IdPUnsolicitedSSO + relayState

Lalith Jayaweera ljayaweera at
Sun Oct 8 22:30:24 EDT 2017


We got IdP 3.3 with CAS plugin

We got existing IdP initiated URLs as below

Then I changed it to below

However, when it initially redirects to CAS for the authentication, I am
able to see the Service param with the entityId URL; however, the target param was
missing from the query string, so I had doubts.....

but when I further checked the final response......

I am able to see the RelayState along with the SAMLResponse as shown

I kind of tend to believe IdP has done what it is supposed to do, even though
the relay state was not appearing in the query string but somehow
maintained in the IdP

Please let me know if the above understanding is correct


On Thu, Sep 28, 2017 at 6:46 PM, Peter Schober <peter.schober at>

> * Lalith Jayaweera <ljayaweera at> [2017-09-28 09:16]:
> > For one of our IdP initiated SPs, there is a request to have RelayState as
> > a specific URL [...]
> >
> > can I safely assume, it is all about setting 'target' param in the
> > relyingparty xml
> Fyi, unless you're still using IDPv2 that's not the right
> documentation, for IDPv3 it's here:
> UnsolicitedSSOConfiguration
> And the documented parameters are for query strings (i.e., request
> parameters) for HTTP GET requests sent to the IDP:
>   target (optional)
>     Corresponds to RelayState in the SAML 2.0 protocol, but can be
>     omitted.
> So you'd set 'providerId' to the (URL-encoded) entityID of the SP and
> 'target' to the URL you want to end up with at the SP (or the opaque
> RelayState value the SP wants you to use).
> You don't have to change any configuration files in order to use the
> above interface.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
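
An added example (not part of the original thread, and not Shibboleth's own code) of the check discussed above: it builds the IdP-initiated URL with URL-encoded `providerId` and `target`, then confirms that the final HTTP-POST form carries a `RelayState` equal to the requested `target`. The host names, the endpoint path, the helper names and the sample response page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholder values (not from the original thread).
IDP_ENDPOINT = "https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
TARGET = "https://sp.example.org/app/start?page=1"

def build_unsolicited_url(endpoint, provider_id, target=None):
    """Return the IdP-initiated URL; urlencode() percent-encodes both values."""
    params = {"providerId": provider_id}
    if target is not None:  # 'target' is optional and maps to RelayState
        params["target"] = target
    return endpoint + "?" + urlencode(params)

class PostFormParser(HTMLParser):
    """Collect hidden <input> fields from the SAML HTTP-POST auto-submit form."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")

def relay_state_matches(response_html, expected_target):
    """True only if the form has a SAMLResponse and RelayState == target."""
    parser = PostFormParser()
    parser.feed(response_html)
    fields = parser.fields
    return "SAMLResponse" in fields and fields.get("RelayState") == expected_target

# Constructed sample of the final response page (SAMLResponse is a dummy value).
SAMPLE_RESPONSE = """<form action="https://sp.example.org/Shibboleth.sso/SAML2/POST" method="post">
<input type="hidden" name="RelayState" value="https://sp.example.org/app/start?page=1"/>
<input type="hidden" name="SAMLResponse" value="CONSTRUCTED-PLACEHOLDER"/>
</form>"""

if __name__ == "__main__":
    url = build_unsolicited_url(IDP_ENDPOINT, SP_ENTITY_ID, TARGET)
    print(url)
    print(parse_qs(urlsplit(url).query))
    print(relay_state_matches(SAMPLE_RESPONSE, TARGET))
```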