Configuration

From a configuration perspective, you just need to configure your IdP and SPs as described by the following documentation:

• PicketLink Identity Provider (PIDP)

• PicketLink Service Provider (PSP)

You can also take a look at the PicketLink Quickstarts for a lot of examples about how to configure IdPs and SPs, using different configuration options:

• PicketLink Quickstarts

Just one important note about how SAML v.1.1 was previously supported, before PLINK-363. Before the changes from this issue, users were required to configure the SAML11SPRedirectFormAuthenticator authenticator to get SAML v.1.1 enabled for service providers. Please take a look at this example application, which demonstrates the deprecated configuration:

• SAML v.1.1 example application using the deprecated configuration

This configuration was forcing users to maintain different configurations (specially for the authenticators) if they need to support both SAML v.1.1 and SAML v2.0. Just because both SAML versions were supported by different authenticators.

To increase usability, configuration and administration PicketLink now supports SAML v.1.1 from a single authenticator, which is fully described here:

• Service Provider Authenticators

Basically, users can now support both SAML v.1.1 and 2.0 from any service provider.

How to Use

As described by the A Walk Through section, once the user is authenticated the IdP shows a page with links to all service provider applications. A link will usually look like this:

<a href="http://localhost:8080/idp?TARGET=http://localhost:8080/sales-saml11/">Sales</a>

Note that the link above redirects the user to the IdP passing the TARGET query parameter, whose value is the URL to the target service provider application. Once the user clicks the link above, the IdP will extract the TARGET parameter from the request, build a SAML v.1.1 Response and redirect the user to the target URL. When the user hits the service provider it will be automatically authenticated.