This article is the one-stop guide to SAML v1.1 support in Project PicketLink. The main JIRA issue for this work is https://issues.jboss.org/browse/PLFED-189
Information on SAML v1.1
SAML v1.1 support in PicketLink covers the IDP-first scenario, unlike SAML v2.0, which covers SP-first scenarios.
A Walk Through
- User accesses the IDP.
- The IDP, seeing neither a SAML v2 request nor a SAML v2 response, assumes an "IDP first scenario" using SAML v1.1.
- The IDP challenges the user to authenticate.
- Upon authentication, the IDP shows its hosted section: a page that links to all the service provider applications.
- The user chooses a SP application.
- The IDP redirects the user to the chosen service provider with a SAML v1.1 assertion in the SAMLResponse query parameter.
- The Service Provider checks the SAML v1.1 assertion and provides access.
Service Provider Support for SAML v1.1
Since the user goes to the IDP first and is then redirected back to a Service Provider via the TARGET query parameter, web apps using PicketLink can get SAML v1.1-specific behavior by using SAML11SPRedirectFormAuthenticator (https://issues.jboss.org/browse/PLFED-200).
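As an added example (not PicketLink's own code), the Service Provider side of the IDP-first flow in Python: decode the SAMLResponse query parameter, enforce the assertion's validity window and audience, and accept the TARGET parameter only when it names a registered application path. The sample assertion, the audience URL https://sp.example.com/sales/ and the application list are constructed; XML signature verification is assumed to have happened upstream and is not shown.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

A = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # SAML 1.1 assertion namespace in ElementTree form

def parse_time(s):  # SAML 1.1 dateTime is UTC, e.g. 2012-05-01T10:00:00Z; a missing bound ("") raises
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_target(target, allowed_apps):
    """TARGET must be the site-relative path of a registered SP app, never an absolute or protocol-relative URL."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or target.startswith("//") or parts.path not in allowed_apps:
        raise ValueError("TARGET is not a registered application path: %r" % target)
    return target

def check_assertion(saml_response_b64, expected_audience, now):
    """Enforce the assertion's Conditions and return the subject; XML signature verification assumed done upstream (not shown)."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml:  # never hand a DTD to the parser
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(xml)
    cond = root.find(f"{A}Assertion/{A}Conditions")
    if cond is None:
        raise ValueError("no SAML 1.1 assertion with Conditions in the Response")
    if not parse_time(cond.get("NotBefore", "")) <= now < parse_time(cond.get("NotOnOrAfter", "")):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in {a.text for a in cond.iter(A + "Audience")}:
        raise ValueError("assertion not addressed to this SP")
    subject = root.findtext(f"{A}Assertion/{A}AuthenticationStatement/{A}Subject/{A}NameIdentifier")
    if not subject:
        raise ValueError("no authenticated subject")
    return subject

def handle_idp_redirect(query_string, expected_audience, allowed_apps, now):
    """SP entry point for the IDP-first redirect; returns (subject, target) or raises ValueError."""
    q = parse_qs(query_string, strict_parsing=True)
    subject = check_assertion(q["SAMLResponse"][0], expected_audience, now)
    return subject, validate_target(q["TARGET"][0], allowed_apps)

# Constructed, unsigned sample of what the IDP places in SAMLResponse (not real PicketLink output).
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">
 <saml:Assertion MajorVersion="1" MinorVersion="1" Issuer="idp.example.com"><saml:Conditions
  NotBefore="2012-05-01T10:00:00Z" NotOnOrAfter="2012-05-01T10:05:00Z"><saml:AudienceRestrictionCondition>
  <saml:Audience>https://sp.example.com/sales/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AuthenticationStatement><saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement></saml:Assertion></samlp:Response>"""
SAMPLE_QUERY = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML).decode(), "TARGET": "/sales/"})
```

Calling handle_idp_redirect(SAMPLE_QUERY, "https://sp.example.com/sales/", {"/sales/"}, parse_time("2012-05-01T10:02:00Z")) returns ("alice", "/sales/"); an expired assertion, a foreign audience or an absolute TARGET raises ValueError.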