relaystate


Tommy Peterson

Sep 23, 2016, 5:04:36 PM
to SimpleSAMLphp
I have one IdP and two separate SPs. The SPs authenticate against the IdP. Each SP has its own metadata that I have exchanged with the IdP. The problem is that if I log in on sp1 I get redirected back to sp1 after a successful authentication against the IdP; but if I log in from sp2 I get redirected back to sp1, not sp2, after a successful authentication against the IdP. The person who manages the AD (this is ADFS SSO) showed me screen captures where he has the RelayState set to the SP URI (which is the SP's URL). But it still doesn't work. I noticed that when I click on "log in" in either of the SPs and it redirects to the IdP, the URL shows a RelayState of sp1 (the one that both SPs get redirected back to). Any suggestions on how to make this work? I want to be redirected back to the SP I started from when I am successfully logged in by the IdP. I guess you would say that this is an IdP-initiated setup, as I don't log into an SP first. I get redirected to the IdP and then back to the SP to finish the login with a successful SAML session in place. Thanks.

Nate Klingenstein

Sep 23, 2016, 10:26:31 PM
to simple...@googlegroups.com
Tommy,

The SP signals to the IdP where it wants the user to return to using
the AssertionConsumerService. The RelayState is the end resource they
will access once their assertion has been processed.

There are 2 possibilities: SP 2 has SP 1's endpoints in their
metadata/ADFS configuration, or SP 2 is indicating in AuthnRequests
that it wants responses sent to SP 1. The latter is usually
prohibited for (good) security reasons, so it's probably the former.

Take care,
Nate.

Peter Schober

Sep 25, 2016, 5:43:08 PM
to SimpleSAMLphp
* Tommy Peterson <stpe...@gmail.com> [2016-09-23 23:04]:
> if I log in from sp2 I get redirected back to sp1, not sp2
[...]
> I guess you would say that this is an IdP-initiated setup as I don't
> log into an SP first. I get redirected to the IdP and then back to the SP
> to finish the login with a successful SAML session in place.

How and where exactly are you starting the login procedure, then?
Something sends a request to the IDP, at some point. And that request
can be standardized (a SAML 2.0 Authentication Request) or it can be
proprietary and implementation-specific (specific to MS-ADFS, here).
If those requests (whatever they are and however they're generated)
contain the wrong RelayState then that's where you'd need to look.

Next, you'll need to trace (easiest in the browser) all the HTTP
request and response headers for logins to SP2, at least. Does the IDP
send the SAML Response to SP2 but only the final redirect goes to SP1?
Or does the IDP send the SAML Response to SP1 to begin with?

-peter
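Decoding the SP's request as it leaves the browser, as Peter suggests, is the quickest way to tell whether SP2 is already asking for SP1: the two values Nate names, the AssertionConsumerService URL inside the AuthnRequest and the RelayState beside it, are both visible there. The script below is an added example, not code from this thread or from SimpleSAMLphp; it builds a constructed HTTP-Redirect binding URL with made-up endpoints (idp.example, sp1.example, sp2.example are assumptions) and then decodes such a URL to report where the SP is asking to be sent.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_redirect_url(idp_sso_url, issuer, acs_url, relay_state):
    """Constructed SP -> IdP HTTP-Redirect URL: a minimal AuthnRequest, raw
    DEFLATE + base64 + URL-encode, plus RelayState. Sample values, not real."""
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1"'
        ' Version="2.0" IssueInstant="2016-09-23T21:04:36Z"'
        f' AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )
    co = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
    deflated = co.compress(xml.encode()) + co.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def inspect_redirect_url(url):
    """Decode the SAMLRequest on an SP -> IdP redirect and pull out the ACS URL
    (where the SP asks for the Response) and RelayState (where the user lands)."""
    qs = parse_qs(urlparse(url).query)
    xml_bytes = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml_bytes)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }

def mismatches(report, sp_origin):
    """Fields that do not point at the SP the login started from. Non-empty for
    a login begun at SP2 means the request already names SP1 (an SP-side bug)."""
    return [k for k in ("acs_url", "relay_state")
            if not (report[k] or "").startswith(sp_origin)]

if __name__ == "__main__":
    url = build_redirect_url("https://idp.example/adfs/ls/", "https://sp2.example/sp",
                             "https://sp2.example/sp/acs", "https://sp2.example/app")
    print(inspect_redirect_url(url), mismatches(inspect_redirect_url(url), "https://sp1.example"))
```

Paste the real SAMLRequest URL captured from the browser into inspect_redirect_url to run the same check against a live login; if ACS or RelayState already names SP1 when starting from SP2, the IdP is only doing what it was asked.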