Page tree
Skip to end of metadata
Go to start of metadata

IDP Initiated SSO using SAML2

An unsolicited SSO can be done by sending a valid SAML response message to the address:


  • entityID has to be application objects entityID from Ubisecure SSO Management UI
  • RelayState is relative address on target application server where browser is redirected(so called deep linking)
  • locale is users used language (optional)
  • isPassive true/false (optional, default false)
  • forceAuthn true/false (optional, default false)
  • oneTimeUse true/false (optional, default false)
  • template - SSO UI template to be used (optional)

You can map this address to a nicer shorter URL using any other tools (by redirect).

SessionRelayService calls can also be chained:

WS-Federation Passive Requester Profile

The WS-Federation Passive Requester Profile is used for initiating a login request. A request is formed at the PassiveRequestorService endpoint:{entityID}

The available parameters are:

  • wa is always ”wsignin1.0” (mandatory)
  • wtrealm is the entityID of the target application (mandatory)
  • wctx allows for the passing and return of RelayState (optional)
  • wreply is not used by Ubisecure SSO (optional)
    • This OPTIONAL parameter specifies the URL to which responses will be sent. It must be a one of a list of pre-configured URL in the metadata.
  • wauth
    • This OPTIONAL parameter indicates the REQUIRED authentication level.  It is equiavelent to SAML2 AuthnContextClassRef.
      • e.g. wauth=urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  • whr (optional) specifies the desired authentication method (equiavelent to SAML2 AuthnContextDeclRef). It can be specified in short form (method name) or long form (URI)
    • whr=password.1
    • whr=
  • wfresh (optional)
    • This optional parameter indicates the freshness requirements.  If specified, this indicates the desired maximum age of authentication specified in minutes. If specified as “0” it indicates a request for the IP/STS to re-prompt the user for authentication before issuing the token. This is equivalent to OAuth2 max_age or SAML2 NotOnOrBefore concepts.

  • locale (optional)
    • locale=fi
  • template (optional)
    • Set the user interface template
    • template=christmas

Example 1 - requesting Finnish language Christmas template login with forced reauthentication and password.1 method only{entityID}&locale=sv&template=christmas&wfresh=0&whr=password.1

Example 2 - requesting Finnish language Christmas template login with any valid session using any method that has the class of urn:oasis:names:tc:SAML:2.0:ac:classes:Password. If there is more than one method, a selection menu will be shown{entityID}&locale=sv&template=christmas&wauth=urn:oasis:names:tc:SAML:2.0:ac:classes:Password

If a user has a session and is permitted to use the application, the user will be redirect to the application with a valid assertion.

Because the WS-Federation request is not signed and is thus easily spoofed by any party, the integrated application should check and compare each value of the response to ensure it met the requested parameters.

OAuth2 Applications

For OAuth2 applications, use the Authorization Request URL to initiate the process and acr_values to select the desired authentication method.