AD FS and RelayState

Cantor, Scott cantor.2 at
Thu Aug 20 10:10:31 EDT 2015

On 8/20/15, 9:55 AM, "users on behalf of Robert Lowe" <users-bounces at on behalf of robertmlowe at> wrote:
>If true, this would obviously not be compliant with the spec. I'm skeptical, as the sources seem to be referring to IdP-initiated SSO only.

IdP-initiated Relay State is proprietary, just like all of IdP-iniated SSO is. So yes, that's probably the case.

It handles RelayState in general without much trouble that I know of.

>2. If this is indeed required, is there any way to make the Shibboleth SP generate
>RelayState in the appropriate format?

No, nor will it underatand it. The only value usable in that direction is just a full target URL.

-- Scott

More information about the users mailing list