Version 4

    This article will be the one stop guide for the SAML v1.1 support in Project PicketLink. The main jira issue for this is

    Information on SAML v1.1


    SAML v1.1 support basically involves the IDP first scenario, unlike SAML v2.0 which involves the SP first scenarios.

    A Walk Through

    1. User accesses the IDP.
    2. The IDP seeing that there is neither SAML v2 request nor response, assumes a "IDP first scenario" using SAML v1.1
    3. The IDP challenges the user to authenticate.
    4. Upon authentication, the IDP shows the hosted section where you are displayed a page that links to all the service provider applications.
    5. The user chooses a SP application.
    6. The IDP redirects the user to the service provider with a SAML v1.1 assertion in the query parameter, SAMLResponse
    7. The Service Provider checks the SAML v1.1 assertion and provides access.


    Service Provider Support for SAML v1.1

    Since the user goes to the IDP first and then redirected back to a Service Provider via the TARGET query parameter,  you can obtain SAMLv1.1 specific behavior for web apps utilizing PicketLink by using SAML11SPRedirectFormAuthenticator (


    Picketlink v2 Builds