Configure IdPs and SPs with journeys
After you’ve set up the entity providers, you can tailor the SAML 2.0 flow to your business needs by configuring the provider settings.
Redirect to a journey on the hosted SP
For IdP-initiated SSO in integrated mode, you must configure the hosted SP to send the user to an authentication journey after validating the SAML 2.0 assertion from the IdP. This lets you validate the IdP and perform SAML 2.0 authentication on the SP side.
You can also define additional actions the user must fulfill, such as performing multi-factor authentication (MFA) or checking organizational details before accessing the SAML 2.0 application.
Include a Scripted Decision node in the journey and query the samlApplication binding to access the assertion and response details, which you can then use to validate the IdP.
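The decision logic such a Scripted Decision node can apply, as an added example that is not part of this documentation and not the product's own script. The page states that the samlApplication binding exposes the assertion and response details but does not show its accessor names, so the script below works on a plain `details` object whose shape is an assumption; map the real binding onto that shape in the node. The entity IDs are placeholders, and the sample assertion details are constructed. The script yields three outcomes, `true`, `mfa` and `false`, so the journey can reject untrusted assertions and route password-only logins to MFA nodes, as the text above suggests.

```javascript
// Added example (not from the product documentation): decision logic for a
// Scripted Decision node in the hosted SP's redirect journey. The `details`
// shape below is an ASSUMPTION standing in for what the samlApplication
// binding returns; adapt the extraction to the binding's real accessors.

// Placeholder entity IDs for the trusted IdP(s) and this hosted SP.
const TRUSTED_ISSUERS = new Set(["https://idp.example.com/saml2/idp"]);
const SP_ENTITY_ID = "https://sp.example.com/saml2/sp";
const CLOCK_SKEW_MS = 60 * 1000; // tolerated clock drift between IdP and SP

// AuthnContext classes (SAML 2.0 AuthnContext spec) that this SP accepts
// without an additional MFA step; anything else triggers the "mfa" outcome.
const STRONG_AUTHN_CONTEXTS = new Set([
  "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
  "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
]);

/**
 * details (assumed shape):
 *   issuer               - value of <saml:Issuer>
 *   audiences            - array of <saml:Audience> values
 *   notBefore            - Conditions/@NotBefore (ISO 8601) or null
 *   notOnOrAfter         - Conditions/@NotOnOrAfter (ISO 8601) or null
 *   authnContextClassRef - <saml:AuthnContextClassRef> or null
 * Returns { outcome, reason }; outcome is one of the node's outcomes:
 * "true" (accept), "mfa" (accept but step up), "false" (reject).
 */
function decideSamlOutcome(details, nowMs = Date.now()) {
  if (!details || typeof details.issuer !== "string") {
    return { outcome: "false", reason: "missing issuer" };
  }
  // The assertion must come from an IdP this SP has chosen to trust.
  if (!TRUSTED_ISSUERS.has(details.issuer)) {
    return { outcome: "false", reason: "untrusted issuer " + details.issuer };
  }
  // An assertion minted for another SP must not be accepted here.
  const audiences = Array.isArray(details.audiences) ? details.audiences : [];
  if (!audiences.includes(SP_ENTITY_ID)) {
    return { outcome: "false", reason: "audience does not include this SP" };
  }
  // Enforce the validity window, allowing a small skew in both directions.
  if (details.notBefore) {
    const nb = Date.parse(details.notBefore);
    if (Number.isNaN(nb) || nowMs + CLOCK_SKEW_MS < nb) {
      return { outcome: "false", reason: "assertion not yet valid" };
    }
  }
  if (details.notOnOrAfter) {
    const noa = Date.parse(details.notOnOrAfter);
    if (Number.isNaN(noa) || nowMs - CLOCK_SKEW_MS >= noa) {
      return { outcome: "false", reason: "assertion expired" };
    }
  }
  // Decide whether the IdP's authentication is strong enough on its own.
  if (!STRONG_AUTHN_CONTEXTS.has(details.authnContextClassRef)) {
    return { outcome: "mfa", reason: "step-up required" };
  }
  return { outcome: "true", reason: "ok" };
}

// Constructed sample standing in for the details read from the binding.
const SAMPLE_DETAILS = {
  issuer: "https://idp.example.com/saml2/idp",
  audiences: ["https://sp.example.com/saml2/sp"],
  notBefore: "2024-01-01T10:00:00Z",
  notOnOrAfter: "2024-01-01T10:05:00Z",
  authnContextClassRef:
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
};

// In the node script, assign the result to the script's outcome variable,
// e.g. outcome = decideSamlOutcome(details).outcome, and wire the "mfa"
// outcome to your MFA nodes and "false" to a failure node.
```

The issuer and audience checks are the ones that actually establish which IdP the assertion came from and that it was meant for this SP; the time-window check limits replay of captured assertions, and the clock-skew constant keeps legitimate logins from failing on minor drift between the two systems.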
If a local authentication URL is configured, it takes precedence, but Advanced Identity Cloud doesn’t validate that the specified journey exists on the hosted SP.
If you haven’t configured a journey in either setting, an IdP-initiated SSO SAML flow results in an invalid request error.
For SP-initiated SSO, the flow continues in the originating journey, ignoring any redirect journey configured on the hosted SP.
To configure a redirect journey:
- Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > hosted SP.
- Under Assertion Processing > Redirect Tree, select the name of your authentication journey from the Redirect Tree Name list. Learn about the Redirect Tree Name property in the hosted SP configuration.
- Save your changes.
You can’t delete a journey if it’s set as the redirect journey in the hosted SP.
Configure a SAML 2.0 application journey for a remote SP
Configure the remote SP so that a specific authentication journey is always run for users authenticating with your SAML 2.0 app. The federation flow invokes the associated journey, ignoring any existing sessions or authentication context requirements.
To configure a SAML 2.0 app journey, enable the option to Use a journey to authenticate users to this application when you set up single sign-on.
When you configure an app journey, the processing of the SAML 2.0 request depends on the authentication context requested by the SP. The following table shows the SAML response for each comparison type and the requested authentication context.
| Authentication context | Comparison type | Response |
|---|---|---|
| SP requested authn context | | Requested authn context included |
| SP requested authn context | | |
| SP doesn’t request authn context | - | |
| IDP-initiated (no requested authn context) | - | |