You are here

Invoking SP-Initiated SSO

SpringCM will invoke SP-Initiated SSO when the following three conditions are met:

  1. A request is made for a non-public, secured resource
  2. The user does not have a current session
  3. SpringCM can determine the user's account id via the aid parameter on the query string so that the configured Identity Provider to redirect to can be determined.

Because of the requirement that the account id be present on the query string to invoke SP-Initiated SSO, almost
all system generated URL's from SpringCM will contain this parameter. This includes not only normal browsing
URLs, but also links that are generated by sending documents via email in the UI or workflow.
Since SP-Initiated SSO is only invoked when a request for secure resource is made, there is currently no way for
a user to invoke SP-Initiated SSO on demand from the login page. Because of this, it is common practice for
customers to create a friendly URL that will invoke either Identity Provider initiated SSO or SP-Initiated SSO to
SpringCM. This creates a better experience for end users, as they will follow a simple URL and invoke SSO onto
SpringCM. If you do not know your Identity Provider's URL to invoke a SAML response to SpringCM, you can
link to the SpringCM ACS URL. For example, a customer may create something like and link it to,
where 'XXXX' is replaced with the SpringCM account id.