Zoho Help SP claims no metadata

Cantor, Scott cantor.2 at osu.edu
Tue Jun 16 23:10:37 UTC 2020

The metadata belonging to the SP is invariant with respect to where SSO begins. There is nothing about the IdP in an SP's metadata regardless, and the SP's metadata would look essentially identical whether it supported requests or not.

IdP initiated SSO is nothing more than a proprietary URL to tell the IdP to generate a response targeted to an SP. It's an unsigned request with limited features. There's nothing about it that involves metadata that isn't necessary in a normal case, which is, I guess, a good thing.

RelayState is another matter. There should never be RelayState unless it comes from an SP and when it's imposed in such a case, the SP is doubly broken by forcing its local requirements on the IdP without simply implementing the standard to begin with. If they want RelayState, then they should issue requests containing it.

Like most incorrect ways of using SAML, it's still supported; a target parameter to the IdP will produce a RelayState value matching it.

-- Scott
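As an added illustration of the RelayState point above (example code, not part of the original post or of any Shibboleth component): the SP mints its own opaque RelayState when it issues an AuthnRequest, and anything else arriving in RelayState, such as the value an IdP copies from a `target` parameter in the unsolicited-SSO flow, is treated as untrusted input that may only name a local path. The unsolicited endpoint path and the `providerId`/`target` parameter names are assumed here to match the Shibboleth IdP's conventions; the SP URLs are constructed sample values.

```python
"""Two sources of RelayState at an SP, and how an SP can tell them apart.

1. SP-initiated: the SP issues an opaque token, remembers what it stands for,
   and the IdP echoes it back unchanged in the response.
2. IdP-initiated (unsolicited): the SP issued nothing; the IdP fills RelayState
   from a 'target' query parameter on its unsolicited-SSO URL.

Added example; not code from the original post or from the Shibboleth project.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed to follow the Shibboleth IdP unsolicited-SSO endpoint and parameter
# names; adjust for a different IdP implementation.
IDP_UNSOLICITED_SSO = "https://idp.example.org/idp/profile/SAML2/Unsolicited/SSO"


def build_unsolicited_sso_url(sp_entity_id, target=None):
    """IdP-initiated SSO is just a URL naming the SP (and optionally a target)."""
    params = {"providerId": sp_entity_id}
    if target is not None:
        params["target"] = target
    return IDP_UNSOLICITED_SSO + "?" + urlencode(params)


def idp_relay_state_from_query(query_string):
    """What the IdP does with the URL: the 'target' value becomes RelayState."""
    values = parse_qs(query_string).get("target", [])
    return values[0] if values else None


def is_local_path(value):
    """Accept only a same-site absolute path: no scheme, no host, no '//' or
    backslash prefixes that a browser might treat as a new authority."""
    parts = urlsplit(value)
    return (
        value.startswith("/")
        and not value.startswith("//")
        and "\\" not in value
        and not parts.scheme
        and not parts.netloc
    )


class SpRelayStateStore:
    """SP side: RelayState the SP issued is authoritative; anything else is not."""

    def __init__(self):
        # token -> destination the SP intended before it sent the AuthnRequest
        self._pending = {}

    def issue(self, destination):
        """Mint an opaque RelayState for an SP-initiated AuthnRequest."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = destination
        return token

    def resolve(self, relay_state, fallback="/"):
        """Return (destination, source) for the RelayState in a response.

        source is 'sp-issued' for a token this SP minted (consumed on use),
        'unsolicited' for a foreign value that is at least a local path,
        and 'rejected' for anything else (falls back to a safe default).
        """
        destination = self._pending.pop(relay_state, None)
        if destination is not None:
            return destination, "sp-issued"
        if relay_state and is_local_path(relay_state):
            return relay_state, "unsolicited"
        return fallback, "rejected"


if __name__ == "__main__":
    store = SpRelayStateStore()
    tok = store.issue("/app/reports")
    print("SP-initiated:", store.resolve(tok))

    url = build_unsolicited_sso_url("https://sp.example.org/shibboleth", "/dashboard")
    print("IdP-initiated URL:", url)
    rs = idp_relay_state_from_query(urlsplit(url).query)
    print("IdP-initiated:", store.resolve(rs))
    print("Foreign absolute URL:", store.resolve("https://other.example/x"))
```

The IdP-initiated path never gives the SP a RelayState it recognises, which is why the SP has to fall back to a local-path rule instead of trusting the value; issuing the request itself, as the post recommends, is what makes the lookup branch possible.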
