IdP implements the Authentication Request and SAML Single Logout protocols. To access IdP functionality that is not covered by these protocols, SPs must use the Back Channel and Front Channel programming interfaces. The two groups of interfaces differ in the way data is transferred between the entities.
For direct communication between the SP and IdP, the Back Channel interfaces are used. Each interface has a specific endpoint URL to which the SP or IdP issues an HTTP GET, PUT, or DELETE request with specific parameters and receives a response. Refer to the corresponding sections of the HTTP 1.1 Protocol Specification for details on the HTTP methods.
For communication between user agents (UA) and IdP, the Front Channel interface is used. The interface has a specific endpoint URL used to exchange data between IdP and the UA via the HTTP POST binding. For details on the binding model, refer to section 3.5, HTTP POST Binding, of the Bindings for the OASIS Security Assertion Markup Language (SAML) v2.0 document.
To use the interfaces, the SP must be authenticated to IdP. This means that the SP must be registered in IdP and hold a valid certificate issued by the IdP. For details on registering an SP in IdP, refer to the Registering SP in IdP section.
Note: It is assumed that the prefix of all IdP interface endpoints, IDP_API_BASE_URL, is known to SP administrators.
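As an added example that is not part of the IdP documentation, the following Python helper shows the SP side of both channel types: building a Back Channel request under IDP_API_BASE_URL, and producing and parsing a Front Channel message in the SAML 2.0 HTTP POST binding. It assumes the SP's IdP-issued certificate is presented as a TLS client certificate when the request is opened; the base URL value, endpoint paths and parameter names are placeholders, not real IdP endpoints.

```python
import base64
import html
import urllib.parse
import urllib.request

# Constructed placeholder; the real prefix is handed out by the IdP operator.
IDP_API_BASE_URL = "https://idp.example.test/api"
ALLOWED_METHODS = {"GET", "PUT", "DELETE"}  # the methods the Back Channel uses


def build_back_channel_request(path, method="GET", params=None):
    """Build a direct SP->IdP request; path and parameter names are assumed.
    The SP's IdP-issued certificate is attached when the request is opened
    (ssl.SSLContext.load_cert_chain), so this function has no side effects."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError("unsupported Back Channel method: %s" % method)
    url = IDP_API_BASE_URL.rstrip("/") + "/" + path.lstrip("/")
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, method=method)


def build_post_binding_form(endpoint, saml_xml, relay_state=None, field="SAMLRequest"):
    """Render the self-submitting form of the SAML 2.0 HTTP POST binding.
    Values are HTML-escaped so a RelayState cannot break out of the markup."""
    if field not in ("SAMLRequest", "SAMLResponse"):
        raise ValueError("field must be SAMLRequest or SAMLResponse")
    if relay_state is not None and len(relay_state.encode("utf-8")) > 80:
        raise ValueError("RelayState must not exceed 80 bytes")
    encoded = base64.b64encode(saml_xml.encode("utf-8")).decode("ascii")
    hidden = '<input type="hidden" name="%s" value="%s"/>'
    inputs = [hidden % (field, encoded)]
    if relay_state is not None:
        inputs.append(hidden % ("RelayState", html.escape(relay_state, quote=True)))
    return ('<form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>'
            % (html.escape(endpoint, quote=True), "".join(inputs)))


def parse_post_binding(body):
    """Decode a POST binding body; exactly one of SAMLRequest/SAMLResponse
    must be present. Returns (field, xml, relay_state)."""
    form = urllib.parse.parse_qs(body, keep_blank_values=True)
    present = [f for f in ("SAMLRequest", "SAMLResponse") if f in form]
    if len(present) != 1:
        raise ValueError("expected exactly one of SAMLRequest/SAMLResponse")
    field = present[0]
    xml = base64.b64decode(form[field][0], validate=True).decode("utf-8")
    return field, xml, form.get("RelayState", [None])[0]
```

The decoded XML still has to be signature-checked and validated against the expected issuer and destination before the SP acts on it; this helper only handles the transport encoding.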