
How do I configure IdP or SP initiated Single Sign On in Identity Cloud or AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on configuring IdP or SP initiated Single Sign On (SSO) in ForgeRock Identity Cloud or AM.



Configuring IdP or SP initiated Single Sign On

Depending on whether SSO is IdP initiated or SP initiated, include one of two JSP pages in the URL that is called when a user logs in: idpSSOInit.jsp or spSSOInit.jsp respectively. For example, the following URL would provide single sign on initiated by the SP:

https://sp.example.com:8443/am/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https%3A%2F%2Fidp.example.com%3A8443%2Fam

Optionally, you can call the JSP using the idpssoinit or spssoinit endpoint under the context root instead. For example, the following URL would provide single sign on initiated by the IdP:

https://idp.example.com:8443/am/idpssoinit?metaAlias=/idp&spEntityID=https%3A%2F%2Fsp.example%3A8443%2Fopenam

You can then specify the required parameters in the URL to control the resulting login behavior, using & to separate different parameters. See JSP pages for SSO and SLO (Identity Cloud) or JSP pages for SSO and SLO (AM) for further information on these parameters.

The metaAlias parameter must be included in an IdP or SP initiated login URL, and either the spEntityID parameter (for IdP initiated logins) or the idpEntityID parameter (for SP initiated logins):

  • metaAlias - this specifies the local alias for the provider in the format /realmname/providername. For the top level realm, exclude the realmname element, that is, just include /providername.
  • spEntityID - this specifies the remote service provider (for IdP initiated logins) and must be URL encoded. For example, for remote service provider https://sp.example:8443/am, you would specify: https%3A%2F%2Fsp.example%3A8443%2Fopenam
  • idpEntityID - this specifies the remote identity provider (for SP initiated logins) and must be URL encoded.
Note

The initiating SAML entity provider (SP or IdP) must be hosted on the Identity Cloud or AM server called in the URL, and the JSP page used must correspond to the entity type.
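The following Python helper is an added example and is not part of this article or ForgeRock's own code. It builds an IdP- or SP-initiated SSO URL from the parts described above (the idpssoinit/spssoinit endpoints or their JSP equivalents, the metaAlias parameter, and a URL-encoded spEntityID or idpEntityID), and it checks an existing URL for the consistency rules the article states: metaAlias must be present and well formed, and the entity ID parameter must match the initiating side. The function names and the host names and entity IDs in the test values are assumptions constructed for illustration; they reproduce the two example URLs given in the article.

```python
"""Build and sanity-check ForgeRock AM / Identity Cloud SAML2 SSO-initiation URLs.

Added example, not ForgeRock code. The endpoint paths and parameter names follow the
article; the helper names below are assumptions chosen for this example.
"""
from urllib.parse import parse_qs, quote, urlsplit


def meta_alias(provider: str, realm: str = "/") -> str:
    """Return the local alias of a hosted provider: /providername for the top-level
    realm, /realmname/providername for a sub-realm."""
    realm = realm.strip("/")
    provider = provider.strip("/")
    if not provider:
        raise ValueError("provider name is required")
    return f"/{provider}" if not realm else f"/{realm}/{provider}"


def sso_init_url(base_url: str, initiator: str, provider: str, remote_entity_id: str,
                 realm: str = "/", use_jsp: bool = False, **extra) -> str:
    """Build an SSO-initiation URL.

    initiator="idp": URL on the IdP, remote_entity_id names the remote SP (spEntityID).
    initiator="sp":  URL on the SP, remote_entity_id names the remote IdP (idpEntityID).
    metaAlias keeps its slashes; the entity ID and any extra parameters are fully
    URL-encoded, as the article requires.
    """
    if initiator not in ("idp", "sp"):
        raise ValueError("initiator must be 'idp' or 'sp'")
    remote_param = "spEntityID" if initiator == "idp" else "idpEntityID"
    path = f"/saml2/jsp/{initiator}SSOInit.jsp" if use_jsp else f"/{initiator}ssoinit"
    pairs = [("metaAlias", meta_alias(provider, realm)), (remote_param, remote_entity_id)]
    pairs.extend(extra.items())
    query = "&".join(
        f"{k}={quote(str(v), safe='/' if k == 'metaAlias' else '')}" for k, v in pairs
    )
    return base_url.rstrip("/") + path + "?" + query


def check_sso_init_url(url: str) -> list:
    """Return the problems found in an SSO-initiation URL; an empty list means the
    URL satisfies the parameter rules described in the article."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.endswith(("idpssoinit", "idpssoinit.jsp")):
        initiator, expected, other = "idp", "spEntityID", "idpEntityID"
    elif path.endswith(("spssoinit", "spssoinit.jsp")):
        initiator, expected, other = "sp", "idpEntityID", "spEntityID"
    else:
        return ["path does not end in idpssoinit/spssoinit (or their JSP equivalents)"]
    q = parse_qs(parts.query, keep_blank_values=True)  # decodes %3A, %2F, ...
    problems = []
    alias = q.get("metaAlias", [""])[0]
    segments = alias.split("/")
    if not alias:
        problems.append("metaAlias is missing")
    elif not alias.startswith("/") or any(not s for s in segments[1:]):
        problems.append(f"metaAlias {alias!r} is not /realmname/providername or /providername")
    if not q.get(expected, [""])[0]:
        problems.append(f"{initiator}-initiated URL must carry {expected}")
    if other in q:
        problems.append(f"{other} belongs to the other initiation direction; use {expected}")
    return problems


if __name__ == "__main__":
    # Constructed values: the SP-initiated example from the article, plus a sub-realm IdP case.
    print(sso_init_url("https://sp.example.com:8443/am", "sp", "sp",
                       "https://idp.example.com:8443/am", use_jsp=True))
    print(sso_init_url("https://idp.example.com:8443/am", "idp", "idp",
                       "https://sp.example:8443/openam", realm="/customers",
                       RelayState="https://sp.example.com/app"))
    print(check_sso_init_url("https://idp.example.com:8443/am/idpssoinit?metaAlias=idp&idpEntityID=x"))
```

Running the module prints the two example URLs and then the three problems in the deliberately malformed IdP URL (metaAlias without a leading slash, spEntityID missing, idpEntityID used on the IdP side), which are exactly the mistakes behind most "provider not found" style failures when hand-building these links.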

See Also

How do I redirect to a specific page after a successful IdP or SP initiated login in Identity Cloud or AM (All versions)?

SP initiated login fails in Identity Cloud or AM (All versions) with Service Provider ID is null error

How do I configure IdP or SP initiated Single Logout in Identity Cloud or AM (All versions)?

FAQ: SAML2 federation in AM

SAML 2.0 federation in Identity Cloud

SAML 2.0 federation in AM

SSO and SLO in standalone mode (Identity Cloud)

SSO and SLO in standalone mode (AM)

Related Training

ForgeRock Access Management Deep Dive (AM-410)

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.