Question on RelayState

Article ID: 141295

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

We have a SAML partnership requirement where the SP will initiate the SSO URL and will send the IDP (SiteMinder) a storeID value in RelayState.

SiteMinder is expected to consume the RelayState value and pass the same value back in the URL to the SP ACS URL while posting the assertion.

Example:

SP-initiated URL: https://apps.demo.com/&RelayState=storeID=1234

This will redirect to the IDP (SiteMinder), which will authenticate the user and post the SAML assertion to the SP ACS URL, where the SP needs storeID=1234 to be passed in the URL as RelayState.

Could you please confirm if SiteMinder can do this out of the box?

Environment

Release: ALL

Component: SITEMINDER FEDERATION SECURITY SERVICES

Resolution

A SiteMinder IDP will preserve any RelayState value passed to it from the SP. However, when the POST profile is used for assertions, the RelayState value is passed as part of the POST data. There is no out-of-the-box way to include this value in the URL query string.

Additional Information

When an SP includes a RelayState value in the query string as part of an AuthnRequest (SP-initiated request), the RelayState value must be URL-encoded. This ensures the value is not lost or altered during potential redirects for authentication at the IDP.
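
The following is an added example, not code from this article or from the product. It shows why the RelayState value must be URL-encoded in the SP-initiated request, and how an SP's ACS handler reads the value from the POST data rather than the query string. The IdP endpoint, the placeholder SAML messages, the second RelayState parameter and the storeID allow-list pattern are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_SSO_URL = "https://idp.example.com/sso"  # hypothetical IdP endpoint
SAML_REQUEST = "PLACEHOLDER"                 # stands in for the encoded AuthnRequest
MAX_RELAY_STATE_BYTES = 80                   # limit set by the SAML 2.0 bindings spec


def build_redirect(relay_state):
    """SP side: put RelayState in the query string, URL-encoded."""
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        raise ValueError("RelayState exceeds 80 bytes")
    query = urlencode({"SAMLRequest": SAML_REQUEST, "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def relay_state_seen_by_idp(url):
    """What a receiver parsing the query string recovers as RelayState."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("RelayState", [None])[0]


def relay_state_at_acs(post_body, pattern=r"storeID=\d{1,10}"):
    """SP ACS side: read RelayState from the POST form data, not the URL.

    The pattern is a hypothetical allow-list for this SP's storeID format.
    """
    form = parse_qs(post_body, keep_blank_values=True)
    values = form.get("RelayState", [])
    if len(values) != 1 or not re.fullmatch(pattern, values[0]):
        raise ValueError("missing, duplicated or unexpected RelayState")
    return values[0]


if __name__ == "__main__":
    value = "storeID=1234&region=eu"  # constructed: contains '=' and '&'
    raw = f"{IDP_SSO_URL}?SAMLRequest={SAML_REQUEST}&RelayState={value}"
    print(relay_state_seen_by_idp(raw))                    # cut off at the '&'
    print(relay_state_seen_by_idp(build_redirect(value)))  # intact
    # Constructed POST-binding body as the browser would submit it to the ACS
    body = urlencode({"SAMLResponse": "PLACEHOLDER", "RelayState": "storeID=1234"})
    print(relay_state_at_acs(body))
```

Because the IdP echoes back whatever RelayState it received, the ACS handler treats the value as untrusted input and checks it against the expected format before using it.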