Environment
NetIQ Access Manager 3.2 Identity Server acting as SAML 2 Identity Provider
SAML2 Intersite Transfer URL configured with its corresponding Intersite Transfer Service ID
Situation
NAM 3.2 is configured with multiple SAML2 Service Providers (SPs), each with its own custom authentication contract.
IDP-initiated login is used; each SP has a target defined and an Intersite Transfer Service ID configured in the UI.
The admin wants a specific authentication contract executed for each SAML2 Service Provider (SP), but users accessing the Intersite Transfer URL with an SP's ID always get the default contract executed instead. The TID at https://support.microfocus.com/kb/doc.php?id=7005810 was followed so that a contract ID could be passed in the login URL.
The example URL below passes in a specific contract (whose ID is nameid) and uses the Intersite Transfer URL as the target (whose Intersite Transfer Service ID is also called nameid).
Note: the name "nameid" shows up twice in the URL below, once as the contract ID and once as the Intersite Transfer Service ID. With both IDs identical the default contract is executed; the resolution is to make the two IDs differ:
https://idp.yourdomain.com/nidp/app?id=nameid&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=nameid
Resolution
Example 1:
Change the Intersite Transfer Service ID to all uppercase (or to a different name):
In the Admin Console go to Identity Servers | Edit | SAML2 tab | click the SP service | Intersite Transfer Service | ID: set it to NAMEID and update the changes.
Note: in this case, changing the Intersite Transfer Service ID from nameid to NAMEID takes two steps.
First change 'nameid' to any other name and update; then change it to the uppercase NAMEID and update again.
The login URL then becomes (note NAMEID in the target):
https://idp.yourdomain.com/nidp/app?id=nameid&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=NAMEID
Example 2:
Or change the contract to a different name altogether:
In the Admin Console go to Identity Servers | Edit | Local tab | Contracts | click the contract | set Display name: to a different name. In this example it is set to 'namediff'; update the changes.
The login URL is changed to match (see 'namediff' in the URL):
https://idp.yourdomain.com/nidp/app?id=namediff&target=https://idp.yourdomain.com/nidp/saml2/idpsend?id=nameid
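As an added example (not part of this TID and not NetIQ code), the following Python script builds the IDP-initiated login URL from a contract ID and an Intersite Transfer Service ID, reads both IDs back out of a login URL, and flags the configuration from the Situation above in which both are 'nameid'. The host idp.yourdomain.com and the IDs nameid, NAMEID and namediff are the placeholders used in this article; the function names are the example's own, and the collision check is a plain string comparison, not a reproduction of the Identity Server's matching logic.

```python
# Added example (not from the NetIQ TID): build and inspect the IDP-initiated
# login URL so the contract ID and the Intersite Transfer Service ID can be
# checked for the collision the article describes. idp.yourdomain.com, nameid,
# NAMEID and namediff are the placeholder values used in the article.
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def intersite_transfer_url(idp_base: str, intersite_id: str) -> str:
    """Intersite Transfer URL for one SP: /nidp/saml2/idpsend?id=<Intersite Transfer Service ID>."""
    return f"{idp_base}/nidp/saml2/idpsend?{urlencode({'id': intersite_id})}"


def idp_initiated_login_url(idp_base: str, contract_id: str, intersite_id: str) -> str:
    """IDP-initiated login URL: /nidp/app?id=<contract>&target=<Intersite Transfer URL>.

    The target is percent-encoded here. The article's URLs leave it unencoded,
    which only works because the nested URL carries no '&' of its own.
    """
    target = intersite_transfer_url(idp_base, intersite_id)
    return f"{idp_base}/nidp/app?{urlencode({'id': contract_id, 'target': target})}"


def ids_from_login_url(url: str) -> Tuple[str, str]:
    """Return (contract ID, Intersite Transfer Service ID) found in a login URL.

    Works on both the encoded form built above and the unencoded form shown in
    the article: parse_qs splits the outer query on '&' and decodes the target
    value, and the nested query is then parsed on its own.
    """
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    contract_id = outer["id"][0]
    target = outer["target"][0]
    inner = parse_qs(urlsplit(target).query, strict_parsing=True)
    return contract_id, inner["id"][0]


def ids_collide(url: str) -> bool:
    """True when the contract ID and the Intersite Transfer Service ID are the
    same string, the configuration the article reports as falling back to the
    default contract. Case-sensitive, matching the article's Example 1."""
    contract_id, intersite_id = ids_from_login_url(url)
    return contract_id == intersite_id


if __name__ == "__main__":
    base = "https://idp.yourdomain.com"
    # Constructed inputs: the problem URL (both IDs nameid) and the two fixes.
    broken = idp_initiated_login_url(base, "nameid", "nameid")
    fixed1 = idp_initiated_login_url(base, "nameid", "NAMEID")    # Example 1
    fixed2 = idp_initiated_login_url(base, "namediff", "nameid")  # Example 2
    for url in (broken, fixed1, fixed2):
        print(url)
        print("  ids:", ids_from_login_url(url), "collision:", ids_collide(url))
```

Run the script to see the three URLs and which one has the collision. Feeding the unencoded URLs from this article to ids_from_login_url gives the same result as the encoded ones, because the nested Intersite Transfer URL contains no '&'; if a target ever carries more than one query parameter, percent-encoding it as above keeps the outer and inner query strings from being confused.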