relaystate being set by IDP?

Cantor, Scott cantor.2 at
Thu Oct 26 16:53:48 EDT 2017

> I had wondered about that.  Thing is, their app presents a login screen
> (though I haven't actually been able to log in, because it can't find our
> metadata.)
> It seems like it would be possible (though weird) for them to present a login
> screen that somehow used an IDP initiated SSO URL internally.

It is possible if they made you enter it, but if that's not what they're doing, then no, there's no support for this because it would be invalid. The binding spec does not allow the IdP to just make up a RelayState if it didn't get one from the SP, it's mandatory to base it on the request. If Okta does that, well, Okta's wrong, that would fail a compliance test.

-- Scott
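
An SP-side check of the rule stated above, as an added example that is not part of the original message or of any project's code. The pending-request store, the result labels and the sample responses are constructed for illustration, and signature validation of the response is assumed to happen elsewhere.

```python
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Hypothetical SP-side store: AuthnRequest ID -> RelayState sent with it
# (None when the SP sent no RelayState). Values are constructed.
PENDING = {"_req-with-state": "token-8f2c", "_req-no-state": None}

def sample_response(in_response_to=None):
    """Build a constructed, minimal samlp:Response (no assertion, no signature)."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0"%s/>' % (SAMLP, attr)

def get_in_response_to(response_xml):
    """Return the InResponseTo attribute, or None for an unsolicited response."""
    # ElementTree is used only because the input here is constructed; parse
    # untrusted XML with a hardened parser such as defusedxml.
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    return root.get("InResponseTo")

def check_relay_state(response_xml, relay_state, pending):
    """Compare the RelayState that arrived with a response to what the SP sent."""
    req_id = get_in_response_to(response_xml)
    if req_id is None:
        return "unsolicited"        # IdP-initiated: no request to compare against
    if req_id not in pending:
        return "unknown-request"    # answers a request this SP never issued
    sent = pending[req_id]
    if sent is None:
        # The SP sent nothing, so any value here was made up by the IdP.
        return "ok" if relay_state is None else "invented"
    if relay_state is None:
        return "dropped"
    same = hmac.compare_digest(sent.encode(), relay_state.encode())
    return "ok" if same else "altered"

if __name__ == "__main__":
    print(check_relay_state(sample_response("_req-no-state"),
                            "https://sp.example/app", PENDING))
```

Logging the "invented", "dropped" and "altered" outcomes per IdP entityID shows quickly which partner is deviating from the request.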

