How to Create a Link to Launch IdP-initiated SSO

Problem

You need to construct a URL that triggers IdP-initiated Single Sign-On (SSO) through PortalGuard, without using the PortalGuard SSO Jump Page.

Solution

This guide explains how to construct a URL that triggers an IdP-initiated Single Sign-On (SSO) action in PortalGuard. This is useful when you want to start an authentication session directly from PortalGuard rather than accessing an application first.


Solution Details

SSO URL Format

The general format for an SSO URL in PortalGuard is:

https://YOUR.PG.SERVER/sso/go.ashx?id=URL-ENCODED-ID

Where:

  • YOUR.PG.SERVER is the base URL of your PortalGuard server.

  • URL-ENCODED-ID is the URL-encoded identifier for the application being accessed.


Locating the Application Identifier

The application identifier (ID) is defined in the Identity Provider Configuration Editor within PortalGuard. This is typically labeled as the 'Identifier' for the specific SAML configuration of the target application.

For example, if you are configuring SSO for Google Workspace (formerly GSuite), the identifier might be:

google.com/a/example.com

This value must be URL-encoded before being used in the SSO URL.


Encoding the Identifier

Because some characters, such as the forward slash, are reserved in URLs, the identifier must be URL-encoded before it is placed in the id parameter. Here’s an example encoding transformation:

Identifier: google.com/a/example.com

URL-Encoded Identifier: google.com%2Fa%2Fexample.com

You can use an online URL encoder or a command-line tool to convert the string.


Example SSO URL for Google Workspace

If your PortalGuard server is https://your.pg.server, and your Google Workspace identifier is google.com/a/example.com, then your final SSO URL would be:

https://your.pg.server/sso/go.ashx?id=google.com%2Fa%2Fexample.com
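
The steps above as an added Python example (not PortalGuard code): it encodes every reserved character in the identifier, builds the link, and decodes it again to confirm the round trip. The helper names build_sso_url and decode_sso_id are hypothetical, and the second identifier is a constructed sample that goes beyond the article's single case.

```python
from urllib.parse import quote, urlsplit, parse_qs

SSO_PATH = "/sso/go.ashx"  # path taken from the URL format on this page


def build_sso_url(pg_server: str, identifier: str) -> str:
    """Return the IdP-initiated SSO link for one application identifier."""
    base = urlsplit(pg_server)
    # Require HTTPS and a bare host so the link only ever points at the IdP.
    if base.scheme != "https" or not base.netloc:
        raise ValueError("PortalGuard base URL must be https://host")
    if base.path not in ("", "/") or base.query or base.fragment:
        raise ValueError("base URL must not carry a path, query or fragment")
    if not identifier or identifier != identifier.strip():
        raise ValueError("identifier is empty or has surrounding whitespace")
    # safe="" matters: quote() leaves "/" unencoded by default, which would
    # not match the encoded form shown in the article.
    encoded = quote(identifier, safe="")
    return f"https://{base.netloc}{SSO_PATH}?id={encoded}"


def decode_sso_id(url: str) -> str:
    """Recover the identifier from a built link, to check the round trip."""
    values = parse_qs(urlsplit(url).query, strict_parsing=True)["id"]
    if len(values) != 1:
        raise ValueError("expected exactly one id parameter")
    return values[0]


if __name__ == "__main__":
    # The first identifier is the article's example; the second is a constructed
    # URL-style identifier with characters that would split the query string.
    for ident in ("google.com/a/example.com",
                  "https://sp.example.com/saml?tenant=a&env=b"):
        link = build_sso_url("https://your.pg.server", ident)
        assert decode_sso_id(link) == ident
        print(link)
```

The identifier passed in must match the 'Identifier' value in the Identity Provider Configuration Editor exactly, since the decoded value is what has to match the configured identifier.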

Testing the SSO URL

You can test the URL by pasting it into a browser:

  • If you already have an active PortalGuard session, you should be logged into the target application immediately.

  • If you do not have an active session, PortalGuard will first prompt you to authenticate before redirecting you to the application.
