Add static/custom attribute with ACS Url

Tom Scavo trscavo at gmail.com
Wed Feb 7 16:47:14 EST 2018


On Wed, Feb 7, 2018 at 4:15 PM, Santu Ghosh <mon.snahasish at gmail.com> wrote:
>
> > but in an IdP-initiated flow, the IdP can
> > add whatever RelayState value the SP will understand (presumably by
> > prior agreement).
>
> Can you please give me an example of how to add a parameter in an ACS URL?

Let's back up a bit. First you need to understand how RelayState works
in an SP-initiated flow: The SP attaches a RelayState parameter to the
redirect URL, which the IdP is REQUIRED to return on the round trip.
This is documented in the SAML standard.

Presumably the SP includes a RelayState parameter so that it knows
where to redirect the user at the very last step of the flow. Are your
SPs that support SP-initiated doing this now? If not, I'm not sure why
you're concerned with the SP that doesn't support SP-initiated. Either
you need RelayState for all of them or none of them.

That said, an IdP-initiated flow is inherently non-standard. The IdP
could add an arbitrary RelayState parameter to the POST response but
the SP may not understand it since the request did not originate at
the SP. So if anything good happens in the IdP-initiated case it is by
prior agreement only. If the IdP passes a RelayState parameter that
the SP understands, then that means they colluded on its semantics.
That's great.

HTH,

Tom
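
The RelayState handling described in this thread, seen from the SP side, as an added example (not code from the thread or from Shibboleth). The class, function and table names, the `/home` default and the IdP entity ID are constructed for illustration, and the SAML response itself is assumed to have been validated elsewhere.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlsplit

DEFAULT_LANDING = "/home"      # assumption: fallback when RelayState is missing or unknown
MAX_RELAYSTATE_BYTES = 80      # size limit from the SAML 2.0 bindings specification

# Assumption: values agreed in advance with each IdP for IdP-initiated logins.
# The entity ID below is a constructed sample.
AGREED_TARGETS = {
    "https://idp.example.org/idp/shibboleth": {"reports": "/reports", "mail": "/mail"},
}

class ServiceProvider:
    def __init__(self):
        self._pending = {}  # RelayState token -> return path, for flows this SP started

    def start_login(self, idp_sso_url, saml_request_b64, return_path):
        """SP-initiated: attach an opaque RelayState token to the redirect URL."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = return_path
        query = urlencode({"SAMLRequest": saml_request_b64, "RelayState": token})
        return f"{idp_sso_url}?{query}"

    def finish_login(self, idp_entity_id, in_response_to, relay_state):
        """Called at the ACS endpoint; returns the local path to send the user to.

        in_response_to is the response's InResponseTo value, or None when the
        response is unsolicited (IdP-initiated).
        """
        if not relay_state or len(relay_state.encode()) > MAX_RELAYSTATE_BYTES:
            return DEFAULT_LANDING
        if in_response_to is not None:
            # SP-initiated: the IdP echoed our own token back; accept it once only.
            return self._pending.pop(relay_state, DEFAULT_LANDING)
        # IdP-initiated: the value has meaning only by prior agreement with this IdP.
        return AGREED_TARGETS.get(idp_entity_id, {}).get(relay_state, DEFAULT_LANDING)

def idp_echo(redirect_url):
    """Stand-in for the IdP's required behaviour: return RelayState unchanged."""
    return parse_qs(urlsplit(redirect_url).query)["RelayState"][0]
```

Because RelayState is only ever used as a lookup key, a value the SP does not recognise falls back to the default page instead of being followed as a URL.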

