17.2.6.10. Limitations of the SAML IDP in the Loginapp REST API

The following limitations apply to the SAML IDP implementation:

| Topic | Details |
|---|---|
| No mix of implementations | The SAML implementations of the JSP-Loginapp and the Loginapp REST API cannot be mixed, not even by using configuration contexts. In particular, a SAML IDP in the Loginapp REST API cannot be used with a SAML SP in the JSP-Loginapp. |
| forceAuthn flag | If the SAML AuthnRequest contains the flag forceAuthn, an existing user session is terminated and the user has to fully authenticate. This is the same behavior as in the JSP-Loginapp's SAML implementation. |
| AuthnRequest flags | The following flags in the AuthnRequest are ignored: isPassive, allowCreate (same as in the JSP-Loginapp's SAML implementation). |
| No multi IDP | An Airlock IAM instance cannot host multiple SAML IDPs (each with a different configuration), not even by using configuration contexts. |
| Configuration contexts | The SAML IDP must be configured in the default configuration context. |
| SP-initiated SLO | In SP-initiated SLO (single logout), the first LogoutRequest to the IDP defines the binding (redirect or POST) for all SPs. |
| IDP-initiated SLO | In IDP-initiated SLO (single logout), the binding (redirect or POST) for all SPs is defined by the IDP. |
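
An SP integrator can check a captured AuthnRequest against the two flag limitations above before go-live. The following Python check is an added example, not Airlock IAM code; it assumes the flag names on this page correspond to the SAML 2.0 attributes `ForceAuthn`, `IsPassive` and `NameIDPolicy/@AllowCreate`, and the function names and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest (not taken from a real deployment).
SAMPLE_XML = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    b'IsPassive="true"><samlp:NameIDPolicy AllowCreate="true"/>'
    b'</samlp:AuthnRequest>'
)

def encode_redirect(xml_bytes):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_bytes) + c.flush()).decode()

def decode_saml_request(value, binding):
    """Decode a URL-decoded SAMLRequest value; binding is 'redirect' or 'post'."""
    raw = base64.b64decode(value)
    return zlib.decompress(raw, -15) if binding == "redirect" else raw

def review_authn_request(xml_bytes):
    """Map each flag set in the request to its effect per the limitations table."""
    # Refuse DTDs so entity-expansion payloads never reach the XML parser.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD in SAML message rejected")
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")

    def is_true(value):  # xs:boolean allows "true" and "1"
        return value is not None and value.strip() in ("true", "1")

    findings = {}
    if is_true(root.get("ForceAuthn")):
        findings["ForceAuthn"] = "existing session terminated, full authentication"
    if is_true(root.get("IsPassive")):
        findings["IsPassive"] = "ignored"
    policy = root.find("{%s}NameIDPolicy" % SAMLP)
    if policy is not None and is_true(policy.get("AllowCreate")):
        findings["AllowCreate"] = "ignored"
    return findings

if __name__ == "__main__":
    xml = decode_saml_request(encode_redirect(SAMPLE_XML), "redirect")
    for flag, effect in review_authn_request(xml).items():
        print(flag, "->", effect)
```
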