WFM and Service Provider (SP) initiated Single Sign-On (SSO)
The configuration documented in this section enables SP initiated SSO using your IdP. It is intended for on-premise deployments that do not embed WFM within a portal. In this configuration, the IdP handles only user authentication and does not manage the WFM session: the IdP user session times out according to the IdP configuration, and the WFM user session times out according to the WFM session timeout registry setting.
WFM will send the IdP a SAML authentication request if the user does not have a WFM authenticated session. The IdP will always prompt the user to authenticate each time WFM sends a SAML authentication request, even if there is already a valid IdP session for the authenticating user.
Logging out of WFM, ETM or mobility only invalidates the WFM session; it does not send a SAML LogoutRequest to the IdP.
The differences between IdP initiated SSO and SP initiated SSO are outlined in the table below:
Feature | SP initiated SSO | IdP initiated SSO |
---|---|---|
Authentication | All users must use SAML SSO. | Can be used with customizations to support some users authenticating with `login.jsp`. |
IdP configuration | Only one IdP initiated SSO profile is needed for WFM, ETM, and mobility. | Separate profiles are required for WFM, ETM, and mobility. |
Requests from unauthenticated users | Sends a SAML AuthnRequest to the IdP. | Uses `logoutRequest.jsp` to do an HTTP redirect to the IdP. |
SAML Response | User identifier in either the SAML Response nameID or in a SAML Response claim. | User identifier must be in the SAML Response nameID. |
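As an added illustration of the SP initiated exchange described above and of the identifier rule in the last table row (example code written for this page, not part of the WFM product or its documentation): the SP builds an AuthnRequest when it has no session of its own, then, once the IdP has posted a Response back, it checks that the Response answers that request and succeeded before pulling the user identifier from either the nameID or a configured claim. Using SAML's `ForceAuthn` attribute to obtain the "always prompt" behaviour is an assumption, as are the entity IDs, URLs and the constructed sample Response; the example assumes the SP's SAML library has already verified the Response signature, audience and validity window.

```python
"""Added example (not WFM product code): SP side of an SP initiated SAML flow.

Assumes the Response signature, audience and time conditions have already
been verified by the SP's SAML library; this covers only the request/response
bookkeeping and the user-identifier extraction described in the table.
"""
import datetime as dt
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Build the AuthnRequest sent when the user has no SP session.

    force_authn=True is an assumption about how the IdP is made to prompt
    every time: ForceAuthn asks the IdP to re-authenticate the user even if
    it already holds a valid IdP session.  Returns (request_id, xml) so the
    SP can store the ID and later match the Response's InResponseTo to it.
    """
    request_id = "_" + secrets.token_hex(16)
    issue_instant = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")


def extract_user_identifier(response_xml, expected_in_response_to, claim_name=None):
    """Return the user identifier from a verified SAML Response.

    With claim_name=None the identifier is taken from Subject/NameID (the
    only option in the IdP initiated column); with a claim_name it is taken
    from the Attribute of that name (the SP initiated column's alternative).
    Rejects a Response that does not answer our request, did not succeed,
    or does not carry exactly one Assertion and exactly one identifier value.
    """
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("Response does not answer the AuthnRequest we issued")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("Response status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]

    if claim_name:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == claim_name:
                values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                          if v.text and v.text.strip()]
                if len(values) != 1:
                    raise ValueError(f"claim {claim_name!r} must carry exactly one value")
                return values[0]
        raise ValueError(f"claim {claim_name!r} not present in the Assertion")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Subject/NameID missing or empty")
    return name_id.text.strip()


# Constructed sample Response (not captured from a real IdP), already "verified".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    rid, xml = build_authn_request("https://wfm.example.com/sp", "https://wfm.example.com/acs",
                                   "https://idp.example.com/sso")
    print(rid, 'ForceAuthn="true"' in xml)
    print(extract_user_identifier(SAMPLE_RESPONSE, "_req1"))
    print(extract_user_identifier(SAMPLE_RESPONSE, "_req1", claim_name="email"))
```

The InResponseTo check is what distinguishes the SP initiated case operationally: because WFM issued the AuthnRequest, it can refuse any Response it did not ask for, a check that is unavailable when the IdP starts the exchange.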