15.7.7. Configuration of IDP-initiated SSO

download PDF
Usually in PicketLink, the SP starts the flow by sending an authentication request to the IDP, which in turns sends an SAML response to SP with a valid assertion. This flow is called SP-initiated SSO. But the SAML 2.0 specs also defines another flow, called IDP-initiated or Unsolicited Response SSO. In this scenario, the SP does not initiate the authentication flow and receives an SAML response from the IDP. The flow starts on the IDP-side and once authenticated, the user can choose a specific SP from a list and then get redirected to its URL.


  1. User accesses the IDP.
  2. The IDP seeing that there is neither SAML request nor response, assumes an IDP first scenario using SAML.
  3. The IDP challenges the user to authenticate.
  4. Upon authentication, the IDP shows the hosted section where the user gets a page that links to all the SP applications.
  5. The user chooses an SP application.
  6. The IDP redirects the user to the service provider with an SAML assertion in the query parameter, SAML response.
  7. The SP checks the SAML assertion and provides access.

No special configuration is necessary to get Unsolicited Responses supported, you can configure your IDP and SPs as usual. For more information about how to configure IDP and SP, refer to:

How to Use

Once the user is authenticated, the IDP shows a page with links to all service provider applications. A link will usually look like this:

<a href="http://localhost:8080/idp?SAML_VERSION=2.0&TARGET=http://localhost:8080/sales-post/">Sales</a>
Note that the link above redirects the user to the IDP passing the TARGET query parameter, whose value is the URL to the target SP application. Once the user clicks the link above, the IDP extracts the TARGET parameter from the request, builds an SAML v2.0 response, and redirects the user to the target URL. When the user hits the SP, it is automatically authenticated.
You can use the SAML_VERSION query parameter to specify the SAML version that must be used by the IDP to create the SAML response. SAML_VERSION parameter can have the possible options as 2.0 and 1.1.
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.