ReceiveSSO RelayState

Hi all,

We are looking to implement the usage of RelayState in our IdP-initiated SSO logins. I see that the ReceiveSSO method has an out parameter for relaystate. I’m wondering what the expectations are for the SAML request on how relaystate is included.
Is it expected to be included as a query parameter on the Destination attribute for the response node in the XML, or is it expected to be included as a separate attribute/node?

Thanks

The mechanism for sending relay state is dependent on the transport binding being used. For HTTP-Redirect the relay state is a query string parameter. For HTTP-Post the relay state is post data. The relay state is separate from the SAML message and is not part of its XML. You don’t need to worry about these details. Our API handles all of this.

The following outlines relay state included when using HTTP-Redirect.


https://localhost:44390/SAML/SSOService.aspx?SAMLRequest=fZLN…&RelayState=%2F



The following outlines relay state included when using HTTP-Post. This is the post data included with the HTTP Post.


SAMLResponse=PHNh…&RelayState=%2F



Thanks for the response.

We are using HTTP Post. Just to confirm, the relaystate would not be encoded with the SSO certificate, but is expected to be sent over in plaintext (but URL-encoded).

Edit: I think I misinterpreted your response. The relaystate is meant to be a separate HTTP form key/value pair, not part of the SAMLResponse value. Is that correct?

That’s correct. Relay state is a separate form variable. If you look at the HTTP post data sent to the SP there’s the SAMLResponse variable and a separate RelayState variable. Both are URL-encoded.
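
The HTTP-Post layout confirmed above, as an added example (not ComponentSpace code and not written by anyone in this thread): because RelayState is a separate form field, it sits outside the SAML message and any XML signature on it, so the receiving side should treat it as untrusted input before redirecting to it. The sample XML, the function names and the local-path policy are assumptions for illustration; the 80-byte limit is from the SAML 2.0 bindings specification.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed sample: a minimal, unsigned stand-in for a SAML response.
SAMPLE_XML = (b'<samlp:Response '
              b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_constructed"/>')


def build_post_body(xml: bytes, relay_state: str) -> str:
    """Form data as posted to the SP: two independent, URL-encoded fields."""
    return urlencode({
        "SAMLResponse": base64.b64encode(xml).decode("ascii"),
        "RelayState": relay_state,
    })


def split_post_body(body: str):
    """Return (decoded SAML XML, RelayState or None) from the POST data."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if len(fields.get("SAMLResponse", [])) != 1:
        raise ValueError("expected exactly one SAMLResponse field")
    relay = fields.get("RelayState", [])
    if len(relay) > 1:
        raise ValueError("duplicate RelayState field")
    xml = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    return xml, (relay[0] if relay else None)


def safe_relay_target(relay_state, default="/"):
    """Accept RelayState only as a same-site path; otherwise use default.

    Hypothetical policy: the value must be a local path. It is not covered
    by the signature on the SAML message, so it is validated on its own.
    """
    if not relay_state or len(relay_state.encode("utf-8")) > 80:
        return default  # missing, or over the 80-byte limit in the spec
    if any(ord(c) < 0x20 or c == "\\" for c in relay_state):
        return default  # control characters or backslashes
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return default  # absolute or scheme-relative URL
    return relay_state


if __name__ == "__main__":
    xml, relay = split_post_body(build_post_body(SAMPLE_XML, "/"))
    print(xml.decode(), "->", safe_relay_target(relay))
```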