IDP Initiated SSO + RelayState

Nate Klingenstein ndk at
Fri Aug 21 04:05:29 UTC 2020


Presuming you're using the POST binding, RelayState is a separate input element in the form (alongside the Response) that is sent from the IdP to the SP which designates the page the user is supposed to land on after processing of the assertion is complete.  It's conveyed in other ways with other bindings, but does functionally the same thing.

This first hop is normally handled automatically with SP-initiated SSO (as the SP sends along what the RelayState should be in the AuthnRequest).

For IdP-initiated SSO, you can add a RelayState through the "target" parameter with the Unsolicited SSO endpoint:

I assume that you're hosting multiple links to multiple target pages behind the vendor's SP.  All navigation subsequent to the SAML transaction should be obviously happening within the vendor's site, so your IdP isn't involved in that at all.

So, there's nothing to "turn on", as this is default behavior.  You probably just need to add target parameters to that bunch of links.

Hope this helps,

Signet, Inc.
The Art of Access ®

-----Original message-----
> From: Joshua Brodie
> Sent: Thursday, August 20 2020, 9:29 pm
> To: users
> Subject: IDP Initiated SSO + RelayState
> We have an IDP-initiated SSO to a cloud service provider.
> The vendor is saying that we have to enable RelayState on the IDP in order to allow linking to specific pages in the application (currently users, after clicking on a link and entering their account/password, end up in the application's home page - not the linked page).
> Any ideas what the vendor is talking about? I have never come across this.
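
The links and the POST-binding form described in the reply above, as an added example that is not part of the original thread. The endpoint path and the providerId parameter follow the Shibboleth IdP's documented Unsolicited SSO request and are assumptions here, as are all hostnames, the entityID and the sample form.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed Unsolicited SSO path on a Shibboleth IdP; host and entityID are placeholders.
IDP_UNSOLICITED = "https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO"
SP_ENTITY_ID = "https://sp.vendor.example/saml/metadata"
# Constructed landing page that carries its own query string.
SAMPLE_PAGE = "https://sp.vendor.example/reports?id=42&tab=summary"


def deep_link(target: str) -> str:
    """Build an IdP-initiated link whose 'target' is handed to the SP as RelayState."""
    # urlencode() percent-encodes the target, so a landing URL with its own
    # '?' and '&' is not split into extra parameters of the IdP request.
    return IDP_UNSOLICITED + "?" + urlencode({"providerId": SP_ENTITY_ID, "target": target})


def target_seen_by_idp(link: str) -> str:
    """Parse the link the way a server would and return the 'target' value."""
    return parse_qs(urlsplit(link).query)["target"][0]


class PostBindingForm(HTMLParser):
    """Collect the named input fields of the auto-submitted POST-binding form."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def form_fields(html: str) -> dict:
    parser = PostBindingForm()
    parser.feed(html)
    return parser.fields


# Constructed sample of the form the IdP returns to the browser (Response is a stub).
SAMPLE_FORM = """
<form method="post" action="https://sp.vendor.example/saml/acs">
  <input type="hidden" name="RelayState" value="https://sp.vendor.example/reports?id=42&amp;tab=summary"/>
  <input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLz4="/>
</form>
"""

if __name__ == "__main__":
    print(deep_link(SAMPLE_PAGE))
    print(form_fields(SAMPLE_FORM)["RelayState"])
```

If the target is appended without encoding, the IdP only sees the landing URL up to its first '&', so the user lands on the wrong page even though RelayState is being passed.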
