IDP Initiated Login - Does the SP or IDP set the RelayState In Configuration?


rke...@gmail.com

Aug 28, 2018, 1:17:32 PM
to SimpleSAMLphp
Background Information

I'm working on an application that supports users from various companies. Since some companies have their own IDP, I have SimpleSAMLphp set up as an SP, and I have configured multiple IDPs in authsources.php.

I am currently supporting SP-Initiated logins, and set the ReturnTo to a script on my server which does some processing.  Let's call it receiver.php.  So after the user logs into their IDP, they are bumped to this script, and only then, into my application.

What I Want To Add

I want to support IDP initiated logins, as well.  In my SP's configuration, I have set RelayState in authsources.php which points to receiver.php, and things work as expected when using a test IDP (using SimpleSAMLphp).

My Question

Is it common for the SP to set the RelayState, or should this be set on the IDP? I'm a bit confused because some of the companies are asking what they should set the RelayState to, but I'm wondering if this is necessary if I can set it in my SP's configuration. They are not using SimpleSAMLphp.

Perhaps it doesn't matter who sets the RelayState? Or maybe it depends on the SAML implementation (SimpleSAML, PingIdentity, etc.)?

Any insight on this is greatly appreciated.

pat...@cirrusidentity.com

Aug 28, 2018, 2:29:37 PM
to SimpleSAMLphp
For SP initiated login the SP will set the relay state since it knows what the user is trying to do and where to return them to.

For IDP initiated login
* IDPs that allow you to set RelayState will only set the RelayState during IdP-initiated login. You don't need to worry about it interfering with any of the RelayState sent for SP-initiated login. Not all IDPs let you set a RelayState. IdPs support this feature since not all SPs have good landing pages for IDP-initiated login. This allows the IdP operator to control where the user ends up.

* SSP allows you to set a RelayState in authsources.php which is used internally (not sent to the IDP AFAIK) if the IdP does not provide a value during IDP-initiated login. The SSP default is to just send you to the root directory of the current web server. Setting this allows you to set a better default without having to contact your IdP operators to update their settings.

For your use case the IDP operators don't need to set a RelayState since you are already setting where you want a user to go for IDP-initiated login.

- Patrick
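To make the two pieces discussed in this thread concrete, here is how the SP-initiated ReturnTo and the authsources.php RelayState default for IdP-initiated login fit together in a SimpleSAMLphp SP. This is an added example, not code from the thread or from the SimpleSAMLphp project; the hostnames, install path, authsource names and IdP entityIDs are assumptions.

```php
<?php
// Added illustration; not from the thread or the SimpleSAMLphp project.
// Hostnames, the install path, authsource names and IdP entityIDs are assumptions.

// ---- config/authsources.php --------------------------------------------
// One saml:SP authsource per partner IdP, as the original poster has.
// 'RelayState' is the SP-side default landing page. It is consulted only for
// IdP-initiated SSO, and only when the IdP sent no RelayState of its own;
// without it the user lands on '/' of the SP web server. The IdP operators do
// not need to configure anything for this default to take effect.
$config = [
    'acme-sp' => [
        'saml:SP',
        'entityID'   => 'https://sp.example.com/acme',
        'idp'        => 'https://idp.acme.example/saml2/idp/metadata.php', // assumed
        'RelayState' => 'https://sp.example.com/receiver.php',
    ],
    'globex-sp' => [
        'saml:SP',
        'entityID'   => 'https://sp.example.com/globex',
        'idp'        => 'https://sso.globex.example/idp',                  // assumed
        'RelayState' => 'https://sp.example.com/receiver.php',
    ],
];

// ---- login.php (SP-initiated) -------------------------------------------
// Here the SP starts the flow and says where to come back to. SimpleSAMLphp
// keeps 'ReturnTo' in its own state store and sends only an opaque state ID
// as the SAML RelayState, which the IdP echoes back unchanged. This is why an
// IdP-side RelayState setting never collides with SP-initiated logins: the
// IdP only applies its configured value to flows it starts itself.
require_once '/var/simplesamlphp/lib/_autoload.php';   // path depends on install/version
$as = new \SimpleSAML\Auth\Simple('acme-sp');           // choose the authsource per company
$as->requireAuth([
    'ReturnTo' => 'https://sp.example.com/receiver.php',
]);
```

After either flow the user arrives at receiver.php with an authenticated SimpleSAMLphp session, so the processing script stays the same and only the way the user got there differs. One check worth doing: a RelayState that an IdP sends in an IdP-initiated (unsolicited) response is untrusted input to your SP, so confirm that your SimpleSAMLphp version restricts the redirect target to hosts you control (see the `trusted.url.domains` option in config.php) rather than following an arbitrary URL.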


