* Tommy Peterson <stpe...@gmail.com> [2016-09-23 23:04]:
> if I log in from sp2 I get redirected back to sp1, not sp2
[...]
> I guess you would say that this is an idp initiated set up as I don't
> log into a sp first. I get redirected to the idp and then back to sp
> to finish the login with a successful saml session in place.
How and where exactly are you starting the login procedure, then?
Something sends a request to the IDP, at some point. And that request
can be standardized (a SAML 2.0 Authentication Request) or it can be
proprietary and implementation-specific (specific to MS-ADFS, here).
If those requests (whatever they are and however they're generated)
contain the wrong RelayState then that's where you'd need to look.
Next, you'll need to trace (easiest in the browser) all the HTTP
request and response headers for logins to SP2, at least. Does the IDP
send the SAML response to SP2 but only the final redirect goes to SP1?
Or does the IDP send the SAML Response to SP1 to begin with?
-peter
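An added example (not code from this thread, nor from Shibboleth or ADFS) of the trace check Peter describes: take the SAMLRequest query string the browser sends to the IdP and the SAMLResponse form body the IdP posts back, decode both, and compare where SP2 asked to be sent back with where the IdP actually sent the Response, and whether the RelayState survived the round trip. The hostnames, entity IDs and message contents are constructed for the example; it only handles the standard SAML 2.0 Redirect and POST bindings, not ADFS's proprietary WS-Federation sign-in requests, and it decodes without verifying signatures, so it is a diagnostic aid, not a validator.

```python
"""Decode SAML 2.0 messages copied from a browser HTTP trace and check which SP they target."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed sample messages: SP2 asks for login, IdP answers to SP1 (the reported symptom).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
    'IssueInstant="2016-09-23T21:04:00Z" Destination="https://idp.example.test/adfs/ls/" '
    'AssertionConsumerServiceURL="https://sp2.example.test/Shibboleth.sso/SAML2/POST">'
    "<saml:Issuer>https://sp2.example.test/shibboleth</saml:Issuer></samlp:AuthnRequest>"
)
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp1" Version="2.0" '
    'IssueInstant="2016-09-23T21:04:05Z" InResponseTo="_req1" '
    'Destination="https://sp1.example.test/Shibboleth.sso/SAML2/POST">'
    "<saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>"
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-09-23T21:04:05Z">'
    "<saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>"
    "<saml:Conditions><saml:AudienceRestriction>"
    "<saml:Audience>https://sp1.example.test/shibboleth</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"
)


def encode_redirect_request(xml_bytes, relay_state):
    """Build the query string of an HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    return urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state})


def encode_post_response(xml_bytes, relay_state):
    """Build the form body of an HTTP-POST binding: plain base64 of the XML."""
    return urlencode({"SAMLResponse": base64.b64encode(xml_bytes).decode(), "RelayState": relay_state})


def _text(elem, path):
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def decode_redirect_request(query_string):
    """Inflate the SAMLRequest parameter and pull out the fields that decide routing."""
    params = parse_qs(query_string)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)
    return {
        "issuer": _text(root, "saml:Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": params.get("RelayState", [None])[0],
    }


def decode_post_response(form_body):
    """Base64-decode the SAMLResponse parameter; no signature check, decoding only."""
    params = parse_qs(form_body)
    root = ET.fromstring(base64.b64decode(params["SAMLResponse"][0]))
    return {
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "audience": _text(root, "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "relay_state": params.get("RelayState", [None])[0],
    }


def diagnose(request, response):
    """Explain where the flow went to the wrong SP; an empty list means the pair is consistent."""
    findings = []
    if request["acs_url"] and response["destination"] != request["acs_url"]:
        findings.append("IdP posted the Response to %s but the request asked for %s"
                        % (response["destination"], request["acs_url"]))
    if request["issuer"] and response["audience"] and response["audience"] != request["issuer"]:
        findings.append("Assertion audience %s is not the requesting SP %s"
                        % (response["audience"], request["issuer"]))
    if request["relay_state"] != response["relay_state"]:
        findings.append("RelayState changed in transit: sent %r, got back %r"
                        % (request["relay_state"], response["relay_state"]))
    return findings


# Constructed trace of the symptom: SP2 sends the request, the IdP replies to SP1.
SAMPLE_QUERY = encode_redirect_request(SAMPLE_AUTHN_REQUEST.encode(), "https://sp2.example.test/secure/")
SAMPLE_FORM = encode_post_response(SAMPLE_RESPONSE.encode(), "https://sp1.example.test/")

if __name__ == "__main__":
    for line in diagnose(decode_redirect_request(SAMPLE_QUERY), decode_post_response(SAMPLE_FORM)):
        print(line)
```

If the first finding fires (Response Destination is SP1 although SP2 asked), the IdP is choosing the relying party wrongly and the fix is on the IdP side; if only the RelayState finding fires, the IdP answered the right SP and the final redirect is being derived from a bad RelayState, which is what Peter's second question distinguishes.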