Setting up IDP initiated SSO
To get IDP initiated SSO working, please download the SP metadata from here and import into your IDP.
There is no need to specify a RelayState inside your IDP configuration - after a successful federation the user will be redirected to the protected page in any case.
You can however make use of the RelayState to control the color of the protected page. Read this to learn how this works.
Setting up SP initiated SSO
You really should have IDP initiated SSO working before proceeding. If you skipped that part, at least you should have downloaded the SAML metadata (see above) and imported it into your IDP by now.
To get SP initiated SSO working, please upload your IDP metadata file by either pasting it into the text area below or selecting it for upload directly. As a result you will be shown a URL with a unique ID in it. This URL is your unique logon URL that will always map to your IDP. Accessing this unique URL will send a SAML AuthNRequest to your IDP - so please bookmark it. Should you forget the URL, simply upload your metadata again and try to not loose the URL this time :-)
If you uploaded your IDP metadata and after you successfully authenticated into the site, a persistent cookie will be set that contains the IDP identifier. This is used to trigger a SAML AuthNRequest if you access the protected page in the future.
It also will enable the " AuthNRequest Wizard" after the first successful authentication. You'll see it in the menu bar at the top of the page.
A word about SAML Attributes
All attributes that are inside a SAML attribute statement will be displayed.
The protected page tries to display a greeting in the form of
"Hello <firstname> <lastname>"
To get the <firstname> and/or <lastname> populated, it'll try to find an attribute called "givenname" or "firstname" for <firstname> and "sn", "lastname", "surname" or "name" for <lastname>. All this totally ignores the case of the attribute name, so
GiVeNnAmE are all the
same (if you think
GiVeNnAmE is a good idea... we salute you!).
If no appropriate attribute(s) can be found, the NameID will be used to greet the federated user.
Use RelayState to control the color theme
If you do want to use a relay state, here is a cool feature: you can control how the protected page will look like using the relay state.
Just set the RelayState your IDP is sending to the name of the color theme e.g.
Supported color themes are: grey black blue purple indigo light-blue and... pink
If you like to play with the colors you can manually add the "color" URL parameter after you federated into the protected site and see the result without having to re-configure your IDP e.g. https://sptest.iamshowcase.com/protected?color=black
Authentication Request Wizard
With this page you can create a custom SAML Authentication Request.
By default it'll create a request identical to the one used to do normal SP initiated login (you clicking on the " Protected Page" link).
With the wizard you can add an AuthenticationContextClassRef to request a certain authentication method from the IDP.
You can also add a NameID (Subject) to the Authentication Request to let the IDP know you already did the primary authentication.
It is also possible to set the ForceAuthn flag to tell the IDP to ignore any SSO session that might exist and challenge the user not matter what.