Federation IDP initiated link configuration with RelayState

Article ID: 225731

Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction


When running the AdminUI and configuring a Partnership, what should the
RelayState value be in an IdP-initiated journey?

  The IDP initiate link : https://myidp.myidpdomain.com/affwebservices/public/saml2sso?SPID=sso/saml/aladdin/cli
  IDP entity id         : myIdp
  IDP Base URL          : https://myidp.myidpdomain.com

The value to enter in the RelayState field is:

  {{1}{https://myapp.mysp.com/myApp}{2}}

 

Resolution

 

The RelayState value is the URL the browser should be sent to in order to
reach the application at the SP side. In the sample given in the
documentation (1), this is

   http://www.spdemo.com/apps/app.jsp

and its URL-encoded value is:

   http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp

Now, the RelayState value should be:

   {{1}{https://myapp.mysp.com/myApp}{2}}


So the URL-encoded value will be:

   %7B%7B1%7D%7Bhttps%3A%2F%2Fmyapp.mysp.com%2FmyApp%7D%7B2%7D%7D

Note that the length of the RelayState should be less than 80
characters (2).

The ProviderID parameter should be the IdP entity name, which could be
a URL, depending on how the ProviderID entity ID is defined in the SP
configuration.
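The encoding and length rule described above, worked through in code. This is an added example, not part of the article or of the SiteMinder product: it reproduces the article's `{{1}{...}{2}}` wrapper and encoded values, enforces the 80-byte OASIS limit, and adds an SP-side decode that only accepts a target on the SP's own host (`SP_HOST` is assumed from the article's application URL).

```python
from urllib.parse import quote, unquote, urlsplit

# Sample values taken from the article's own example configuration.
IDP_BASE_URL = "https://myidp.myidpdomain.com"
SPID = "sso/saml/aladdin/cli"
APP_URL = "https://myapp.mysp.com/myApp"
SP_HOST = "myapp.mysp.com"  # assumed: host of the SP application in the article
RELAYSTATE_MAX_BYTES = 80   # OASIS SAML 2.0 bindings limit, see note (2)
WRAP_PREFIX, WRAP_SUFFIX = "{{1}{", "}{2}}"


def wrap_relaystate(app_url: str) -> str:
    """Build the {{1}{<url>}{2}} RelayState string the article uses."""
    return WRAP_PREFIX + app_url + WRAP_SUFFIX


def encode_relaystate(relaystate: str) -> str:
    """Percent-encode every reserved character (safe='' also encodes ':' and '/')."""
    return quote(relaystate, safe="")


def relaystate_fits(relaystate: str) -> bool:
    """True when the raw RelayState is within the 80-byte OASIS limit."""
    return len(relaystate.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def build_idp_initiated_link(idp_base_url: str, spid: str, app_url: str) -> str:
    """IdP side: assemble the IdP-initiated SSO link with the encoded RelayState.
    SPID is left unencoded to mirror the article's link; RelayState is encoded."""
    relaystate = wrap_relaystate(app_url)
    if not relaystate_fits(relaystate):
        raise ValueError(f"RelayState is {len(relaystate.encode())} bytes, "
                         f"limit is {RELAYSTATE_MAX_BYTES}")
    return (f"{idp_base_url}/affwebservices/public/saml2sso"
            f"?SPID={spid}&RelayState={encode_relaystate(relaystate)}")


def target_from_relaystate(encoded: str, sp_host: str = SP_HOST) -> str:
    """SP side: decode the RelayState and return the application URL inside it.
    Accepts only a wrapped https URL on the SP's own host, since the article
    defines RelayState as the target resource at the Service Provider."""
    raw = unquote(encoded)
    if not (raw.startswith(WRAP_PREFIX) and raw.endswith(WRAP_SUFFIX)):
        raise ValueError("RelayState is not in the expected {{1}{...}{2}} form")
    target = raw[len(WRAP_PREFIX):-len(WRAP_SUFFIX)]
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname != sp_host:
        raise ValueError(f"RelayState target {target!r} is not on the SP host")
    return target
```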

 

Additional Information

 

(1)

    Unsolicited Response Query Parameters that the IdP Uses

      RelayState

      Indicates the URL of the target resource at the Service
      Provider. The RelayState value should be URL-encoded.  By including
      this query parameter, it tells the IdP to redirect the user the
      appropriate resource at the Service Provider. This query parameter
      can be used in place of specifying a target URL when configuring
      single sign-on. The RelayState query parameter name is
      case-sensitive, and the value must be URL-encoded.

      Example:

      http://ca.sp.com:90/affwebservices/public/saml2authnrequest?ProviderID=http%3A%2F%2Ffedsrv.acme.com%2Fsmidp2for90&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/initiate-single-sign-on-from-the-idp-or-sp.html

(2)

    Warning: Length of Relay state URL is greater than 80 characters.

      Siteminder doesn't set a maximum value for the RelayState value. Keep
      in mind that:

       - The OASIS specification specifies that the RelayState value should
         not exceed 80 bytes (1).

       - Some browsers or web servers might impose a limit on the length of
         the URL.

    https://knowledge.broadcom.com/external/article?articleId=22808