15.7.7. Configuration of IDP-initiated SSO

Usually in PicketLink, the SP starts the flow by sending an authentication request to the IDP, which in turn sends a SAML response with a valid assertion back to the SP. This flow is called SP-initiated SSO. The SAML 2.0 specification also defines another flow, called IDP-initiated SSO or Unsolicited Response SSO. In this scenario the SP does not initiate the authentication flow; it simply receives a SAML response from the IDP. The flow starts on the IDP side: once authenticated, the user chooses a specific SP from a list and is redirected to its URL. Because no authentication request precedes the response, the SP cannot correlate it with a request of its own (an unsolicited response carries no InResponseTo value), so the SP has to rely on the response signature, issuer, audience, validity window and replay checks to decide whether to trust the assertion.

Walkthrough

  1. The user accesses the IDP.
  2. The IDP, seeing that there is neither a SAML request nor a SAML response, assumes an IDP-first scenario using SAML.
  3. The IDP challenges the user to authenticate.
  4. Upon authentication, the IDP shows the hosted section, a page that links to all the SP applications.
  5. The user chooses an SP application.
  6. The IDP redirects the user to the service provider with the SAML response, which carries the assertion, in a query parameter.
  7. The SP validates the SAML response and its assertion (signature, issuer, audience, validity window, replay) and, if they check out, grants access.
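
The checks in step 7 that are specific to the unsolicited case are easy to get wrong, because the usual InResponseTo correlation is missing. The following is an added example, not PicketLink's own validation code: a Python function that applies those checks to a constructed sample response addressed to the sales-post SP. It assumes the XML signature on the response has already been verified with a proper XML-DSig library against the IDP's configured certificate (the sample therefore omits the Signature element), and the issuer and SP URLs, the clock value and the `seen_assertion_ids` replay cache are all assumptions for the example.

```python
"""SP-side content checks for an unsolicited (IDP-initiated) SAML 2.0 response.

Added example, not PicketLink code. Assumes the Response signature was already
verified with an XML-DSig library; only the assertion-content checks are shown.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what the IDP at http://localhost:8080/idp/ would send
# to the sales-post SP (hypothetical values; Signature element omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="http://localhost:8080/sales-post/">
  <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://localhost:8080/idp/</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>http://localhost:8080/sales-post/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    pass


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_now(minutes_after_noon=1):
    """Constructed clock for the sample: 2024-01-01 12:00Z plus the given minutes."""
    return datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes_after_noon)


def validate_unsolicited_response(xml_text, *, idp_issuer, sp_url, seen_assertion_ids,
                                  now, skew=timedelta(seconds=60)):
    """Return the authenticated NameID or raise SamlValidationError.

    seen_assertion_ids is the SP's replay cache, a set shared across requests.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    # The SP never sent an AuthnRequest, so a response claiming to answer one
    # is not what this endpoint expects.
    if root.get("InResponseTo") is not None:
        raise SamlValidationError("unsolicited response must not carry InResponseTo")
    if root.get("Destination") != sp_url:
        raise SamlValidationError("Destination does not match this SP")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlValidationError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    # Both the Response and the Assertion must name the IDP we trust.
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != idp_issuer:
            raise SamlValidationError("unexpected Issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise SamlValidationError("missing Conditions/NotOnOrAfter")
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + skew < _parse_ts(not_before):
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= _parse_ts(conditions.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_url not in audiences:
        raise SamlValidationError("assertion not intended for this SP")
    # With no request to tie it to, a captured assertion could be replayed
    # inside its validity window, so remember the IDs already accepted.
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed or missing ID")
    seen_assertion_ids.add(assertion_id)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("missing Subject/NameID")
    return name_id.text.strip()


if __name__ == "__main__":
    cache = set()
    print("authenticated as", validate_unsolicited_response(
        SAMPLE_RESPONSE, idp_issuer="http://localhost:8080/idp/",
        sp_url="http://localhost:8080/sales-post/", seen_assertion_ids=cache,
        now=sample_now(1)))
```

The replay cache matters more here than in the SP-initiated flow: the SP cannot reject a response merely because it does not match an outstanding request, so the assertion ID must be remembered for at least the length of the validity window.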

Configuration

No special configuration is necessary to support Unsolicited Responses; configure your IDP and SPs as usual. For more information about how to configure the IDP and SP, refer to:

How to Use

Once the user is authenticated, the IDP shows a page with links to all service provider applications. A link will usually look like this:

<a href="http://localhost:8080/idp?SAML_VERSION=2.0&TARGET=http://localhost:8080/sales-post/">Sales</a>

Note that the link above sends the user to the IDP with a TARGET query parameter whose value is the URL of the target SP application. When the user clicks the link, the IDP extracts TARGET from the request, builds a SAML v2.0 response, and redirects the user to the target URL. When the user reaches the SP, the response is consumed and the user is automatically authenticated. Since the IDP turns TARGET into a redirect that carries a freshly issued assertion, only values that match an SP registered with the IDP should be honoured; a TARGET accepted without such a check would let anyone craft a link that delivers a valid assertion to a host of their choosing.

The SAML_VERSION query parameter specifies the SAML version the IDP must use to create the SAML response. Its accepted values are 2.0 and 1.1.
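As an added example that is not PicketLink's own code, the function below shows how an IDP can parse the query string of a link like the one above, accept only the SAML_VERSION values 2.0 and 1.1, and accept a TARGET only when it points at a registered SP. The `REGISTERED_SPS` list, the `resolve_target` name and the default of 2.0 when SAML_VERSION is omitted are assumptions for the example; the check compares parsed scheme, host, port and normalised path rather than string prefixes, because substring and `startswith` checks are defeated by userinfo, lookalike hosts and `..` segments.

```python
"""IDP-side handling of the TARGET and SAML_VERSION link parameters.

Added example, not PicketLink code. Assumes the IDP keeps a list of registered
SP URLs (REGISTERED_SPS below is constructed) and only redirects to those.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Constructed registry; a real IDP would take this from its SP configuration.
REGISTERED_SPS = (
    "http://localhost:8080/sales-post/",
    "http://localhost:8080/employee/",
)
ALLOWED_VERSIONS = ("2.0", "1.1")
DEFAULT_VERSION = "2.0"  # assumption: used when the link omits SAML_VERSION


class TargetError(ValueError):
    pass


def _origin_and_path(url):
    """Split a URL into (scheme, host, port, normalised path) for comparison.

    Comparing parsed components defeats tricks such as
    http://localhost:8080@evil.com/, http://localhost:8080.evil.com/ and
    /sales-post/../admin/, all of which pass a naive startswith() check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise TargetError("malformed TARGET: %s" % exc)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise TargetError("TARGET must be an absolute http(s) URL")
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    path = posixpath.normpath(parts.path or "/")
    return parts.scheme, parts.hostname.lower(), port, path


def resolve_target(query_string, registered=REGISTERED_SPS):
    """Return (saml_version, target_url) for an acceptable link, else raise TargetError."""
    params = parse_qs(query_string, keep_blank_values=True)
    version = params.get("SAML_VERSION", [DEFAULT_VERSION])[0]
    if version not in ALLOWED_VERSIONS:
        raise TargetError("unsupported SAML_VERSION %r" % version)
    targets = params.get("TARGET", [])
    if len(targets) != 1:
        raise TargetError("exactly one TARGET parameter is required")
    target = targets[0]
    scheme, host, port, path = _origin_and_path(target)
    for sp in registered:
        sp_scheme, sp_host, sp_port, sp_path = _origin_and_path(sp)
        same_origin = (scheme, host, port) == (sp_scheme, sp_host, sp_port)
        under_sp = path == sp_path or path.startswith(sp_path.rstrip("/") + "/")
        if same_origin and under_sp:
            return version, target
    raise TargetError("TARGET %r is not a registered SP" % target)


if __name__ == "__main__":
    # Query string of the link shown in the text above.
    print(resolve_target("SAML_VERSION=2.0&TARGET=http://localhost:8080/sales-post/"))
    for bad in ("TARGET=http://localhost:8080@evil.com/sales-post/",
                "TARGET=http://localhost:8080/sales-post/../admin/",
                "SAML_VERSION=3.0&TARGET=http://localhost:8080/sales-post/"):
        try:
            resolve_target(bad)
        except TargetError as exc:
            print("rejected:", exc)
```

The returned target is the original string, so the IDP still redirects to exactly the URL the link named (including any sub-path under the registered SP), but only after the parsed form has been matched against the registry.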