requests.

This protocol supports a small set of query string parameters that correspond to identically named attributes that can be supplied either directly on aĀ <SessionInitiator>Ā element or asĀ content settingsĀ on a per-resource basis.

When aĀ query string parameter is used, it overrides any other source of the same setting/property.

Common Query String ParametersĀ 

Not allĀ SessionInitiatorĀ handlers support all the possible parameters. Query String Parameters which are specific to a protocol are listed under the Session Initiator.

Examples

The redirection examples shown are illustrated by way of the HTTP Location header that would be returned to a client by an application. Refer to your programming environment's documentation for information on how to generate redirects and produce such a header. Note that you should always be sure to URL-encode any parameter values that you append.

The examples also assume that aĀ SessionInitiatorĀ exists at the location "/Login", which is the usual default.

The most common scenario is to simply ask for a login while providing a resource to return the client to afterwards. Typically, this is the resource from which the redirect is generated.

Request a Session and Return to https://sp.example.org/resource.asp
Location: https://sp.example.org/Shibboleth.sso/Login? target=https%3A%2F%2Fsp.example.org%2Fresource.asp

Another common case is to specify the IdP to use. This is a simple way to implement user selection of an IdP from among a small set, for example clicking on a choice of logos. Not coincidentally, theĀ SAMLDSĀ handler is implemented by routing the result of the discovery process back to itself with theĀ entityIDĀ parameter set.

Request a Session Using the IdP Named https://idp.example.org/idp/shibboleth
Location: https://sp.example.org/Shibboleth.sso/Login? target=https%3A%2F%2Fsp.example.org%2Fresource.asp& entityID=https%3A%2F%2Fidp.example.org%2Fidp%2Fshibboleth