SecureAuth version affected: All
Description:
A dynamic relay state is desired, so no target state is declared in the SAML assertion. As a result, the relay state parameter does not appear in any trace, or the routing does not properly redirect the site to the intended URL path.
Cause:
This happens because the relay state generally comes from the service provider (SP): typically the SAML assertions come from the SP, which then provides the relay state, whether it is dynamic or static.
Resolution:
For IdP-initiated relay states, you can reference the relay state properly by declaring it in the URL with "Target=".
- To ensure the setup is good for an IdP-initiated request, check that their target URL is blank.
- The URL they are typing in is as follows:
https://secureauth.xxxx.com/secureauthxxx/?SPID=https://sso2.qwikcast.tv&RelayState=Https://www.google.com.
- In this example, they are pushing their dynamic relay state in the URL. The Fiddler trace picks up the test relay state that we put in.
As we drop down further along the trace, we can see the relay state is wiped blank.
- To keep the relay state constant throughout the IdP-initiated SAML assertion, use the parameter "Target" instead of RelayState. This is how the URL should look:
https://secureauth.xxxxx.com/secureauthxxx/?SPID=https://sso2.qwikcast.tv&Target=Https://www.google.com
- With the parameter changed to Target, the relay state is kept and the request is properly redirected to the dynamic target URL.
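The RelayState-to-Target change above can be scripted for existing launch links. The following is an added example, not SecureAuth code: the function names are hypothetical, the `app.example.com` target is constructed, and it assumes the realm URL-decodes query-string values in the standard way. It also percent-encodes `?`, `&` and `=` inside the target so a landing page with its own query string reaches the realm as one value.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Keep ':' and '/' literal so simple links look like the ones in the article;
# '?', '&', '=' and '#' inside a value are still percent-encoded.
_SAFE = ":/"


def build_idp_initiated_url(realm_url: str, spid: str, target: str) -> str:
    """Build an IdP-initiated launch link that carries the landing page in Target."""
    parts = urlsplit(realm_url)
    query = urlencode([("SPID", spid), ("Target", target)], safe=_SAFE)
    return urlunsplit(parts._replace(query=query, fragment=""))


def relaystate_to_target(url: str) -> str:
    """Rename a RelayState query parameter to Target in an existing launch link."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name.lower() for name, _ in pairs]
    if "relaystate" not in names:
        return url  # nothing to fix
    if "target" in names:
        # Ambiguous link: refuse to guess which value should win.
        raise ValueError("link carries both RelayState and Target; fix it by hand")
    renamed = [("Target" if n.lower() == "relaystate" else n, v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(renamed, safe=_SAFE)))


if __name__ == "__main__":
    # The article's own (redacted) failing link, without the trailing full stop.
    old = ("https://secureauth.xxxx.com/secureauthxxx/"
           "?SPID=https://sso2.qwikcast.tv&RelayState=Https://www.google.com")
    print(relaystate_to_target(old))
    # Constructed target that has its own query string.
    print(build_idp_initiated_url(
        "https://secureauth.xxxx.com/secureauthxxx/",
        "https://sso2.qwikcast.tv",
        "https://app.example.com/home?tab=reports&id=7"))
```

A link whose unencoded RelayState value already contains `&` cannot be repaired reliably, because the tail has already been split off as a separate parameter; rebuild such links with `build_idp_initiated_url`.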