Zoho Help SP claims no metadata

Christopher Bongaarts cab at umn.edu
Wed Jun 17 16:52:15 UTC 2020

On 6/16/2020 7:06 PM, Baron Fujimoto wrote:
> I'm afraid I'm missing something fundamental that I'm not picking up 
> from the documentation or from this thread. Given that endpoint, and 
> assuming it may require some additional parameters such as target and 
> perhaps providerId, where does it *go*? I mean, I think I get that 
> /idp/profile/SAML2/Unsolicited/SSO just exists, but how do you tailor 
> any specific options to a particular SP?

For SP-initiated SSO, the user typically clicks a link that takes them 
to the SP's site.  The SP decides the request requires authentication, 
and sends the user to the IdP based on the SSO endpoint in the metadata, 
with a SAMLRequest included as a parameter.  The SAMLRequest includes 
details like who the SP is, which ACS URL to use, etc.  There may also 
be a RelayState parameter that the IdP is expected to send back with its 

For IdP-initiated SSO (the "unsolicited" endpoint), the user clicks the 
.../Unsolicited/SSO link, which takes them to the IdP. The parameters on 
that link include the data that would have been in the SAMLRequest, such 
as the requesting SP (providerId) and ACS URL (shire), or the RelayState 

In higher ed, we tend to like SP-initiated, as our users frequently go 
directly to the SP sites.  The IdP-initiated method makes more sense in 
corporate intranets, where you first log in to your intranet, and only 
then get the links to the various services you can use.  The IdP SSO 
link would be one of those links on your intranet page.

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the users mailing list