7.22. SAML2 JSP Endpoints

You can find the endpoints described in this section in the saml2/jsp subdirectory. As of this writing, some of these endpoints are not used in the current implementation of OpenAM. Active endpoints in this category are discussed in the chapter on Managing SAML2 Federation in the Administration Guide.

default.jsp

May be used by other files to return a success or failure message. While the default.jsp name is common in the trunk, the jsp/default.jsp filename is used only by SPSingleLogout.java, which is not commonly used.

exportmetadata.jsp

Supports the export of XML-based metadata with other providers within a circle of trust (CoT). Currently used. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

fedletAttrQuery.jsp

Supports the configuration of SAML attribute query headers.

fedletAttrResp.jsp

Supports the configuration of SAML attribute response headers.

fedletSSOInit.jsp

Previously used to start single sign-on at the Fedlet.

fedletSampleApp.jsp

Specifies a sample fedlet application that can be removed in production.

fedletXACMLQuery.jsp

Enables a sample SAML XACML query handler; used for testing, to prompt users to specify a resource URL along with an action (GET, POST).

fedletXACMLResp.jsp

Retrieves a sample SAML XACML resource URL for a yes, no, or maybe decision (PERMIT, DENY, or INDETERMINATE).

idpMNIPOST.jsp

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect.

idpMNIRedirect.jsp

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular JSP file processes a request from an IDP through an HTTP redirect. It uses a metadata-based alias, an entity ID for the service provider, and the type of MNI request; examples include NewID and terminate.

idpMNIRequestInit.jsp

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. As described in the Managing SAML2 Federation in the Administration Guide chapter of the Administration Guide, it allows you to change federation of persistently linked accounts. The chapter also includes an example of this endpoint at work.

idpSSOFederate.jsp

Specifies an endpoint that takes authentication requests from an SP, with a SAMLRequest data, a metaAlias and a RelayState with information from the target URL.

idpSSOInit.jsp

Specifies an endpoint that starts SSO, either from cache, or by verifying metaAlias and SP identifier data.For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

idpSingleLogoutInit.jsp

Starts a LogoutRequest from the identity provider.For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

idpSingleLogoutPOST.jsp

Specifies an endpoint that receives logout requests from IDPs and receives logout responses from SPs. Also sends logout responses to SPs.

idpSingleLogoutRedirect.jsp

Takes the SAMLRequest and SAMLResponse messages for logouts from the SP. May also handle the RelayState directive.

SA_IDP.jsp

Used for SAML authentication for communication with identity providers (IDPs).

SA_SP.jsp

Used for SAML authentication for communication with service providers (SPs).

saeerror.jsp

Returns an error message related to Secure Attribute Exchange (SAE). Currently used only by the SA_IDP.jsp and SA_SP.jsp endpoints.

saml2error.jsp

Endpoint that may return one of many error codes, specified in the comments of the file.

spAssertionConsumer.jsp

Used on a SP, to interpret information from an IDP. The request to the IDP is an AuthnRequest; the response from the IDP is read by this endpoint.

spMNIPOST.jsp

The MNI in several JSP files relate to ManageNameID, which sets up corresponding accounts on IDPs and SPs. This particular endpoint takes the associated request, using an HTTP Redirect, from a SP. Less commonly used.

spMNIRedirect.jsp

This particular endpoint handles the ManageNameIDRequest and ManageNameIDRespnose messages with the help of HTTP Redirect. Less commonly used.

spMNIRequestInit.jsp

This particular endpoint supports changes to federation of persistently linked accounts, in a fashion similar to idpMNIRequestInit.jsp. For an example of this endpoint in work, see the chapter on Managing SAML2 Federation in the Administration Guide.

spSSOInit.jsp

Supports SSO messages from the SP. For more information and an example of how this endpoint is used, see the chapter on Managing SAML2 Federation in the Administration Guide.

spSingleLogoutInit.jsp

Supports SSO messages from the SP. For more information, see the chapter on Managing SAML2 Federation in the Administration Guide.

spSingleLogoutPOST.jsp

Specifies an endpoint that receives logout requests from SPs and receives logout responses from IDPs. Also sends logout responses to IDPs. Converse endpoint to idpSingleLogoutPOST.jsp.

spSingleLogoutRedirect.jsp

Takes the SAMLRequest and SAMLResponse messages for logouts from the IDP. May also handle the RelayState directive. Converse endpoint to idpSingleLogoutRedirect.jsp.