Specifying relayState to pass plain URL format for SLO in SP settings

Gernot Hassenpflug gernot.hassenpflug at asahinet.com
Sun Apr 24 22:04:46 EDT 2016


"Cantor, Scott" <cantor.2 at osu.edu> writes:

>> Despite searches in the Shibboleth Wiki, I could not find any
>> documentation on how to do this, the closest was that if the relayState
>> was left out (in Sessions) then the plain URL would be used in SLO.
>
> That is correct, but that applies to everything, not just SLO. There
> possibly isn't an explicit way to do this with the <Logout> element.

Hello Scott,
Thank you for your reply and directions.

>> Well, after trying to specify relayState as an empty string in the
>> Logout element, which resulted in failed startup for XMLParsing,
>
> Attributes cannot be empty, and "leaving the setting out" is not at
> all the same as trying to set it to an empty string.

Understood.

>> <Logout relayState="url">SAML2 Local</Logout>
>
> That isn't a valid setting, so if it works, it's accidental. I doubt
> that what you're actually trying to do is officially supported (leave
> it set to something but then override back to nothing). That generally
> isn't something it supports. What you probably could do is the
> opposite: unset it in <Sessions> but then set it in the <SSO> element.

Done, and worked perfectly.

I don't remember why we chose years ago to set relayState="ss:mem" in
the <Sessions> element when moving to the new configuration file format:
it could have been taken from an example file perhaps.

In any case, setting relayState only in the <SSO> element and thereby
leaving it in default state (URL) for <Sessions> and <Logout> elements
works fine for this particular IdP.

We are not going to change the settings for other SPs, if there is no
pressing reason to remove relayState="ss:mem" from <Sessions>. If
someone has a good argument for leaving it at the default, I would be
happy to bring it up at management level and make that change (the more
defaults the easier to manage our own changes).

>> Also, if the documentation for relayState could be amended to cover this
>> case.
>
> There's nothing to amend, you do it by not setting relayState as far as I recall, like it says to do.

Yes, indeed, though the problem we faced was figuring out whether not
setting relayState (a change from our existing default settings) would
have any undesirable effects.

Thanks again,
Gernot Hassenpflug
-- 
Asahi Net, Inc.
Tokyo, Japan
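
The change described in the message above, shown as an added example that is not part of the original post: two `<Sessions>` fragments from an SP's shibboleth2.xml, before and after moving relayState from `<Sessions>` to `<SSO>`. The entityID and every attribute value other than relayState="ss:mem" are constructed placeholders.

```xml
<!-- Constructed fragments of shibboleth2.xml. The entityID and the
     lifetime/timeout/checkAddress/handlerSSL/cookieProps values are
     placeholders, not taken from the thread. -->

<!-- Before: relayState set on <Sessions> applies to everything
     configured inside it, including <Logout>, so SLO does not use
     the plain URL form. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://idp.example.org/idp/shibboleth">SAML2</SSO>
    <Logout>SAML2 Local</Logout>
</Sessions>

<!-- After: relayState is absent from <Sessions>, so <Logout> falls
     back to the default (plain URL), and the setting is applied only
     to <SSO>. The attribute is left out entirely; it is not set to an
     empty string, which the thread reports fails XML parsing at
     startup. -->
<Sessions lifetime="28800" timeout="3600"
          checkAddress="false" handlerSSL="true" cookieProps="https">
    <SSO entityID="https://idp.example.org/idp/shibboleth"
         relayState="ss:mem">SAML2</SSO>
    <Logout>SAML2 Local</Logout>
</Sessions>
```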


