Limitations of SAML in the Loginapp REST API

The following limitations apply to the SAML IDP and SP implementation:

| Topic | Details |
|---|---|
| No mix of implementations | The SAML implementations of the JSP-Loginapp and the Loginapp REST API cannot be mixed, not even by using a configuration context. In particular, a SAML IDP in the Loginapp REST API cannot be used with a SAML SP in the JSP-Loginapp. |
| forceAuthn flag | If the SAML AuthnRequest contains the flag forceAuthn, an existing user session is terminated and the user has to fully authenticate. This is the same behavior as in the JSP-Loginapp's SAML implementation. |
| AuthnRequest flags | The following flags in the AuthnRequest are ignored: isPassive, allowCreate (same as in the JSP-Loginapp's SAML implementation). |
| No multi IDP | An Airlock IAM instance cannot host multiple SAML IDPs (each with a different configuration), not even by using a configuration context. |
| Configuration contexts | The SAML IDP must be configured in the default configuration context. |
| SP-initiated SLO | In SP-initiated SLO (single logout), the first LogoutRequest sent to the IDP defines the binding (redirect or POST) used for all SPs. |
| IDP-initiated SLO | In IDP-initiated SLO (single logout), the binding (redirect or POST) used for all SPs is defined by the IDP. |
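The forceAuthn and AuthnRequest-flags rows above describe which request flags this IDP honours. The following added example (not Airlock IAM code) inspects an SP's AuthnRequest and reports which flags will take effect and which the IDP ignores; the sample request, its issuer URL and ID are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not a captured message) that sets all three flags.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    ForceAuthn="true" IsPassive="true">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""


def _xml_bool(value):
    # XML Schema booleans may be written "true"/"false" or "1"/"0"; absent means false.
    return value is not None and value.strip().lower() in ("true", "1")


def inspect_authn_request(xml_text):
    """Return which AuthnRequest flags the Loginapp REST API SAML IDP honours or ignores."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")

    force_authn = _xml_bool(root.get("ForceAuthn"))
    is_passive = _xml_bool(root.get("IsPassive"))
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    allow_create = _xml_bool(policy.get("AllowCreate")) if policy is not None else False

    # isPassive and allowCreate are ignored by this IDP, so an SP must not rely on them.
    ignored = [name for name, present in (("isPassive", is_passive),
                                          ("allowCreate", allow_create)) if present]
    return {
        "forceAuthn": force_authn,
        # forceAuthn ends any existing session and forces a full re-authentication.
        "terminate_existing_session": force_authn,
        "ignored_flags_present": ignored,
    }


if __name__ == "__main__":
    print(inspect_authn_request(SAMPLE_AUTHN_REQUEST))
```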