Specifying the Intersite Transfer Service URL for the Login URL Option

Liberty and SAML 2.0 support a single sign-on URL. Because SAML 1.1 does not support a single sign-on URL, you need to specify the Intersite Transfer Service URL in the Login URL option on the authentication card for the SAML 1.1 identity provider:

Figure 2-22 SAML 1.1 Authentication Card

For a card to appear as a login option, specify a Login URL and select the Show Card option. Figure 2-23 illustrates a possible configuration that requires the Intersite Transfer Service for SAML 1.1.

Figure 2-23 Federated Identity Configuration

If you want a card to appear that allows the user to log in to Site A (as shown in Figure 2-22), you need to specify a value for the Login URL option.

Using the DNS names from Figure 2-23, the complete value for the Login URL option is as follows:

https://idp.sitea.example.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.example.com:8443/nidp/saml/metadata&TARGET=https://idp.siteb.example.com:8443/nidp/app

The following actions occur when this link is invoked:

  1. The browser performs an HTTP GET to the identity provider (Site A).

  2. If the identity provider (Site A) trusts the service provider (Site B), the identity provider prompts the user for authentication information and builds an assertion.

  3. The identity provider (Site A) sends the user to the service provider (Site B), using the POST or Artifact method.

  4. The service provider (Site B) consumes the assertion and sends the user to the TARGET URL (the user portal on Site B).
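The Login URL above embeds two full URLs (PID and TARGET) as query parameters. The following Python helper, added here as an illustration and not part of the Access Manager product or this documentation, builds that value with percent-encoded parameters and parses a Login URL (in either the encoded form or the raw form shown above) back into its parts, checking that TARGET points at the same host as PID. The function names and the same-host check are this example's own assumptions; the hostnames come from the Figure 2-23 example.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Hostnames taken from the page's Figure 2-23 example. The helper names
# are assumptions of this example, not Access Manager APIs.
IDP_SITE_A = "idp.sitea.example.com:8443"
IDP_SITE_B = "idp.siteb.example.com:8443"


def build_intersite_transfer_url(idp_host: str, sp_host: str) -> str:
    """Build the Login URL value for a SAML 1.1 authentication card.

    idp_host is the identity provider (Site A) that issues the assertion;
    sp_host is the service provider (Site B) whose metadata URL becomes
    PID and whose user portal becomes TARGET. Values are percent-encoded
    so the embedded "https://..." strings survive any later URL parsing.
    """
    params = {
        "PID": f"https://{sp_host}/nidp/saml/metadata",
        "TARGET": f"https://{sp_host}/nidp/app",
    }
    return f"https://{idp_host}/nidp/saml/idpsend?" + urlencode(params)


def parse_intersite_transfer_url(url: str) -> dict:
    """Extract PID and TARGET and check they name the same provider host.

    Accepts both the percent-encoded form and the raw form shown on the
    page. Raises ValueError if a parameter is missing or if TARGET would
    send the user to a host other than the PID host, which is the check
    an administrator reviewing a card's Login URL would want.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, strict_parsing=True)
    try:
        pid = query["PID"][0]
        target = query["TARGET"][0]
    except KeyError as exc:
        raise ValueError(f"missing parameter {exc}") from None
    pid_host = urlsplit(pid).netloc
    target_host = urlsplit(target).netloc
    if not pid_host or pid_host != target_host:
        raise ValueError(
            f"TARGET host {target_host!r} differs from PID host {pid_host!r}"
        )
    return {"idp": parts.netloc, "pid": pid, "target": target}
```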

For more information, see Modifying the Authentication Card for SAML 1.1.