IdP Initiated SSO - SAML 2.0 - Redirect to RelayState Causes Error


averync

May 26, 2011, 10:42:29 AM
to google-app...@googlegroups.com
Hello,

I am using SAML 2 SSO to lsgfederationtest. SP-initiated SSO works fine. IdP-initiated almost works, but the redirect to the value in RelayState is 'weird' and the user ends up at a "service not available" page. At this point the user actually has a valid session, because a request to /a/lsgfederationtest shows the user's home page.

The value in the relaystate (as POSTed to a/lsgfederationtest.com/acs) looks like this:

   RelayState[https%253A%252F%252Fwww.google.com%252Fa%252Flsgfederationtest]
 
Result of POST to 'acs' is redirect to:  
&continue=https%3A%2F%2Fwww.google.com%2Fa%2Flsgfederationtest.com%2Fhttps%253A%252F%252Fwww.google.com%252Fa%252Flsgfederationtest

Result of this is redirect (302) to 


That causes redirect to : /a/cpanel/lsgfederationtest.com/Dashboard

That results in Service Not Available message.

My IdP is a widely deployed commercial product. I have IdP-initiated SSO working to quite a few other SPs.

What is 'wrong' with the RelayState for processing by G'Apps?

Thanks,   Avery



Claudio Cherubino

May 26, 2011, 10:47:13 AM
to google-app...@googlegroups.com
Hi Avery,

The short answer is that Google Apps doesn't actually support an IdP initiated model - if you were able to successfully use a hard coded relay state in the past, it's because we now transmit dynamically generated RelayState parameters during the SAML request, and expect to receive the same parameter back along with the corresponding SAML response.

Claudio



--
You received this message because you are subscribed to the Google Groups "SAML-based Single Sign On for Google Apps" group.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-saml...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-saml-sso?hl=en.

averync

May 26, 2011, 12:14:31 PM
to google-app...@googlegroups.com
Thanks Claudio, 

But it turns out that the "doubly encoded URL value in RelayState" is a bug in my IdP's software:

I have applied that fix and now the IdP-initiated SSO to G'Apps works fine, whether it's supported or not :-)

Avery
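As an added illustration (not code from this thread, from Google Apps, or from the IdP product), here is a Python check an SP could run on the RelayState form field before redirecting: it flags the extra percent-encoding round seen above, restricts the target to an allow-listed https host, and a second helper reconstructs the mangled `continue` URL the thread reports. The allow-list and the assumption that the ACS appends a non-absolute value to a base path are mine, not documented behaviour.

```python
from urllib.parse import unquote, urlsplit

# Constructed samples: RelayState form-field values as they appear in the POST body
# (form-urlencoded once by the browser, which is all the HTTP-POST binding expects).
RAW_OVER_ENCODED = "https%253A%252F%252Fwww.google.com%252Fa%252Flsgfederationtest"  # value from the thread
RAW_CONFORMANT = "https%3A%2F%2Fwww.google.com%2Fa%2Flsgfederationtest"

ALLOWED_HOSTS = {"www.google.com"}  # assumption: hosts the SP may redirect to after login


def decode_rounds(value, limit=4):
    """Return how many percent-decoding passes still change the value (0 = plain text)."""
    rounds = 0
    while rounds < limit and unquote(value) != value:
        value = unquote(value)
        rounds += 1
    return rounds


def check_relay_state(raw_form_value):
    """Validate a RelayState taken from the POST body. Returns (ok, reason, target_url)."""
    value = unquote(raw_form_value)  # the single decode that form encoding calls for
    extra = decode_rounds(value)
    if extra:
        # A conformant value is a plain URL after one decode; anything left over is
        # an IdP bug like the one in the thread, and would be appended as a path.
        return False, f"RelayState is percent-encoded {extra} time(s) too many", None
    if len(value.encode()) > 80:
        # SAML 2.0 Bindings: RelayState MUST NOT exceed 80 bytes.
        return False, "RelayState exceeds the 80-byte limit of the SAML 2.0 bindings", None
    parts = urlsplit(value)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        # Open-redirect guard: only absolute https URLs on known hosts are honoured.
        return False, "RelayState is not an absolute https URL on an allowed host", None
    return True, "ok", value


def naive_continue(raw_form_value, base="https://www.google.com/a/lsgfederationtest.com/"):
    """Reconstruct the symptom: an ACS that treats a still-encoded value as a relative path
    (assumed behaviour, chosen to reproduce the redirect target quoted in the thread)."""
    value = unquote(raw_form_value)
    return value if value.startswith("https://") else base + value
```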