To initiate SSO when a user logs in, the URL you call includes one of two JSP pages, depending on whether the login is IdP or SP initiated: idpSSOInit.jsp or spSSOInit.jsp respectively. For example, the following URL provides single sign-on initiated by the SP: https://sp.example.com:8443/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https%3A%2F%2Fidp.acme.com%3A8443%2Fopenam
Optionally, you can call the JSP using idpssoinit or spssoinit under the context root instead. For example, the following URL provides single sign-on initiated by the IdP: https://idp.acme.com:8443/openam/idpssoinit?metaAlias=/idp&spEntityID=https%3A%2F%2Fsp.example%3A8443%2Fopenam
You can then specify the required parameters in the URL to control the resulting login behavior, using & to separate different parameters. See JSP Pages for SSO and SLO for further information on these parameters.
An IdP or SP initiated login URL must include the metaAlias parameter, together with either the spEntityID parameter (for IdP initiated logins) or the idpEntityID parameter (for SP initiated logins):
- metaAlias - this specifies the local alias for the provider in the format /realmname/providername. For the top level realm, exclude the realmname element, that is, just include /providername.
- spEntityID - this specifies the remote service provider (for IdP initiated logins) and must be URL encoded. For example, for the remote service provider https://sp.example:8443/openam, you would specify: https%3A%2F%2Fsp.example%3A8443%2Fopenam
- idpEntityID - this specifies the remote identity provider (for SP initiated logins) and must be URL encoded.
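
The following added example (not part of the OpenAM documentation) builds a login URL from the parameters above and shows why the entity ID must be fully URL encoded: an unencoded & or = in the value would be read as an extra parameter. The names build_sso_init_url and query_params are hypothetical; the hostnames are the ones used in the examples above.

```python
from urllib.parse import quote, urlsplit, parse_qs

# JSP page and remote-entity parameter required by each flow (from the text above).
FLOWS = {
    "sp": ("spSSOInit.jsp", "idpEntityID"),
    "idp": ("idpSSOInit.jsp", "spEntityID"),
}


def build_sso_init_url(base_url, initiator, meta_alias, remote_entity_id):
    """Return the SSO initiation URL for an 'sp' or 'idp' initiated login."""
    if initiator not in FLOWS:
        raise ValueError("initiator must be 'sp' or 'idp'")
    # /providername or /realmname/providername: leading slash, no empty segments.
    segments = meta_alias.split("/")
    if len(segments) < 2 or segments[0] != "" or not all(segments[1:]):
        raise ValueError("metaAlias must look like /providername or /realmname/providername")
    if not remote_entity_id:
        raise ValueError("remote entity ID is required")
    page, entity_param = FLOWS[initiator]
    # safe="" percent-encodes ':' '/' '&' '=' so the entity ID stays a single value.
    encoded_entity = quote(remote_entity_id, safe="")
    # quote() keeps '/' literal by default, matching the metaAlias=/sp form above.
    encoded_alias = quote(meta_alias)
    return (f"{base_url.rstrip('/')}/saml2/jsp/{page}"
            f"?metaAlias={encoded_alias}&{entity_param}={encoded_entity}")


def query_params(url):
    """Parse the query string the way a server would, for checking the result."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    url = build_sso_init_url("https://sp.example.com:8443/openam", "sp",
                             "/sp", "https://idp.acme.com:8443/openam")
    print(url)
    # Constructed input: an entity ID containing '&' and '=' must not add parameters.
    odd = "https://idp.acme.com:8443/openam?x=1&y=2"
    print(query_params(build_sso_init_url("https://sp.example.com:8443/openam",
                                          "sp", "/sp", odd)))
```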