How to implement SP-initiated SSO

Document ID : KB000115323
Last Modified Date : 19/09/2018
Question:
We plan to offer SP-side services with the following configuration.
Is it possible to implement SP-initiated SSO (SAML 2.0)?

· Prepare a server with CA Access Gateway or the Web Agent Option Pack installed.
· A web server with the Web Agent already exists and a web application is running on it. (We currently use Form authentication, but want to replace it with Federation authentication.)
· The IdP will be provided in a separate environment.
When an application on the web server containing the Web Agent is accessed in the SP-initiated flow, can the user be "redirected" to the IdP for authentication regardless of which URL of the application is accessed?

In the manual, "SP-initiated SSO (SAML 2.0)" has the following description, and it seems the flow has to be started from the "link syntax". I want authentication to be possible regardless of which page of the Web Agent-protected application is accessed in an unauthenticated state.

Docops:
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/partnership-federation/urls-to-initiate-single-sign-on#URLstoInitiateSingleSign-on-SP-initiatedSSO(SAML2.0)

SP-initiated SSO (SAML 2.0)
SP-initiated SSO requires that you have HTML code in your SP-side application containing hard-coded links to the AuthnRequest service of the Service Provider.

The Link is:
http://sp_server:port/affwebservices/public/saml2authnrequest?ProviderID=idp_id&ProtocolBinding=uri_of_binding&RelayState=target_URL
 
Environment:
SSO: CA Single Sign-On 12.7, 12.8
Answer:
The desired function cannot be realized with the product functions alone.
However, it can be realized by combining FORM authentication with a form customized with JavaScript or similar, as described below.

The following page describes the SAML 2.0 authentication method:
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/legacy-federation/configure-a-saml-2-0-service-provider

The operation flow is described in the section "SAML Authentication Request Process". According to the behaviour described there, an authentication request is not issued automatically; instead, a SAML assertion must be presented when the protected realm is accessed.
To achieve this, you need to preserve the protected realm URL through FORM authentication.
The login.fcc file contains a hidden INPUT tag named "target", and the URL of the original access destination (the protected area URL) before the redirect to login.fcc is stored in its value, so that value can be retrieved with JavaScript or similar.
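The following is an added example of the client-side logic such a customized login.fcc could carry; it is not CA's code and not part of this article. It reads the hidden "target" input, checks that the value points back at the application's own origin (RelayState is reflected after the IdP round-trip, so an unchecked value would turn the form into an open redirector), and sends the browser to the saml2authnrequest URL from the manual instead of showing a password form. The SP host, the IdP ProviderID, the application origin and the handling of a "-SM-"-prefixed encoded target are placeholders and assumptions to adjust for the deployment.

```javascript
// Added example (not CA's own code): client-side logic for a customised
// login.fcc that starts SP-initiated SSO instead of showing a password form.
// Placeholders (assumed, not from the article): the SP host, the IdP's
// ProviderID, the application origin, and the "-SM-" target encoding.
const SP_AUTHN_REQUEST_SERVICE =
  "https://sp.example.com/affwebservices/public/saml2authnrequest";
const IDP_PROVIDER_ID = "https://idp.example.com/saml2/idp"; // placeholder IdP entity ID
const PROTOCOL_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
const APP_ORIGIN = "https://app.example.com"; // origin of the Web Agent-protected app

// The hidden "target" input may carry a "-SM-"-prefixed, percent-encoded URL
// (an assumption about the deployment); return a plain URL either way.
function normalizeTarget(raw) {
  if (!raw) return null;
  let value = raw.trim();
  if (value.startsWith("-SM-")) {
    try {
      value = decodeURIComponent(value.slice(4));
    } catch (e) {
      return null; // malformed encoding: treat as no target
    }
  }
  return value;
}

// Accept only same-site targets: a relative path (but not a scheme-relative
// "//host" URL) or an absolute URL on the application's own origin. RelayState
// is echoed back after login, so an unchecked value would be an open redirect.
function isSafeTarget(target, allowedOrigin) {
  if (!target) return false;
  if (target.startsWith("/")) return !target.startsWith("//");
  try {
    return new URL(target).origin === allowedOrigin;
  } catch (e) {
    return false;
  }
}

// Build the AuthnRequest service URL from the manual, with RelayState set to
// the page the user originally requested.
function buildAuthnRequestUrl(target) {
  const params = new URLSearchParams({
    ProviderID: IDP_PROVIDER_ID,
    ProtocolBinding: PROTOCOL_BINDING,
    RelayState: target,
  });
  return `${SP_AUTHN_REQUEST_SERVICE}?${params.toString()}`;
}

// Offline-testable stand-in for document.querySelector: pull the hidden
// "target" input's value out of the HTML the FCC renders (name before value).
function extractTargetFromHtml(html) {
  const m = html.match(/<input[^>]*name=["']target["'][^>]*value=["']([^"']*)["']/i);
  return m ? m[1] : null;
}

// Entry point for the customised login.fcc: read the hidden target, validate
// it, and send the browser to the SP's AuthnRequest service. Returns the URL
// used so the decision can be checked outside a browser.
function redirectToIdp(doc, loc) {
  const input = doc.querySelector('input[name="target"]');
  const target = normalizeTarget(input ? input.value : null);
  const relayState = isSafeTarget(target, APP_ORIGIN) ? target : "/";
  const url = buildAuthnRequestUrl(relayState);
  loc.replace(url);
  return url;
}

// In the browser this runs on page load; in Node (no DOM) it is skipped.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  redirectToIdp(document, window.location);
}
```

The exact form in which the FCC exposes the target value depends on the Web Agent configuration, so the "-SM-" decoding and the placeholders above must be checked against the real login page. The same-origin check is the part worth keeping regardless: the user lands on whatever RelayState says after the IdP responds, so the customized form should never forward an arbitrary value.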

Please note that Support is not able to evaluate your customization's implementation method or its validity, because customization is outside the scope of Support.