How to use IDP initiated SSO approach to single sign on to Ws-Federation service provider

  • 7021197
  • 11-Aug-2017
  • 11-Aug-2017


Access Manager 4.3
Access Manager 4.2


I am sure I am just missing something but have been able to find in the docs or google how I can create an IDP initiated URL to authenticate into a WS-FED service Provider.   I have a config were I was able to create an App Mark to Office 365 using a WS-FED service provider and it works fine just can’t figure out what the actual URL that is generated looks like,


 IDP-initiated-SSO does not appear to exist in the WS-Federation standard ( .

As a result we do not seem to have an IDP init endpoint in our implementation as with SAML protocol but a whr parameter exists which NAM can leverage to workaround the issue.

In the link below, the browser will go to the IDP first where user logs in and is then redirected to the target URL (URL must be encoded). Passing in the whr parameter into this Office 365 target URL instructs Office 365 that the request is specific to the federated domain ( in example below).

Office 365 transparently redirects user back to NAM IDP, but since session exists IDP simply sends an assertion back to Office 365 and user can single sign on.