Skip to end of metadata
Go to start of metadata


Usually in PicketLink, the SP starts the flow by sending an authentication request to the IdP, which in turns sends a SAML Response to the SP with a valid Assertion. This flow is called SP-Initiated SSO.

But the SAML 2.0 specs also defines another flow, called IdP-Initiated or Unsolicited Response SSO. In this scenario, the SP does not initiate the authentication flow and just receive a SAML Response from the IdP. The flow starts on the IdP side and once the user is authenticated he can choose a specific SP from a list and then get redirected to its URL. For more information, please take a look here:

This mode is very similar to the PicketLink SAML v1.1 support, but here we're using version 2.0 instead.

SAML v2.0 Unsolicited Response is supported by version 2.6.0.CR1 and beyond.

A Walk Through

  1. User accesses the IDP.
  2. The IDP seeing that there is neither SAML v2 request nor response, assumes a "IDP first scenario" using SAML v2.0.
  3. The IDP challenges the user to authenticate.
  4. Upon authentication, the IDP shows the hosted section where you are displayed a page that links to all the service provider applications.
  5. The user chooses a SP application.
  6. The IDP redirects the user to the service provider with a SAML v2.0 assertion in the query parameter, SAMLResponse
  7. The Service Provider checks the SAML v2.0 assertion and provides access.


No special configuration is necessary to get Unsolicited Responses supported, you can configure your IdP and SPs as usual. For more information about how to configure them, take a look at:

You can also take a look at the PicketLink Quickstarts for a lot of examples about how to configure IdPs and SPs, using different configuration options:

How to Use

As described by the A Walk Through section, once the user is authenticated the IdP shows a page with links to all service provider applications. A link will usually look like this:

Note that the link above redirects the user to the IdP passing the TARGET query parameter, whose value is the URL to the target service provider application. Once the user clicks the link above, the IdP will extract the TARGET parameter from the request, build a SAML v2.0 Response and redirect the user to the target URL. When the user hits the service provider it will be automatically authenticated.

Differently than our SAML v1.1 support, you need to specify the SAML version that should be used by the IdP to create the SAML Response. For that you use the SAML_VERSION query parameter.

The IdP also supports the SAML_BINDING query parameter in order to specify which SAML binding shall be used to send the SAML Response to the target SP. The value for this parameter can be either:

  • POST
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.