OASIS Mailing List Archives

saml-dev message


Subject: IdP initiated SSO and RelayState


Hi,

Reading the SAML bindings and the SAML core specs, I'm not really sure how RelayState should work when performing an IdP initiated SSO.

This is the part where I really get confused:
If an artifact that represents a SAML request is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the artifact into the corresponding RelayState parameter in the response.

Returning the SAML protocol response itself (since the spec is not talking about the artifact) is done using the SOAP binding and the Artifact Resolution protocol. The SOAP binding spec doesn't even mention the RelayState, and there is nothing relevant in the Artifact Resolution section of the SAML core spec either.

In case of IdP initiated SSO, I guess the RelayState concept is non-existent, because RelayState should/must be provided by the remote SP. Is there any standard way to make sure that the user is directed to a different URL once the SAML response was successfully processed by the Assertion Consumer Service endpoint when using the IdP initiated SSO flow?

Regards,
Peter
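
An added example, not part of the original message and not code from any SAML implementation: one way an SP's Assertion Consumer Service could choose the post-login redirect, checking the exact RelayState echo for a solicited response and treating RelayState on an unsolicited (IdP-initiated) response as an untrusted local path. The class, paths and allow-list are hypothetical, and carrying a target path in RelayState in the IdP-initiated case is an assumed convention agreed between IdP and SP.

```python
import secrets
from urllib.parse import urlsplit

DEFAULT_LANDING = "/home"                  # hypothetical SP default page
ALLOWED_PREFIXES = ("/app/", "/reports/")  # hypothetical paths agreed with the IdP
MAX_RELAYSTATE_BYTES = 80                  # size limit from the SAML 2.0 bindings spec


class RelayStateStore:
    """SP-side state: request ID -> (opaque RelayState token, return URL)."""

    def __init__(self):
        self._pending = {}

    def start_sso(self, request_id, return_url):
        # SP-initiated: send an opaque token, keep the real URL server-side.
        token = secrets.token_urlsafe(16)
        self._pending[request_id] = (token, return_url)
        return token

    def resolve(self, in_response_to, relay_state):
        """Return the redirect target after the response has been validated."""
        if in_response_to is not None:
            # Solicited response: RelayState must be the exact data we sent.
            # pop() makes each request ID single-use.
            token, return_url = self._pending.pop(in_response_to, (None, None))
            if token is None or relay_state is None:
                return DEFAULT_LANDING
            if not secrets.compare_digest(token.encode(), relay_state.encode()):
                return DEFAULT_LANDING
            return return_url
        # Unsolicited (IdP-initiated) response: the SP sent nothing, so the
        # value is untrusted input, honoured only as an allow-listed local path.
        return self._safe_local_path(relay_state)

    @staticmethod
    def _safe_local_path(value):
        if not value or len(value.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
            return DEFAULT_LANDING
        parts = urlsplit(value)
        # Reject absolute and scheme-relative URLs and backslash tricks.
        if parts.scheme or parts.netloc or "\\" in value:
            return DEFAULT_LANDING
        if not value.startswith(ALLOWED_PREFIXES) or ".." in value:
            return DEFAULT_LANDING
        return value
```

`resolve` is meant to run only after signature, audience and `InResponseTo` checks on the response have passed; it decides the redirect and nothing else.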

