Skip to end of metadata
Go to start of metadata

SAML v1.1

Please refer to the wikipedia page for more information.

( )

PicketLink SAML v1.1 Support

Also available at


SAML v1.1 support basically involves the IDP first scenario, unlike SAML v2.0 which involves the SP first scenarios.

A Walk Through

  1. User accesses the IDP.
  2. The IDP seeing that there is neither SAML v2 request nor response, assumes a "IDP first scenario" using SAML v1.1
  3. The IDP challenges the user to authenticate.
  4. Upon authentication, the IDP shows the hosted section where you are displayed a page that links to all the service provider applications.
  5. The user chooses a SP application.
  6. The IDP redirects the user to the service provider with a SAML v1.1 assertion in the query parameter, SAMLResponse
  7. The Service Provider checks the SAML v1.1 assertion and provides access.

Configuring and Using SAML v1.1

If you're not familiar about the PicketLink Authenticators, please take a look at the following documentation:


From a configuration perspective, you just need to configure your IdP and SPs as described by the following documentation:

You can also take a look at the PicketLink Quickstarts for a lot of examples about how to configure IdPs and SPs, using different configuration options:

Just one important note about how SAML v.1.1 was previously supported, before PLINK-363. Before the changes from this issue, users were required to configure the SAML11SPRedirectFormAuthenticator authenticator to get SAML v.1.1 enabled for service providers. Please take a look at this example application, which demonstrates the deprecated configuration:

This configuration was forcing users to maintain different configurations (specially for the authenticators) if they need to support both SAML v.1.1 and SAML v2.0. Just because both SAML versions were supported by different authenticators.

To increase usability, configuration and administration PicketLink now supports SAML v.1.1 from a single authenticator, which is fully described here:

Basically, users can now support both SAML v.1.1 and 2.0 from any service provider.

How to Use

As described by the A Walk Through section, once the user is authenticated the IdP shows a page with links to all service provider applications. A link will usually look like this:

Note that the link above redirects the user to the IdP passing the TARGET query parameter, whose value is the URL to the target service provider application. Once the user clicks the link above, the IdP will extract the TARGET parameter from the request, build a SAML v.1.1 Response and redirect the user to the target URL. When the user hits the service provider it will be automatically authenticated. 

Service Provider Support for SAML v1.1

Since the user goes to the IDP first and then redirected back to a Service Provider via the TARGET query parameter,  you can obtain SAMLv1.1 specific behavior for web apps utilizing PicketLink by using SAML11SPRedirectFormAuthenticator (

Before version 2.6.0.CR1, SAML v1.1 support requires the use of SAML11SPRedirectFormAuthenticator valve at the service provider side. Now, users can use the ServiceProviderAuthenticator and get the same behavior.

Please refer to Configuring SAML v1.1 section for more information. In this section there is described the recommended configuration to enable SAML v1.1 for both identity providers and service providers.

Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.