SAML SP URLs

The following table provides an overview of all relevant URLs when using Airlock IAM as a SAML service provider (SP).

The SAML SP endpoint URLs listed here were introduced with IAM 7.7.

The old SAML endpoint URLs (IAM versions before 7.7) are still supported, so that existing remote IdPs that still send messages to them do not have to be reconfigured.

SAML SP-related URLs

Note that most of the following URLs depend on the SAML configuration; the exceptions are the URLs marked for internal use and the Loginapp UI standard URLs.

  • For URLs containing metaAlias, the alias is a placeholder (xyz in the table below, iamSp in other examples in this online help) and must be replaced with the alias actually configured for the SP.
  • All URLs are specified relative to the Airlock IAM context path, e.g., https://iam.host.com/auth/, so /saml2/sp/sso/metaAlias/xyz becomes https://iam.host.com/auth/saml2/sp/sso/metaAlias/xyz.

Type / HTTP method / URL / Meaning

Browser

  POST|GET   /saml2/sp/sso/metaAlias/xyz
             Assertion consumer service endpoint: consumes SSO messages (the IdP's SAML responses) received via the HTTP-Redirect or HTTP-POST binding, as published in the AssertionConsumerService element of the SP's XML metadata.

  POST|GET   /SPAcs/[metaAlias/xyz]
             Legacy URL for the same assertion consumer service endpoint; do not use for new setups.

  POST|GET   /saml2/sp/slo/metaAlias/xyz
             Single logout endpoint: consumes SLO messages (logout requests and responses from the IdP) received via the HTTP-Redirect or HTTP-POST binding, as published in the SingleLogoutService element of the SP's XML metadata.

  POST|GET   /SPSloResponder/metaAlias/xyz
             Legacy URL for the same single logout endpoint; do not use for new setups.

  GET        /saml2/sp/sso/init
             Internal URL. Used when an authentication flow initiates SP-initiated SSO, to redirect or POST the browser to the IdP.

  GET        /saml2/sp/slo/init
             Internal URL. Used when an authentication flow initiates SP-initiated SLO, to redirect or POST the browser to the IdP.

  GET        /saml2/sp/slo/continue
             Internal URL. Used during single logout to redirect or POST the browser back to the IdP.

IAM Loginapp UI

  GET        /ui/app/auth/logout
             Standard Loginapp UI logout URL. Starts a logout, e.g., on the SP. Depending on the SAML SP configuration, this results in either a local logout only or a single logout.

  GET        /ui/app/error/message
             Standard Loginapp error URL. Displays Loginapp UI error messages.

  GET        /ui/app/auth/saml2/sp/sso/init
             Internal URL. Starts an authentication flow in the UI after an SSO request has been received from the IdP.

REST

  POST       /rest/public/authentication/saml2/sp/sso/init
             Endpoint that processes a received SSO request or response from the IdP within the authentication flow.

  DELETE     /rest/public/authentication
             Standard REST logout URL. Depending on the SAML SP configuration, this results in either a local logout only or a single logout.

The documented legacy URLs are still supported by the Loginapp UI and correspond to the URLs used in Airlock IAM 7.6 and older.

Use them only if existing remote IdPs still send messages to these URLs and you do not want to change the IdP-side configuration; new setups should publish and use the /saml2/sp/... URLs.

Make sure to use an up-to-date Airlock Gateway mapping template file (from IAM 8.0 or newer) and activate the SAML allow rule, so that requests to these SAML endpoints are allowed through the Gateway.
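The following is an added example, not code from Airlock IAM or this help page. It derives the absolute SSO (ACS) and SLO endpoint URLs for a given IAM context path and metaAlias as described above, then checks the AssertionConsumerService and SingleLogoutService entries of an SP metadata document against them, flagging entries that still point at the legacy /SPAcs or /SPSloResponder paths. The function names, the sample metadata XML and the host iam.host.com are assumptions made for the example.

```python
"""Added example (not part of Airlock IAM): derive the IAM SAML SP endpoint
URLs for a context path and metaAlias, and check SP metadata against them.
Function names, the sample metadata and the host iam.host.com are assumed."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Endpoint paths from the URL table, relative to the IAM context path.
SSO_PATH = "saml2/sp/sso/metaAlias/{alias}"
SLO_PATH = "saml2/sp/slo/metaAlias/{alias}"
# Legacy paths (IAM 7.6 and older) that new setups should not publish.
LEGACY_PREFIXES = ("SPAcs", "SPSloResponder")

# Constructed sample SP metadata: the ACS already uses the current URL,
# the SLO entry still points at the legacy responder URL.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:sp">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://iam.host.com/auth/SPSloResponder/metaAlias/iamSp"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://iam.host.com/auth/saml2/sp/sso/metaAlias/iamSp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _context(context_url):
    """Normalize the IAM context path to end with a slash (e.g. .../auth/)."""
    return context_url if context_url.endswith("/") else context_url + "/"


def sp_endpoint_urls(context_url, alias):
    """Return the absolute SSO (ACS) and SLO endpoint URLs for an SP alias."""
    base = _context(context_url)
    return {
        "sso": urljoin(base, SSO_PATH.format(alias=alias)),
        "slo": urljoin(base, SLO_PATH.format(alias=alias)),
    }


def check_sp_metadata(metadata_xml, context_url, alias):
    """Compare the ACS/SLO Locations in SP metadata with the expected URLs.

    Returns a list of findings; an empty list means every published
    endpoint uses the current (non-legacy) URL for this alias.
    """
    base = _context(context_url)
    ctx_path = urlparse(base).path
    expected = sp_endpoint_urls(base, alias)
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        return ["no SPSSODescriptor in metadata"]

    findings = []
    checks = (
        ("AssertionConsumerService", expected["sso"]),
        ("SingleLogoutService", expected["slo"]),
    )
    for name, want in checks:
        elems = sp.findall(f"md:{name}", MD_NS)
        if not elems:
            findings.append(f"{name} missing")
        for el in elems:
            loc = el.get("Location", "")
            binding = el.get("Binding", "")
            loc_path = urlparse(loc).path
            # Path relative to the IAM context, as the URL table lists it.
            rel = loc_path[len(ctx_path):] if loc_path.startswith(ctx_path) else None
            if rel is None:
                findings.append(f"{name} Location {loc} is outside context path {base}")
            elif rel.startswith(LEGACY_PREFIXES):
                findings.append(f"{name} uses legacy URL {loc}")
            elif loc != want:
                findings.append(f"{name} Location {loc} != expected {want}")
            # Both endpoints accept POST|GET, i.e. HTTP-POST and HTTP-Redirect.
            if binding not in (BINDING_POST, BINDING_REDIRECT):
                findings.append(f"{name} has unexpected binding {binding}")
    return findings


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_SP_METADATA, "https://iam.host.com/auth/", "iamSp"):
        print(line)
```

Run against metadata exported for the SP (or against the IdP's copy of it) after an upgrade to spot IdP configurations that still target the legacy URLs; once all remote IdPs report no findings, the legacy URLs no longer need to be reachable.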