This interface is used to perform the following operations:
Authentication-related operations
Federated identity (FI) management operations
SP endpoint URL: SP_API_BASE_URL
IdP endpoint URL: value of
The two groups differ in the conditions under which their operations are invoked. For details, refer to the Authentication-related operations and FI Management Operations sections.
The operations differ in the parameters that IdP sends to SP (called input parameters) and the parameters that SP sends back to IdP (called output parameters). For each operation, IdP obtains the output parameters by querying the principal through an operation-specific input dialog (hereafter called dialog): IdP sends the input parameters to SP, SP renders the user interface of the dialog and displays it to UA, and the values the user enters are returned to IdP as output parameters. Each operation has a corresponding user interface (HTML form) called IdP user interface.
Important: SPs must not tie their own business logic to the dialog logic, because the dialog logic is subject to change.
The schema of each dialog is as follows:
Destination URL is SP_API_BASE_URL/ui. The SP_API_BASE_URL is defined by the SP when it is registered in IdP. For details, refer to the Registering SP in IdP section.
The following input parameters are sent for all operations:
ui_type. Type of operation. Allowed values: idp_fi_detach, idp_fi_attach, idp_fi_update, idp_select_name, idp_login.
response_url. URL to which SP must redirect UA after the user submits the HTML form provided by the SP.
request_id. Request identifier. The SP should return this parameter unchanged among the output parameters.
relay_state. RelayState parameter. For details on the parameter, refer to the 3.5.3 RelayState section of the Bindings for the OASIS Security Assertion Markup Language (SAML) v.2.0 document.
The output parameters depend on whether the user confirmed the dialog. If the user confirmed it, confirmed with any non-empty value must be returned, and IdP processes the HTML form data. If the user did not confirm it, the confirmed parameter should not be present; in this case IdP ignores all other parameters except request_id.
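The following is an added example of the SP side of this round trip, written for this page and not taken from the IdP's or any SP's own code. It parses the IdP request to SP_API_BASE_URL/ui, checks the common input parameters, renders a minimal dialog form, and builds the redirect back to response_url with request_id and relay_state returned unchanged and confirmed present only when the user confirmed. The concrete SP_API_BASE_URL, the IDP_ORIGIN used to restrict response_url, the form action path, the function names and the sample request are all assumptions; in particular, the check that response_url points at the registered IdP is a practitioner's guard against using /ui as an open redirector and is not stated on this page.

```python
"""SP-side handling of an IdP dialog (added example; names and URLs are assumed)."""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SP_API_BASE_URL = "https://sp.example.test/api"   # assumed value registered with the IdP
IDP_ORIGIN = "https://idp.example.test"           # assumed; only origin response_url may use

# ui_type values listed on the page; anything else is rejected.
ALLOWED_UI_TYPES = {"idp_fi_detach", "idp_fi_attach", "idp_fi_update",
                    "idp_select_name", "idp_login"}
# Input parameters the IdP sends for every operation.
REQUIRED_INPUTS = ("ui_type", "response_url", "request_id", "relay_state")


def parse_dialog_request(url):
    """Validate an IdP -> SP request to SP_API_BASE_URL/ui and return its input parameters."""
    parts = urlsplit(url)
    expected = urlsplit(SP_API_BASE_URL + "/ui")
    if (parts.scheme, parts.netloc, parts.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("not the dialog endpoint")
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {}
    for name in REQUIRED_INPUTS:
        values = query.get(name, [])
        if len(values) != 1:              # missing or duplicated parameters are rejected
            raise ValueError("missing or repeated input parameter: " + name)
        params[name] = values[0]
    if params["ui_type"] not in ALLOWED_UI_TYPES:
        raise ValueError("unknown ui_type: " + params["ui_type"])
    # Open-redirect guard (assumption, not on the page): only send the UA back to the IdP.
    target, idp = urlsplit(params["response_url"]), urlsplit(IDP_ORIGIN)
    if (target.scheme, target.netloc) != (idp.scheme, idp.netloc):
        raise ValueError("response_url does not point at the registered IdP")
    return params


def check_dialog_request(url):
    """Return None if the request is acceptable, otherwise the rejection reason."""
    try:
        parse_dialog_request(url)
        return None
    except ValueError as exc:
        return str(exc)


def render_dialog_form(params):
    """Render the SP's HTML form for the dialog; the SP handles the POST and then redirects.

    request_id and relay_state ride along as hidden fields so they can be returned unchanged.
    """
    hidden = "".join(
        '<input type="hidden" name="%s" value="%s">' % (escape(k), escape(v, quote=True))
        for k, v in params.items() if k in ("ui_type", "request_id", "relay_state"))
    return ('<form method="post" action="%s/ui/submit">%s<p>Operation: %s</p>'
            '<button name="confirmed" value="yes">Confirm</button>'
            '<button name="cancel" value="1">Cancel</button></form>'
            % (escape(SP_API_BASE_URL), hidden, escape(params["ui_type"])))


def build_response_redirect(params, confirmed, extra=None):
    """Build the SP -> IdP redirect to response_url carrying the output parameters.

    request_id is echoed unchanged; confirmed is set only on confirmation. On cancel it is
    omitted and, per the page, the IdP then ignores everything except request_id.
    """
    out = {"request_id": params["request_id"], "relay_state": params["relay_state"]}
    if confirmed:
        out["confirmed"] = "1"
        out.update(extra or {})   # operation-specific output parameters (assumed example)
    r = urlsplit(params["response_url"])
    query = r.query + "&" + urlencode(out) if r.query else urlencode(out)
    return urlunsplit((r.scheme, r.netloc, r.path, query, r.fragment))


# Constructed sample request, as the IdP would redirect the UA to the SP.
SAMPLE_REQUEST = SP_API_BASE_URL + "/ui?" + urlencode({
    "ui_type": "idp_login",
    "response_url": IDP_ORIGIN + "/ui/response",
    "request_id": "req-123",
    "relay_state": "abc",
})

if __name__ == "__main__":
    p = parse_dialog_request(SAMPLE_REQUEST)
    print(render_dialog_form(p))
    print(build_response_redirect(p, confirmed=True, extra={"name_id": "alice"}))
    print(build_response_redirect(p, confirmed=False))
```

The form posts to the SP rather than straight to response_url so the SP decides what leaves its origin: it never forwards user-supplied fields it does not recognise, and it refuses to redirect anywhere but the IdP origin it was registered with.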
When a dialog is finished, IdP performs one of the following actions:
Note: Here we do not consider communication via the Back Channel interface.