Documentation
Users
Awards
Developers
Translation
Release plan
Mailinglists
Support
Download


Available in 1.5 1.6 trunk

Warning

You are browsing documentation for the development version of SimpleSAMLphp. You may want to go to the latest stable version of the documentation.

SimpleSAMLphp Identity Provider Advanced Topics

Table of Contents

1 AJAX iFrame Single Log-Out

If you have read about the AJAX iFrame Single Log-Out approach at Andreas' blog and want to enable it, edit your saml20-idp-hosted.php metadata, and add this configuration line for the IdP:

'logouttype' => 'iframe',

2 Attribute Release Consent

The attribute release consent is documented in a separate document.

3 Support for bookmarking the login page

Most SAML software crash fatally when users bookmarks the login page and returns later when the cached session information is lost. This is natural as the login page happens in the middle of a SAML transaction, and the SAML software needs some references to the request in order to be able to produce the SAML Response.

SimpleSAMLphp has implemented a graceful fallback to tackle this situation. When simpleSAMLphp is not able to lookup a session in the login process, it fall-backs to the IdP-first flow, described in next section, where the reference to the request is not needed.

What happens in the IdP-first flow is that an SAML unsolicited response is sent back to the SP. An unsolicited response is a SAML Response with no reference to a SAML Request (no InReplyTo field).

When an SimpleSAMLphp IdP fall-back to IdP-first flow, the RelayState parameter sent from the SP in the SAML request is also lost. The RelayState information contain a reference key for the SP to lookup where to send the user after successfull authentication. The SimpleSAMLphp Service Provider supports configuring a static URL to redirect the user after a unsolicited response is received. See more information about the RelayState parameter in the next section: IdP-first flow.

4 IdP-first flow

If you do not want to start the SSO flow at the SP, you may use the IdP-first setup. To do this, redirect the user to the SSOService endpoint on the IdP with one parameter spentityid that match the SP EntityId that the user should be logged into.

Here is an example of such an url:

https://sp.example.org/simplesaml/saml2/idp/SSOService.php?spentityid=dev.andreas.feide.no

When the IdP-first flow is used an extra parameter is needed in the saml20-sp-hosted metadata. This is the RelayState parameter that tells the SP which URL to redirect the user to after the user is successfully authenticated. This typically is the frontpage of your application. An example of this can be:

'RelayState' => '/',

5 IdP-initiated logout

IdP-initiated logout can be initiated by visiting the URL:

https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php?ReturnTo=<URL to return to after logout>

It will send a logout request to each SP, and afterwards return the user to the URL specified in the ReturnTo parameter.