WFM and SAML protocol: Support for SP initiated SSO

WFM now supports SP initiated SSO for on-premise deployments that do not embed WFM within a portal such as Infor Ming.le.

In this type of configuration, the IdP (Identity Provider such as Ping Federate or ADSF) only handles the user authentication and does not manage the WFM session. The IdP user session will timeout according to the IdP configuration and the WFM user session will timeout according to the WFM session timeout registry setting.

WFM will send the IdP a SAML authentication request if the user does not have a WFM authenticated session. The IdP will always prompt the user to authenticate each time WFM sends a SAML authentication request, even if there is already a valid IdP session for the authenticating user.

Logging out of WFM, ETM or mobility will only invalidate the WFM session and will not send a SAML LogoutRequest to the IdP.

For more information on SP initiated SSO, see "WFM and Service Provider (SP) initiated SingleSign-On (SSO)" in the Infor Workforce Management Installation and Configuration Guide.