Adding parameter to redirect request to IdP

Hello,
I need to connect my web app to a SiteMinder IdP.
My client told me that I have to add a parameter he needs in the initial redirect.

instead of this
https://idp-site/affwebservices/public/saml2sso

I have to use
https://idp-site/affwebservices/public/saml2sso?SPID=https://server.test.net.intra/fatca

Adding this SPID value.

Now, to start the authentication process I use

SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);

What do I have to do now to add the SPID value?

thank you
Fabio

Hi Fabio,

If the SPID query string value doesn’t change, this can be included in the SSO service URL in your SAML configuration.

For example:

<PartnerIdentityProvider 
    Name="https://idp-site"
    SingleSignOnServiceUrl="https://idp-site/affwebservices/public/saml2sso?SPID=https://s02v09939634.fr.net.intra/fatca">
    <PartnerCertificates>
    <Certificate FileName="Certificates\siteminder.cer"/>
    </PartnerCertificates>
</PartnerIdentityProvider>

However, if the SPID query string value does change or it’s not known beforehand, you can specify the SSO service URL using the following SAMLServiceProvider.InitiateSSO overload.

/// <summary>
/// Initiates single sign-on from the service provider to the identity provider (ie. SP-initiated SSO).
/// <para>
/// An authn request is sent to the identity provider.
/// </para>
/// </summary>
/// <param name="httpResponse">The HTTP response.</param>
/// <param name="relayState">The relay state or <c>null</c> if none.</param>
/// <param name="partnerIdP">The partner identity provider name or <c>null</c>.</param>
/// <param name="ssoOptions">The SSO options or <c>null</c>.</param>
/// <param name="assertionConsumerServiceUrl">The assertion consumer service URL or <c>null</c> if the configured URL is to be used.</param>
/// <param name="singleSignOnServiceUrl">The single sign-on service URL or <c>null</c> if the configured URL is to be used.</param>
/// <exception cref="SAMLException">
/// Thrown when the single sign-on fails.
/// </exception>
public static void InitiateSSO(HttpResponse httpResponse, string relayState, string partnerIdP, SSOOptions ssoOptions, string assertionConsumerServiceUrl, string singleSignOnServiceUrl)

If the singleSignOnServiceUrl parameter is specified, this is used instead of the configured URL.

For example:

SAMLServiceProvider.InitiateSSO(
    httpResponse, 
    returnUrl, 
    partnerIdP, 
    null, 
    null, 
    "https://idp-site/affwebservices/public/saml2sso?SPID=https://s02v09939634.fr.net.intra/fatca");

Thank you, I’ll try the overloaded method asap.

I’ll let you know.

Thank you
Fabio

Hi,
While waiting for the client to continue this development, I made some tests using your ExampleIdentityProvider.

I made changes to my code

if (!string.IsNullOrEmpty(config.AdditionalInitialAuthnReqRedirectParams))
{
    // Get the Identity Provider's Single Sign-On service URL
    var SSOServiceUrl = SAMLController.Configuration.PartnerIdentityProviderConfigurations[0]?.SingleSignOnServiceUrl;

    // Start Single Sign-On, including the additional parameters in the request
    SAMLServiceProvider.InitiateSSO(
        Response,
        returnUrl,
        partnerIdP,
        null,
        null,
        SSOServiceUrl + "?" + config.AdditionalInitialAuthnReqRedirectParams
    );
}
else
{
    // Start Single Sign-On without additional parameters
    SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP);
}

I retrieve the SSOServiceUrl from the only IdP I have for testing and I concatenate the value SPID, like this:

https://saml-idp.westeurope-01.azurewebsites.net/SAML/SSOService.aspx?SPID=https://localhost:44391/

but I always get this message

The return URL specified for request redirection is invalid.

Is there something wrong I’m doing?

Thank you
Fabio

Hi Fabio,

FormsAuthentication.RedirectToLoginPage doesn’t like the fact the query string parameter isn’t URL-encoded.

The code should be something like:

SAMLServiceProvider.InitiateSSO(
    Response,
    returnUrl,
    partnerIdP,
    null,
    null,
    SSOServiceUrl + "?SPID=" + HttpUtility.UrlEncode("https://localhost:44391/")
);
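The two answers above both come down to building a correct singleSignOnServiceUrl for the InitiateSSO overload: the SPID value has to be percent-encoded, and the configured URL may or may not already carry a query string. The helper below is an added example written for this thread; it is not ComponentSpace code and not code from the original posts. It assumes only System.Web's HttpUtility (System.Web.dll on .NET Framework, built in on .NET Core 3+/.NET 5+); the class and method names, the `tenant=test` query string and the SPID value are constructed for the demonstration. It goes slightly beyond the thread by also handling a configured URL that already has a query (appending with `&` instead of a second `?`) and by refusing to build a redirect target that is not an absolute https URL taken from configuration. The ComponentSpace call itself appears only in a comment, so the file compiles without the library reference.

```csharp
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility

// Added helper (not part of ComponentSpace): builds the singleSignOnServiceUrl argument
// for SAMLServiceProvider.InitiateSSO from the configured SSO URL plus extra parameters.
public static class SsoServiceUrlBuilder
{
    public static string WithQueryParameters(string configuredSsoUrl, IDictionary<string, string> extraParameters)
    {
        // The redirect target must come from SAML configuration, never from the request,
        // and must be an absolute https URL; anything else is rejected up front.
        if (!Uri.TryCreate(configuredSsoUrl, UriKind.Absolute, out Uri ssoUri)
            || ssoUri.Scheme != Uri.UriSchemeHttps)
        {
            throw new ArgumentException("Configured SSO service URL must be an absolute https URL.", nameof(configuredSsoUrl));
        }

        var builder = new UriBuilder(ssoUri);

        // ParseQueryString tolerates the leading '?' and returns a collection whose ToString()
        // re-emits every value percent-encoded, so "https://..." becomes "https%3a%2f%2f...",
        // and an existing query string is extended with '&' rather than a second '?'.
        var query = HttpUtility.ParseQueryString(builder.Query);
        foreach (KeyValuePair<string, string> parameter in extraParameters)
        {
            query[parameter.Key] = parameter.Value;
        }

        // Assign without a leading '?': both .NET Framework and .NET Core add it themselves.
        builder.Query = query.ToString();
        return builder.Uri.AbsoluteUri;
    }

    // Reads one parameter back out of a URL, decoded; used below to check the round trip.
    public static string ReadQueryParameter(string url, string name)
    {
        return HttpUtility.ParseQueryString(new Uri(url).Query)[name];
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, matching the thread's test setup.
        const string spId = "https://localhost:44391/";
        var extra = new Dictionary<string, string> { ["SPID"] = spId };

        // Case 1: configured URL has no query string -> '?' is added.
        string plain = SsoServiceUrlBuilder.WithQueryParameters(
            "https://saml-idp.westeurope-01.azurewebsites.net/SAML/SSOService.aspx", extra);

        // Case 2: configured URL already carries a (constructed) query string -> '&' is used.
        string extended = SsoServiceUrlBuilder.WithQueryParameters(
            "https://saml-idp.westeurope-01.azurewebsites.net/SAML/SSOService.aspx?tenant=test", extra);

        Console.WriteLine(plain);
        Console.WriteLine(extended);

        // Both URLs must round-trip the SPID value intact through the query-string parser.
        if (SsoServiceUrlBuilder.ReadQueryParameter(plain, "SPID") != spId
            || SsoServiceUrlBuilder.ReadQueryParameter(extended, "SPID") != spId
            || SsoServiceUrlBuilder.ReadQueryParameter(extended, "tenant") != "test")
        {
            throw new InvalidOperationException("SPID did not round-trip through the query string.");
        }

        // The result is what goes in the last argument of the InitiateSSO overload shown in this thread:
        // SAMLServiceProvider.InitiateSSO(Response, returnUrl, partnerIdP, null, null, plain);
    }
}
```

Using ParseQueryString and UriBuilder instead of string concatenation means the encoding is applied per value, so the same helper works for any additional parameter the IdP asks for, not just SPID, and a configured SingleSignOnServiceUrl that already includes a query string is not broken by a stray second `?`.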

Hi,

You were right: using UrlEncode helped me fix the problem and in my test env it worked.

Now, I wait for the client to be ready for some actual test on their env and, in case, I’ll ask for some more help.

Thank you
Fabio

Sounds good. Thanks for the update.