IDP Initiated SSO + RelayState
Joshua Brodie
josbrodie at gmail.com
Fri Aug 21 14:42:52 UTC 2020
Thank you Nate!
I am sorry, I am not sure where to add the 'target' parameter. Is it added
to the metadata or relying-party?
<EntityDescriptor entityID="https://example.com/saml.digest"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.com/saml.digest" />
  </SPSSODescriptor>
</EntityDescriptor>
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://example.com/saml.digest">
  <property name="profileConfigurations">
    <list>
      <bean parent="SAML2.SSO"
          p:encryptAssertions="false"
          p:includeAttributeStatement="true"
          p:signResponses="false"
          p:signAssertions="true"
          p:nameIDFormatPrecedence="#{{'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'}}" />
      <ref bean="SAML2.Logout" />
    </list>
  </property>
</bean>
On Thu, 20 Aug 2020 at 21:05, Nate Klingenstein <ndk at signet.id> wrote:
> Joshua,
>
> Presuming you're using the POST binding, RelayState is a separate input
> element in the form (alongside the Response) that is sent from the IdP to
> the SP which designates the page the user is supposed to land on after
> processing of the assertion is complete. It's conveyed in other ways with
> other bindings, but does functionally the same thing.
>
> This first hop is normally handled automatically with SP-initiated SSO (as
> the SP sends along what the RelayState should be in the AuthnRequest).
>
> For IdP-initiated SSO, you can add a RelayState through the "target"
> parameter with the Unsolicited SSO endpoint:
>
>
> https://wiki.shibboleth.net/confluence/display/IDP4/UnsolicitedSSOConfiguration
>
> I assume that you're hosting multiple links to multiple target pages
> behind the vendor's SP. All navigation subsequent to the SAML transaction
> should be obviously happening within the vendor's site, so your IdP isn't
> involved in that at all.
>
> So, there's nothing to "turn on", as this is default behavior. You
> probably just need to add target parameters to that bunch of links.
>
> Hope this helps,
> Nate.
>
> --------
> Signet, Inc.
> The Art of Access ®
>
> https://www.signet.id
>
>
>
> -----Original message-----
> > From: Joshua Brodie
> > Sent: Thursday, August 20 2020, 9:29 pm
> > To: users
> > Subject: IDP Initiated SSO + RelayState
> >
> >
> >
> > We have an IDP-initiated SSO to a cloud service provider.
> >
> > The vendor is saying that we have to enable RelayState on the IDP in
> order to allow linking to specific pages in the application (currently
> users after clicking on link, entering their account/password, end up in
> the applications home page - not the linked page).
> >
> > Any ideas what the vendor is talking about? I have never come across
> this.
> >
> > --
> >
> > For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> >
> > To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
> >
> >
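The IdP-initiated link with a target parameter that Nate describes above, and the SP-side handling of the RelayState it produces, as an added example that is not from this thread or from Shibboleth's own code. The IdP hostname is hypothetical; the SP entityID is the one from the metadata posted above, and providerId/target are the query parameters of the IdP's SAML2 Unsolicited SSO endpoint.

```python
# Added example (not from the thread or from Shibboleth): builds the
# IdP-initiated link Nate describes and validates the RelayState the SP gets.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed: the IdP hostname is hypothetical; the SP entityID is the one from
# the metadata posted above. providerId and target are the query parameters
# of the IdP's SAML2 Unsolicited SSO endpoint.
IDP_UNSOLICITED_SSO = "https://idp.example.edu/idp/profile/SAML2/Unsolicited/SSO"
SP_ENTITY_ID = "https://example.com/saml.digest"
SP_ORIGIN = ("https", "example.com")  # scheme and host the SP answers on


def idp_initiated_link(target_url: str) -> str:
    """Build the link to put behind one portal entry for a deep link.

    providerId selects the SP by entityID; target becomes the RelayState that
    the IdP posts to the ACS alongside the SAMLResponse form field.
    """
    return IDP_UNSOLICITED_SSO + "?" + urlencode(
        {"providerId": SP_ENTITY_ID, "target": target_url})


def relaystate_from_link(link: str) -> str:
    """The RelayState value the SP will receive for a link built above."""
    return parse_qs(urlsplit(link).query)["target"][0]


def safe_landing_page(relay_state: str, default: str = "/") -> str:
    """SP side: honour RelayState only if it stays on the SP's own origin.

    Anyone can mint the IdP link with any target, so an SP that redirects to
    RelayState unchecked is an open redirector. Same-origin absolute URLs are
    reduced to a local path; local paths pass; everything else falls back.
    """
    if not relay_state:
        return default
    parts = urlsplit(relay_state)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a single-slash absolute path with no
        # backslashes, which some browsers treat like a second slash.
        ok = relay_state.startswith("/") and not relay_state.startswith("//")
        return relay_state if ok and "\\" not in relay_state else default
    if (parts.scheme, parts.netloc.lower()) != SP_ORIGIN:
        return default
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
```

Each link in the portal gets its own target, and the vendor's ACS is expected to apply something like safe_landing_page before redirecting the browser.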