Does not apply to Identity Cloud

How do I configure IdP or SP initiated Single Sign On in AM (All versions)?

Last updated Sep 30, 2021

The purpose of this article is to provide information on configuring IdP or SP initiated Single Sign On (SSO) in AM.

Configuring IdP or SP initiated Single Sign On

There are two JSP pages that you can include in the URL called when a user logs in to initiate SSO, depending on whether the login is IdP or SP initiated: idpSSOInit.jsp or spSSOInit.jsp respectively. For example, the following URL would provide single sign on initiated by the SP:

https://sp.example.com:8443/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https%3A%2F%2Fidp.acme.com%3A8443%2Fopenam

Optionally, you can call the JSP using idpssoinit or spssoinit under the context root instead. For example, the following URL would provide single sign on initiated by the IdP:

https://idp.acme.com:8443/openam/idpssoinit?metaAlias=/idp&spEntityID=https%3A%2F%2Fsp.example%3A8443%2Fopenam

You can then specify the required parameters in the URL to control the resulting login behavior, using & to separate different parameters. See JSP Pages for SSO and SLO for further information on these parameters.

The metaAlias parameter must be included in an IdP or SP initiated login URL, and either the spEntityID parameter (for IdP initiated logins) or the idpEntityID parameter (for SP initiated logins):

  • metaAlias - this specifies the local alias for the provider in the format /realmname/providername. For the top level realm, exclude the realmname element, that is, just include /providername.
  • spEntityID - this specifies the remote service provider (for IdP initiated logins) and must be URL encoded, for example, for remote service provider https://sp.example:8443/openam, you would specify: https%3A%2F%2Fsp.example%3A8443%2Fopenam
  • idpEntityID - this specifies the remote identity provider (for SP initiated logins) and must be URL encoded.

Note

The initiating SAML entity provider (SP or IdP) must be hosted on the AM server called in the URL, and the JSP page used must correspond to the entity type.
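As an added example (not from this article and not ForgeRock's own code), the following Python builds the two initiation URLs described above and checks an existing URL against the pairing rule in the note: spSSOInit.jsp/spssoinit must carry idpEntityID, idpSSOInit.jsp/idpssoinit must carry spEntityID, and metaAlias must be present in either form. The host names are the article's example values, and the function names build_sso_init_url, parse_sso_init_url and check_meta_alias are chosen here for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Example hosts taken from the article; constructed values, not real deployments.
SP_BASE = "https://sp.example.com:8443/openam"
IDP_BASE = "https://idp.acme.com:8443/openam"

# Initiating entity type -> (short initiator path under the context root,
# the remote-entity parameter that page requires). The JSP equivalents are
# saml2/jsp/spSSOInit.jsp and saml2/jsp/idpSSOInit.jsp.
INITIATORS = {
    "sp": ("spssoinit", "idpEntityID"),
    "idp": ("idpssoinit", "spEntityID"),
}


def check_meta_alias(meta_alias):
    """Validate the local alias: /providername (top level realm) or /realmname/providername."""
    if not meta_alias.startswith("/"):
        raise ValueError("metaAlias must start with '/'")
    parts = meta_alias[1:].split("/")
    if not 1 <= len(parts) <= 2 or any(part == "" for part in parts):
        raise ValueError("metaAlias must be /providername or /realmname/providername")
    return meta_alias


def build_sso_init_url(local_base, initiator, meta_alias, remote_entity_id, extra=None):
    """Build an SSO initiation URL on the AM server that hosts the local entity.

    local_base       - context root of the AM server hosting the initiating entity
    initiator        - "sp" or "idp": which hosted entity starts the flow
    meta_alias       - local alias of that entity, e.g. /sp or /myrealm/sp
    remote_entity_id - entity ID of the remote partner; percent-encoded here
    extra            - optional further query parameters (see "JSP Pages for
                       SSO and SLO" for the ones AM accepts), also percent-encoded
    """
    if initiator not in INITIATORS:
        raise ValueError("initiator must be 'sp' or 'idp'")
    path, remote_param = INITIATORS[initiator]
    query = [
        ("metaAlias", quote(check_meta_alias(meta_alias), safe="/")),
        # safe="" turns ':' and '/' into %3A and %2F, as the article requires
        (remote_param, quote(remote_entity_id, safe="")),
    ]
    for key, value in (extra or {}).items():
        query.append((key, quote(str(value), safe="")))
    return f"{local_base.rstrip('/')}/{path}?" + "&".join(f"{k}={v}" for k, v in query)


def parse_sso_init_url(url):
    """Check an initiation URL (JSP or short form) for the required, matching parameters.

    Returns the initiator type, the metaAlias and the decoded remote entity ID,
    or raises ValueError when the page and the parameters do not correspond.
    """
    split = urlsplit(url)
    page = split.path.rsplit("/", 1)[-1].lower()
    if page in ("spssoinit", "spssoinit.jsp"):
        initiator = "sp"
    elif page in ("idpssoinit", "idpssoinit.jsp"):
        initiator = "idp"
    else:
        raise ValueError(f"not an SSO initiation URL: {split.path}")
    params = parse_qs(split.query, keep_blank_values=True)
    _, remote_param = INITIATORS[initiator]
    missing = [name for name in ("metaAlias", remote_param) if name not in params]
    if missing:
        raise ValueError(f"{initiator}-initiated URL is missing: {', '.join(missing)}")
    return {
        "initiator": initiator,
        "metaAlias": check_meta_alias(params["metaAlias"][0]),
        remote_param: params[remote_param][0],  # parse_qs already percent-decodes
    }


if __name__ == "__main__":
    url = build_sso_init_url(SP_BASE, "sp", "/sp", IDP_BASE)
    print(url)
    print(parse_sso_init_url(url))
```

parse_sso_init_url is the useful half when troubleshooting: run it over a link that fails to start SSO and it reports the missing or mismatched parameter before you look at the SAML exchange itself.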

See Also

How do I redirect to a specific page after a successful IdP or SP initiated login in AM (All versions)?

SP initiated login fails in Identity Cloud or AM (All versions) with Service Provider ID is null error

How do I configure IdP or SP initiated Single Logout in AM (All versions)?

FAQ: SAML federation in AM

SAML Federation in AM

JSP Pages for SSO and SLO

Related Training

ForgeRock Access Management Core Concepts (AM-400)

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.