Unsolicited IDP: RelayState and target
Matt Woodson
mwoodson at redhat.com
Fri Feb 17 19:14:18 GMT 2012
On 02/17/2012 04:16 AM, WULMS Alexander wrote:
> Hi,
>
> Salesforce properly implements SAML v2 SP-initiated flow and also supports IdP-initiated flow.
>
> Salesforce puts the relative URL to the requested page in the relaystate parameter. When you use the IdPUnsolicitedSSO handler on Shibboleth IdP, then you can indeed specify a value for the relaystate parameter. Though, keep in mind that you should URL-encode the relative URL when building your request string, especially if it contains special parameters or a query string.
>
> Example to send a user to page /home/home2.jsp, on Salesforce my-domain your-organization.my.salesforce.com:
>
> https://your-idp-host/idp/profile/SAML2/Unsolicited/SSO?providerId=https%3A%2F%2Fyour-organization.my.salesforce.com&target=%2Fhome%2Fhome2.jsp
>
> This is under the assumption that you have set up your own sub-domain, using their my-domain feature, and that the entity-id for that sub-domain is https://your-organization.my.salesforce.com.
>
> It works. At least for us (with Shibboleth IdP 2.3.5).

Alex,

Thanks for the reply.

Getting the relaystate into the Unsolicited URL as the "target"
parameter is what I was originally asking for help with. That's the magic I
don't have. And, according to replies, Unsolicited mode doesn't do
anything with that relaystate variable.

For future list readers, I will post this info.

After more investigation and enabling domains at salesforce.com, we are
going to use SP-initiated SAML with Shibboleth as the IdP. Once this is
done, we can use the relaystate as it is meant to be.

I originally misunderstood the part that sfdc will do SP-initiated SAML
once you have domains enabled.
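
The URL-encoding point from the quoted message, as an added example that is not part of either poster's message or of Shibboleth itself: it builds the Unsolicited SSO URL and shows what a receiving endpoint parses when the target carries its own query string and is not encoded. The function names, the relative-path check and the second target value are assumptions of this example; the host names are the placeholders used in the thread.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Placeholder values taken from the thread.
IDP_ENDPOINT = "https://your-idp-host/idp/profile/SAML2/Unsolicited/SSO"
SP_ENTITY_ID = "https://your-organization.my.salesforce.com"
# Constructed target with its own query string (not from the thread).
TARGET_WITH_QUERY = "/home/home2.jsp?tab=1&view=full"


def build_unsolicited_url(endpoint, provider_id, target):
    """Return the IdP-initiated SSO URL with both parameters percent-encoded."""
    # Assumption of this example: only SP-relative paths are accepted, matching
    # the "relative URL" the thread describes; absolute and scheme-relative
    # values are rejected instead of being passed along.
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("target must be a relative path on the SP")
    # quote() with safe="" also encodes "/", ":", "?" and "&".
    query = urlencode({"providerId": provider_id, "target": target},
                      quote_via=quote, safe="")
    return f"{endpoint}?{query}"


def naive_url(endpoint, provider_id, target):
    """Plain concatenation without encoding, kept only to show the failure."""
    return f"{endpoint}?providerId={provider_id}&target={target}"


def params_seen_by_receiver(url):
    """Parse the query string the way a receiving endpoint would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    good = build_unsolicited_url(IDP_ENDPOINT, SP_ENTITY_ID, TARGET_WITH_QUERY)
    bad = naive_url(IDP_ENDPOINT, SP_ENTITY_ID, TARGET_WITH_QUERY)
    print("encoded  :", good)
    print("  target :", params_seen_by_receiver(good)["target"])
    print("unencoded:", bad)
    # The "&view=full" part is split off and read as a separate parameter.
    print("  parsed :", params_seen_by_receiver(bad))
```
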