17.2.6.4. SAML IDP URLs

The following table provides an overview of all relevant URLs when using Airlock IAM as SAML identity provider (IDP).

The SAML IDP endpoint URLs are new for IAM 7.6.

However, the old SAML endpoint URLs are still supported, so existing remote SPs do not have to be reconfigured when migrating the IDP from the JSP-Loginapp to the Loginapp REST UI.

SAML IDP URLs

Note that the URLs depend on the SAML configuration, especially the configured metaAlias (which is iamIdP in the templates provided in this documentation).

All URLs are specified relative to the Airlock IAM context path (e.g. https://iam.host.com/auth/).

| URL scheme | Meaning | Examples |
| --- | --- | --- |
| /saml2/idp/sso/metaAlias/xyz | SSO endpoint for redirect binding. | https://iam.host.com/auth/saml2/idp/sso/metaAlias/iamIdp |
| /saml2/idp/sso/metaAlias/xyz | SSO endpoint for POST binding. | https://iam.host.com/auth/saml2/idp/sso/metaAlias/iamIdp |
| /saml2/idp/resolve-artifact/metaAlias/xyz | Artifact resolution endpoint. | https://iam.host.com/auth/saml2/idp/resolve-artifact/metaAlias/iamIdp |
| /saml2/idp/slo/metaAlias/xyz | SLO endpoint for POST- and redirect binding. | https://iam.host.com/auth/saml2/idp/slo/metaAlias/iamIdp |
| /ui/app/error/message | SAML error page in the Loginapp REST UI. Can be defined in configuration for custom web UIs. | https://iam.host.com/auth/ui/app/error/message |

Make sure to use an up-to-date Airlock Gateway mapping template file (7.6 or newer) and activate the SAML allow rule.

Legacy URLs

The legacy URLs documented below are still supported and correspond to the URLs used in Airlock IAM versions 7.5 and older (in the JSP-Loginapp).

Use them if there are existing SPs that rely on the URLs and you do not want to change the SP configuration.

| URL scheme | Meaning | Examples |
| --- | --- | --- |
| /SSORedirect/metaAlias/xyz | SSO endpoint for redirect binding. | https://iam.host.com/auth/SSORedirect/metaAlias/iamIdp |
| /SSOPOST/metaAlias/xyz | SSO endpoint for POST binding. | https://iam.host.com/auth/SSOPOST/metaAlias/iamIdp |
| /ArtifactResolver/metaAlias/xyz | Artifact resolution endpoint. | https://iam.host.com/auth/ArtifactResolver/metaAlias/iamIdp |
| /IDPSloRedirect/metaAlias/xyz | SLO endpoint for POST- and redirect binding. | https://iam.host.com/auth/IDPSloRedirect/metaAlias/iamIdp |
| /ui/app/error/message | SAML error page in the Loginapp REST UI. Can be defined in configuration for custom web UIs. | https://iam.host.com/auth/ui/app/error/message |
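
Added example (not part of the Airlock IAM documentation or product): a Python script that audits the IdP metadata an SP holds, flags endpoints that still use legacy URLs, and derives the IAM 7.6 equivalent while keeping the context path and metaAlias. It assumes the legacy and 7.6 paths correspond row by row in the two tables on this page; `classify`, `audit_metadata` and the sample metadata are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Assumption: legacy and 7.6 path segments are paired by matching table rows.
LEGACY_TO_NEW = {
    "SSORedirect": "saml2/idp/sso",
    "SSOPOST": "saml2/idp/sso",
    "ArtifactResolver": "saml2/idp/resolve-artifact",
    "IDPSloRedirect": "saml2/idp/slo",
}
NEW_SEGMENTS = set(LEGACY_TO_NEW.values())
_SEG = "|".join(re.escape(s) for s in list(LEGACY_TO_NEW) + sorted(NEW_SEGMENTS))
# base = scheme, host and IAM context path; alias = configured metaAlias
ENDPOINT_RE = re.compile(rf"^(?P<base>https://.+?/)(?P<seg>{_SEG})/metaAlias/(?P<alias>[^/?#]+)$")

def classify(url):
    """Return (status, metaAlias, equivalent IAM 7.6 URL) for one endpoint URL."""
    m = ENDPOINT_RE.match(url)
    if not m:
        return ("unknown", None, None)
    if m["seg"] in NEW_SEGMENTS:
        return ("current", m["alias"], url)
    new_url = f"{m['base']}{LEGACY_TO_NEW[m['seg']]}/metaAlias/{m['alias']}"
    return ("legacy", m["alias"], new_url)

def audit_metadata(xml_text):
    """Classify every endpoint Location inside the IDPSSODescriptor elements."""
    findings = []
    # Constructed input only; use a hardened parser (e.g. defusedxml) for third-party metadata.
    for idp in ET.fromstring(xml_text).iter(MD + "IDPSSODescriptor"):
        for el in idp:
            loc = el.get("Location")
            if loc:
                findings.append((el.tag.replace(MD, ""), *classify(loc)))
    return findings

# Constructed sample: IdP metadata as an SP might still hold it after migration.
SAMPLE_METADATA = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="constructed-idp">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://iam.host.com/auth/ArtifactResolver/metaAlias/iamIdp"/>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iam.host.com/auth/saml2/idp/slo/metaAlias/iamIdp"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://iam.host.com/auth/SSOPOST/metaAlias/iamIdp"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for kind, status, alias, new_url in audit_metadata(SAMPLE_METADATA):
        print(f"{status:8} {kind:26} metaAlias={alias} -> {new_url}")
```

Endpoints reported as `unknown` match neither table and should be checked by hand before the SP configuration is changed.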