Forum Discussion
APM SP Initiated workflow IDP
Jason,
Please see below:
1) I'm struggling with one application that needs to use the UPN or e-mail address and pass that through to an external SP. The user is logging into the IDP with their AD credentials, but I need to grab the UPN or email and pass that to the SP and not the AD credentials.
Each app should have unique IDP-to-SP mapping in the APM config. That also gives you flexibility to define unique IDP configs and respond with different values in SAML assertion to the SP. For your example, you would want to do AD Query in the Access Policy after AD Auth, and it will pull all relevant user attributes from AD and you will be able to select the right attribute to be passed to SP in the SAML assertion.
2) How do I have the user go directly to the SAML resource without having to click on the icon listed on the webtop?
You would go straight to SP, and it should redirect you to the APM as IDP, you would authenticate, and it should send an assertion right back to the application without showing webtop to the user.
3) If I have one virtual server, with one access policy, how does the access policy keep track of having say 10 IDP and 10 SP connectors and which resource to send users to? I guess my question is, can you have multiple IDPs and SP connectors under one single virtual server? I have read several of the documents but they seem to be very basic and not cover the in-depth configurations.
Absolutely! APM distinguishes between them by virtue of bindings, so as you bind an IDP config to SP connector, it treats it as an application. Then you create a SAML Resource object and assign it to the policy via VPE - so in your case, you would create 10 SAML Resource objects and assign them via Advanced Resource Assignment VPE object to the policy.
Hope this helps you move forward with this.
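A check that can be run against a test SAMLResponse to confirm the assertion identifies the user by UPN or e-mail address rather than the AD logon name (point 1 above). This is an added example, not part of the original post and not F5 code; the function names, the `mail` attribute name and the sample responses are constructed for illustration, and the script inspects content only, without verifying the signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Heuristic: user@domain.tld with no backslash (rules out DOMAIN\user logon names).
UPN_OR_EMAIL = re.compile(r"^[^@\s\\]+@[^@\s]+\.[^@\s]+$")

def subject_report(saml_response_b64):
    """Decode a POST-binding SAMLResponse and report what identifies the user.

    For inspecting your own test captures only: no signature validation is done.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    value = name_id.text.strip()
    return {"name_id": value,
            "format": name_id.get("Format"),
            "is_upn_or_email": bool(UPN_OR_EMAIL.match(value)),
            "attributes": attrs}

def build_sample(name_id, mail):
    """Constructed, unsigned SAMLResponse (not captured from any real IdP)."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Assertion><saml:Subject><saml:NameID '
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f'{name_id}</saml:NameID></saml:Subject><saml:AttributeStatement>'
        f'<saml:Attribute Name="mail"><saml:AttributeValue>{mail}'
        '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for subject in ("jdoe@example.com", "CORP\\jdoe"):  # constructed values
        report = subject_report(build_sample(subject, "jdoe@example.com"))
        print(report["name_id"], "->", report["is_upn_or_email"])
```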