What does the SAML 2.0 RelayState URL function do?

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • Version Affected:  [9.2+]


    When setting up a SAML integration, SAML 2.0 RelayState URL is an option for use as the Authenticated User Redirect. Here are details on what the functionality of this redirect does:

    SAML 2.0 RelayState URL (SecureAuth IdP - Post Authentication tab)

    By definition, RelayState is an identifier for the resource at the SP that the IDP will redirect the user to (after successful login). it redirects to the URL the IdP receives via the "ReturnURL" parameter sent through the query string.

    Most of the Service Provider applications send over the RelayState URL info within the SAML AuthnRequest during redirection to SecureAuth and grabbing this URL, SecureAuth sends the user back to this URL once the user is authenticated successfully.

    In the AuthnRequest from SP, the RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection. The original meaning of RelayState is that the SP can send some value to the IDP together with the AuthnRequest and then get it back. The SP can put whatever value it wants in the RelayState and the IDP should just echo it back in the response.

    There is also another, de facto standard used for RelayState when using IdP-initiated log on. In that case there is no incoming request from the SP, so there can be no state to be relayed back. Instead the RelayState is used by the IdP to signal to the SP what URL the SP should redirect to after successful sign on.


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.