OASIS Mailing List Archives

saml-dev message

Subject: Re: [saml-dev] IdP initiated SSO and RelayState

On 5/25/16, 9:06 AM, "Peter Major" <peter.major@forgerock.com> wrote:

>Reading the SAML bindings and the SAML core specs, I'm not really sure 
>how RelayState should work when performing an IdP initiated SSO.

It's unspecified. IdP-initiated SSO is a bad thing, and this is just one reason why.

>Is there any standard way to make sure that the user is directed to a 
>different URL once the SAML response was successfully processed by the 
>Assertion Consumer Service endpoint when using IdP initiated SSO flow?

Nope. The "standard" way is to use the URL as the RelayState, which violates the letter of the specification that limits the value to 80 bytes, and also assumes the SP will honor a URL in there, which is common but hardly required.

-- Scott
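
An added example, not part of the message above and not taken from any SAML implementation: one way an SP's Assertion Consumer Service could treat RelayState on an unsolicited response, reporting whether the value respects the 80-byte limit and honoring a URL only when the SP chooses to. The function name, the allowed-host set and the default landing path are assumptions.

```python
from urllib.parse import urlsplit

RELAYSTATE_MAX_BYTES = 80            # limit cited in the message above
ALLOWED_HOSTS = {"sp.example.org"}   # assumption: hosts this SP serves
DEFAULT_LANDING = "/"                # assumption: SP's fallback page


def resolve_relay_state(relay_state):
    """Return (redirect_target, within_spec_limit) for an unsolicited response.

    Call this only after the SAML response itself has been validated.
    within_spec_limit is False when the value exceeds 80 bytes, which is
    what happens in practice once full URLs are carried in RelayState.
    """
    if not relay_state:
        return DEFAULT_LANDING, True

    within_limit = len(relay_state.encode("utf-8")) <= RELAYSTATE_MAX_BYTES

    # Backslashes and control characters are normalized differently by
    # browsers than by urlsplit, so such values are never used as a target.
    if any(c == "\\" or ord(c) < 0x20 for c in relay_state):
        return DEFAULT_LANDING, within_limit

    try:
        parts = urlsplit(relay_state)
    except ValueError:               # e.g. malformed IPv6 literal
        return DEFAULT_LANDING, within_limit

    # Local path on the SP: no scheme, no host, exactly one leading slash.
    is_local = (not parts.scheme and not parts.netloc
                and relay_state.startswith("/")
                and not relay_state.startswith("//"))
    if is_local:
        return relay_state, within_limit

    # Absolute URL: honored only for HTTPS on a host the SP itself serves.
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return relay_state, within_limit

    # Opaque token or a URL for some other host: the SP is not required
    # to honor it, so the user lands on the default page.
    return DEFAULT_LANDING, within_limit
```

An SP that wants to enforce the limit strictly can reject the request whenever the second element is False instead of redirecting.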