The Intersite Transfer Service is used by an identity provider to provide authentication to occur at a service provider that it trusts. URLs for accessing the Intersite Transfer Service differ for each supported protocol (Liberty, SAML 1.1, and SAML 2.0). The Access Manager identity and service provider components use the following format of the Intersite Transfer Service URL:
<identity provider URL>?PID=<entityID>&TARGET=<final_destination_URL>
The <identity provider URL> is the location where the authentication request can be processed. For an Identity Server, the URL is the Base URL of the server that provides authentication, followed by the path to the protocol application being used for federation.
For example:
SAML 1.1: https://idp.sitea.novell.com:8443/nidp/saml/idpsend
SAML 2.0: https://idp.sitea.novell.com:8443/nidp/saml2/idpsend
Liberty: https://idp.sitea.novell.com:8443/nidp/idff/idpsend
If a third-party server provides the authentication, see the documentation for the format of this URL.
The <entityID> is the URL to the location of the metadata of the service provider. The scheme (http or https) in the <entityID> must match what is configured for the <identity provider URL>.
For SAML 1.1 and SAML 2.0, search the metadata for its entityID value. For Liberty, search the metadata for the providerID value. Access Manager Identity Servers acting as service providers have the following types of values:
SAML 1.1: https://idp.siteb.novell.com:8443/nidp/saml/metadata
SAML 2.0: https://idp.siteb.novell.com:8443/nidp/saml2/metadata
Liberty: https://idp.siteb.novell.com:8443/nidp/idff/metadata
If you are setting up federations with a third-party service provider, refer the documentation for the URL or location of its metadata.
The <final_destination_URL> is the URL to which the browser is redirected following a successful authentication at the identity provider. If this target URL contains parameters (for example, TARGET=https://login.provo.novell.com:8443/nidp/app?function_id=22166& amp;Resp_Id=55321 &Resp_App_Id=810&security_id=0), the URL must be encoded to prevent it from being truncated.
For example:
SAML 1.1: https://idp.sitea.novell.com:8443/nidp/saml/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml/metadata&TARGET=https://eng.provo.novell.com/saml1/myapp
SAML 2.0: https://idp.sitea.novell.com:8443/nidp/saml2/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml2/metadata&TARGET=https://eng.provo.novell.com/saml2/myapp
Liberty: https://idp.sitea.novell.com:8443/nidp/idff/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/idff/metadata&TARGET=https://eng.provo.novell.com/liberty/myapp
For more information, see Configuring an Intersite Transfer Service Target for a Service Provider.
If you configure an Intersite Transfer Service URL for an Identity Server that is the Access Manager Identity Server and the service provider is either another Identity Server or a third-party server, you can simplify the Intersite Transfer Service URL to the following format:
<identity provider URL>?id=<user_definedID>
For example:
SAML 2.0: https://test.blr.novell.com:8443/nidp/saml2/idpsend?id=testsaml2&TARGET=https://eng.provo.novell.com
SAML 1.1: https://testsb.blr.novell.com:8443/nidp/saml/idpsend?id=testsaml&TARGET=https://eng.provo.novell.com
Liberty: https://testsb.blr.novell.com:8443/nidp/idff/idpsend?id=libertytest&TARGET=https://eng.provo.novell.com
If the Allow any target option is enabled and if the Intersite Transfer Service URL has a target value, then the user is redirected to target URL.
The Intersite Transfer Service URL for SAML 2.0 will be https://testsb.blr.novell.com:8443/nidp/saml2/idpsend?id=testsaml2&TARGET=http://www.google.com where http://www.google.com is the target URL.
NOTE:Depending on the usage, the target parameter serves different purpose. It is case-sensitive.
target: Specifies the idpsend URL with a contract id.
TARGET: Specifies URL of the final destination.
Use case: If authentication with a particular contract is enabled in Intersite URL, you are redirected to the default target URL. Use the following format: http(s)://<$idp_host_name>/nidp/app?id=<$contract_to_be_executed>&target=http(s)://<$idp_host_name>/nidp/saml2/idpsend?id=<$saml_sp_identifier>.
For more information, see How to access an Identity Server Intersite Transfer URL with a specific contract.
NOTE:The contract_to_be_executed is executed by Identity Server and is case sensitive.
For example, https://www.idp.com:8443/nidp/app?id=npbasic&target=https://www.idp.com:8443/nidp/saml2/idpsend?id=serviceprovider1.
In the above example, identity provider authentication is done with the contract id npbasic. You are now redirected to the service provider by using the saml_sp_identifier id (serviceprovider1). After authentication (if configured with persistent federation), the page redirects you to the available default target, or to the nidp login page of the service provider.
For configuration and ID information, see Configuring an Intersite Transfer Service Target for a Service Provider.
In the Intersite Transfer Service URL, id can be used for the following purposes:
To simplify the intersite URL.<identity provider URL>?id=<user_definedID>
To execute a particular contract in Identity Server login service with intersite URL.
http(s)://<$idp_host_name>/nidp/app?id=<$contract_to_be_executed>&target=http(s)://<$idp_host_name>/nidp/saml2/idpsend?id=<$saml_sp_identifier>