On the OpenID Provider Info screen, administrators may define request parameters under Request Parameters for the following purposes:

  • Allow custom request parameters to be included in the authentication requests to support OP-specific use cases.
  • Define the default values for the request parameters.
  • Specify whether the default values (if any) can be overridden at runtime.
  • Allow the target application to request different scopes at runtime. (Note that the OP may reject the requested scopes based on its client configuration.)
  • Protect the requested authentication context (acr_values), the authentication requirement (prompt), or both so that neither can be overridden at runtime by the application endpoint parameters (RequestedAuthnCtx, IsPassive, and ForceAuthn).

Follow these steps to define one or more request parameters:

  1. Add a request parameter under Name.
  2. Define a default parameter value under Value.
    Optional if the target application is allowed to override the parameter value at runtime. When no default value is specified, any value provided by the target application is accepted by the /sp/startSSO.ping SP application endpoint. If the target application does not provide the parameter in its SSO URL (and no default value is specified), the parameter is not included in the authentication requests.

    Required if the target application is not allowed to override the parameter value at runtime.

    When specified, the request parameter is always included in the authentication requests. If the target application is not allowed to override the parameter value at runtime, the default value is sent.

  3. Select the check box under Application Endpoint Override if the target application is allowed to override the parameter value at runtime.

    If the target application does not provide the parameter in its SSO URL and the configuration does not include a default value, the parameter is not included in the authentication requests.

    If the target application does not provide the parameter in its SSO URL, the default value (if any) is used.

    If the target application provides the parameter in its SSO URL to the /sp/startSSO.ping SP application endpoint, the value in the SSO URL is used.

    Note that the /sp/init_login.ping SP protocol endpoint does not accept overridden values. (The login_hint parameter is the only exception.) The default value (if any) is used. See the note at the end for more information.

  4. Click Add.
    Use the Edit, Update, and Cancel workflow to make or undo a change. Use the Delete and Undelete workflow to remove an entry or cancel the removal request.
  5. Repeat these steps to define additional request parameters.

Consider the following sample configuration:

Request Parameters
  • The hd parameter is defined with a default value that cannot be overridden at runtime. The parameter is always included in the authentication requests and the value is always example.org.
  • The customMultiValued parameter is defined with two default values that cannot be overridden at runtime. This multivalued parameter is always included in the authentication requests. The values are always as defined.
  • The customOverridableOne parameter is defined with a default value that can be overridden at runtime. This parameter is always included in the authentication requests. If the target application provides the parameter in its SSO URL, the value in the SSO URL is used. If the target application does not provide the parameter in its SSO URL, the default value is used.

    To override the value, configure the target application to append the request parameter and the desired value to the SSO Application Endpoint, as shown on the Summary & Activation screen; for example:

    https://sso.example.com/sp/startSSO.ping?PartnerIdpId=https%3A%2F%2Fsso.alpha.local%3A9031&customOverridableOne=foo

    To construct a multivalued request parameter, append the request parameter multiple times with different values; for example:

    https://sso.example.com/sp/startSSO.ping?PartnerIdpId=https%3A%2F%2Fsso.alpha.local%3A9031&customOverridableOne=foo&customOverridableOne=bar

    (https%3A%2F%2Fsso.alpha.local%3A9031 is the URL-encoded value of https://sso.alpha.local:9031, the issuer value of the OP.)

  • The customOverridableTwo parameter is defined without a default value; therefore, any value provided by the target application in the SSO URL is accepted. To include this parameter in the authentication requests to the OP, configure the target application to append the request parameter and the desired value to the SSO Application Endpoint.

    To construct a multivalued request parameter, append the parameter multiple times with different values.

    If the target application does not provide the parameter in its SSO URL, the parameter is not included in the authentication requests.

  • The scope (standard) parameter is defined with a value matching that of the Scopes field (on the same screen) and with the option to allow the target application to override the value at runtime. In essence, the target application is allowed to dynamically change the scope it requires at runtime by appending the scope parameter and the desired scopes to the SSO Application Endpoint.

    Note that while the target application can request different scopes, the OP may reject the requested scopes based on its client configuration. Work with the OP to understand which scopes are applicable to your use case to prevent runtime errors.

  • The acr_values (standard) parameter is defined with a default value that cannot be overridden at runtime. As a result, the RequestedAuthnCtx parameter (if supplied in the SSO URL by the target application) is ignored. In the authentication requests, the value of the acr_values parameter is always set to the default value specified in the configuration. Define the acr_values parameter if you want to protect the requested authentication context from the target application.
  • The prompt (standard) parameter is defined with a default value of login that cannot be overridden at runtime. As a result, the target application will not be able to suppress the reauthentication requirement by including IsPassive=true in the SSO URL. In the authentication requests, the value of the prompt parameter is always set to login.

    Similarly, if the prompt parameter is defined with a default value of none that cannot be overridden at runtime, the target application will not be able to request the end users to reauthenticate by including ForceAuthn=true in the SSO URL. In the authentication requests, the value of the prompt parameter is always set to none.
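The following Python is an added example, not PingFederate's own code, that models the resolution rules from steps 2 and 3 above and replays the sample configuration: a default value with Application Endpoint Override cleared is always sent, an overridable parameter takes the SSO URL value when present and the default otherwise, a parameter with no default and no SSO URL value is omitted, and a protected acr_values or prompt causes RequestedAuthnCtx, IsPassive, and ForceAuthn to be ignored. The data layout, function names, the concrete values for customMultiValued and acr_values, and the mapping of the endpoint parameters onto acr_values/prompt when no protecting parameter is configured are assumptions made for illustration.

```python
"""Model of Request Parameters resolution for /sp/startSSO.ping (added example).

Parameter names and the protection behaviour follow the documentation above;
everything else (types, helper names, sample values) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class RequestParameter:
    name: str
    values: List[str] = field(default_factory=list)  # default values, may be empty
    app_override: bool = False                       # Application Endpoint Override box


# Sample configuration described on the page. The values marked "constructed"
# are not given on the page and are placeholders.
SAMPLE_CONFIG = [
    RequestParameter("hd", ["example.org"]),
    RequestParameter("customMultiValued", ["valueA", "valueB"]),        # constructed
    RequestParameter("customOverridableOne", ["default-one"], True),    # constructed
    RequestParameter("customOverridableTwo", [], True),
    RequestParameter("scope", ["openid profile"], True),                # constructed
    RequestParameter("acr_values", ["urn:example:acr:mfa"]),            # constructed
    RequestParameter("prompt", ["login"]),
]

SSO_ENDPOINT = "https://sso.example.com/sp/startSSO.ping"
OP_ISSUER = "https://sso.alpha.local:9031"

# Application endpoint parameter -> (OIDC request parameter, value it would set).
# None means "pass the supplied value through". Assumed mapping, used only when
# the OIDC parameter is not protected by a non-overridable default.
ENDPOINT_PARAM_MAP = {
    "RequestedAuthnCtx": ("acr_values", None),
    "IsPassive": ("prompt", "none"),
    "ForceAuthn": ("prompt", "login"),
}


def build_sso_url(params: List[Tuple[str, str]]) -> str:
    """Build the SSO URL the target application would open; repeating a name
    produces a multivalued parameter. urlencode URL-encodes the issuer."""
    return SSO_ENDPOINT + "?" + urlencode([("PartnerIdpId", OP_ISSUER)] + params)


def resolve_request_parameters(
    config: List[RequestParameter], sso_url: str
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (parameters sent in the authentication request, ignored endpoint parameters)."""
    app_params = parse_qs(urlsplit(sso_url).query)
    by_name = {p.name: p for p in config}
    out: Dict[str, List[str]] = {}
    ignored: List[str] = []

    for p in config:
        if p.app_override and p.name in app_params:
            out[p.name] = list(app_params[p.name])   # SSO URL value(s) win
        elif p.values:
            out[p.name] = list(p.values)             # default value is sent
        # else: no default and nothing supplied -> parameter omitted

    for ep_name, (oidc_name, fixed) in ENDPOINT_PARAM_MAP.items():
        if ep_name not in app_params:
            continue
        supplied = app_params[ep_name][0]
        if fixed is not None and supplied.lower() != "true":
            continue                                 # IsPassive/ForceAuthn=false: no effect
        cfg = by_name.get(oidc_name)
        if cfg is not None and cfg.values and not cfg.app_override:
            ignored.append(ep_name)                  # protected by a fixed default
            continue
        out[oidc_name] = [supplied if fixed is None else fixed]

    return out, ignored


if __name__ == "__main__":
    url = build_sso_url([
        ("customOverridableOne", "foo"), ("customOverridableOne", "bar"),
        ("customOverridableTwo", "baz"), ("hd", "attacker.example"),
        ("RequestedAuthnCtx", "urn:example:acr:pwd"), ("IsPassive", "true"),
    ])
    sent, dropped = resolve_request_parameters(SAMPLE_CONFIG, url)
    print(url)
    for name, values in sent.items():
        print(f"  {name} = {values}")
    print("ignored endpoint parameters:", dropped)
```

Running the block shows that hd, acr_values, and prompt keep their configured values no matter what the SSO URL carries, while customOverridableOne and customOverridableTwo take the URL values; drop a parameter from the URL and the omission rule for customOverridableTwo is visible in the output.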

Note:

These examples use the /sp/startSSO.ping SP application endpoint. As needed, you may also use the /sp/init_login.ping SP protocol endpoint to invoke the Third Party Initiated Login flow. For more information, see View SP protocol endpoints.

Important:


For information about URL encoding, please refer to third party resources, such as HTML URL-encoding Reference (www.w3schools.com/tags/ref_urlencode.asp).