SSO - SAML, Redirect a user to a specified landing page after successful log in
Though it is not in the SAML specs, a de-facto standard is to use the RelayState
element for that. It is added as a parameter in the response in addition to the SAMLResponse
parameter and value of the landing
URL. Sample HTML page from http://en.wikipedia.org/wiki/SAML_2.0 for an IDP using the POST
binding for the response:
<form method="post" action="https://sp.example.com/SAML2/SSO/POST" ...>
<input type="hidden" name="SAMLResponse" value="<response>" />
<input type="hidden" name="RelayState" value="<url>" />
...
<input type="submit" value="Submit" />
</form>
Edit:
Just to be clear, the RelayState
parameter declaration is part of the specs and it is included to allow for passing arbitrary state between SP and IDP. Using it for passing a URL that defines the landing page is not defined in the spec but is de-facto standard usage. Any usage of RelayState
in IDP-init-SSO would depend on a pair-wise agreement between IDP and SP and this is just an agreement that makes sense, is useful and thus has been widely adopted.
user3391212
Updated on June 18, 2022Comments
-
user3391212 about 2 years
I am implementing SSO where I am the Identity Provider, right now I am able to successfully log into the Service Provider. But it takes me to the home page. I want to specify the landing page URL when I post the response. Have searched quite a lot but could not find anything convincing. Do not quite know which element of the SAML response carries the Landing page URL or is the in the form that I have to specify. Using java and opensaml libraries to generate the response.
-
user3391212 over 9 yearsIs it safe if I pass a non-encoded URL. The SP end gives me a "not found", guess they do not decode it at their end. But it works without encoding.
-
Hans Z. over 9 yearsSorry, I meant to say on the wire it is URL-encoded when passing it in the HTTP POST; by placing it verbatim in the HTML form, the browser will URL-encode it. So in the sample that I gave you would place the actual value in
<url>
. I will edit the text. -
Scott Heaberlin over 9 yearsNot to nit-pick, but
RelayState
is absolutely in the bindings specs for SAML 2.0 (i.e. it is stronger than a de-facto standard). The HTTP POST, HTTP Redirect, and HTTP Artifact bindings all include rules forRelayState
, though none require its use. -
Hans Z. over 9 years
RelayState
's name is standardized but it's value is not. -
Hans Z. over 9 yearsupdated the answer with info about that last comment