Front Channel Interface

This interface is used to perform the following operations:

Operations performed on user authentication

Federated identity (FI) management operations


SP endpoint URL: SP_API_BASE_URL/ui

IdP endpoint URL: value of response_url

The two groups differ in the conditions under which their operations are invoked. For details, refer to the Authentication-related Operations and FI Management Operations sections.

Each operation is defined by the parameters that IdP sends to SP (called input parameters) and the parameters that SP sends back to IdP (called output parameters). For each operation, IdP queries the principal through an operation-specific input dialog (hereafter called a dialog) to obtain the output parameters. SP renders the user interface of the dialog and displays it to the UA. Each operation has a corresponding user interface (an HTML form), called the IdP user interface.

Important: SPs must not embed operation-specific business logic in the dialog logic, because the dialog logic is subject to change.

The schema of each dialog is as follows:

  1. IdP redirects UA to SP with input parameters:

    Destination URL is SP_API_BASE_URL/ui. The SP_API_BASE_URL is defined by the SP when it is registered in IdP. For details, refer to the Registering SP in IdP section.
    The following input parameters are sent for all operations:

    1. ui_type. Type of operation. Allowed values: idp_fi_detach, idp_fi_attach, idp_fi_update, idp_select_name, idp_login.
    2. response_url. URL to which SP must redirect UA after a user submits an HTML form provided by the SP.
    3. request_id. Request identifier. This parameter must be present in the output parameters and must not be modified by SP.
    4. relay_state. RelayState parameter. For details, refer to section 3.5.3 RelayState of the Bindings for the OASIS Security Assertion Markup Language (SAML) v.2.0 document.


  2. SP displays an HTML form built from the input parameters. The form fields are the output parameters.

  3. When the form is submitted, the output parameters are sent to IdP (the UA is redirected to response_url).

    If the user has confirmed closing the dialog (e.g. pressed the "Submit" button), the output parameter confirmed must be returned with any non-empty value. IdP then processes the HTML form data.

    If the user has cancelled the dialog, the confirmed parameter must not be present (in this case IdP ignores all other parameters except request_id).
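The dialog schema above, worked through on the SP side as an added example (not code from the original specification): validating the input parameters IdP sends to SP_API_BASE_URL/ui, then building the redirect back to response_url for both the confirmed and the cancelled case. The base URL, IdP origin and sample values are constructed; the check that response_url belongs to the registered IdP origin is a hardening assumption, not a requirement stated on the page.

```python
from urllib.parse import urlencode, urlparse

# Constructed values for this example; the real ones come from SP registration in IdP.
SP_API_BASE_URL = "https://sp.example.test/api"
IDP_ORIGIN = "https://idp.example.test"  # assumption: the IdP origin registered with the SP
ALLOWED_UI_TYPES = {"idp_fi_detach", "idp_fi_attach", "idp_fi_update",
                    "idp_select_name", "idp_login"}
REQUIRED_INPUTS = ("ui_type", "response_url", "request_id", "relay_state")


def parse_dialog_request(destination, params):
    """Validate the input parameters of an IdP -> SP dialog redirect.

    `destination` is the URL the UA was redirected to, `params` the query
    parameters as a plain dict. Returns the validated request or raises ValueError.
    """
    if destination != SP_API_BASE_URL + "/ui":
        raise ValueError("unexpected destination URL")
    for name in REQUIRED_INPUTS:
        if not params.get(name):
            raise ValueError(f"missing input parameter: {name}")
    if params["ui_type"] not in ALLOWED_UI_TYPES:
        raise ValueError(f"unknown ui_type: {params['ui_type']}")
    resp = urlparse(params["response_url"])
    # Hardening assumption: only redirect the UA back to the registered IdP
    # origin, so a manipulated response_url cannot turn SP into an open redirect.
    if f"{resp.scheme}://{resp.netloc}" != IDP_ORIGIN:
        raise ValueError("response_url does not point at the registered IdP")
    return {name: params[name] for name in REQUIRED_INPUTS}


def build_dialog_response(request, form_fields, confirmed):
    """Build the SP -> IdP redirect URL sent when the user submits or cancels the form.

    request_id is passed through unmodified. `confirmed` is present (non-empty)
    only when the user submitted; on cancel, IdP ignores everything but request_id,
    so the operation-specific fields are not sent at all.
    """
    out = {"request_id": request["request_id"]}
    # Assumption: RelayState is echoed back unmodified, as SAML bindings require.
    out["relay_state"] = request["relay_state"]
    if confirmed:
        out["confirmed"] = "1"  # any non-empty value is accepted
        out.update(form_fields)  # operation-specific output parameters
    return request["response_url"] + "?" + urlencode(out)
```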

When a dialog is finished, IdP performs one of the following actions:

Note: Here we do not consider communication via the Back Channel interface.

In this section:

Authentication-related Operations

FI Management Operations