SAML SP URLs

The following table provides an overview of all relevant URLs when using Airlock IAM as a SAML service provider (SP).

The SAML SP endpoint URLs are new for IAM 7.7.

However, the old SAML endpoint URLs are still supported, so existing remote IDPs do not have to be reconfigured when migrating the SP from the JSP-Loginapp to the Loginapp REST UI.

SAML SP URLs

Note that the URLs depend on the SAML configuration, especially the configured metaAlias (which is iamSp in the templates provided in this documentation).

All URLs are specified relative to the Airlock IAM context path (e.g. https://iam.host.com/auth/).

Type     URL scheme                                          Meaning
-------  --------------------------------------------------  ----------------------------------
Browser  GET /saml2/sp/sso/init                              SP-initiated SSO
Browser  POST|GET /saml2/sp/sso/metaAlias/xyz
Browser  GET /saml2/sp/slo/init                              SP-initiated SLO
Browser  POST|GET /saml2/sp/slo/metaAlias/xyz
Browser  GET /saml2/sp/slo/continue                          Continue SSO after return from IDP
SPA      GET /ui/app/auth/saml2/sp/sso/init                  Proxy to call SP-initiated SSO
SPA      GET /ui/app/auth/logout                             Proxy to call SP-initiated SLO
SPA      GET /ui/app/error/message                           Error URL
REST     POST /rest/public/authentication/saml2/sp/sso/init  Continue AuthN Flow during SSO
REST     DELETE /rest/public/authentication

Make sure to use an up-to-date Airlock Gateway mapping template file (7.6 or newer) and activate the SAML allow rule.