* Muhammad Anas <anast...@gmail.com> [2015-11-16 17:06]:
> Is it possible to include a Default RelayState in service provider
> metadata that we provide to remote IdPs?
There's nothing in SAML Metadata (see below for context), but you can
hard-code that in the SimpleSAMLphp SAML SP, cf. section 4:
https://simplesamlphp.org/docs/stable/saml:sp
> Which they can send as part of their IdP initiated SSO requests
> (more precisely, unsolicited responses).
You can send SAML2.0 authentication requests to the IDP (which a SAML
SP would usually do) which can contain a reference to a RelayState.
There is no such standard for proprietary, IDP-implementation specific
authentication requests (also called "IDP-initiated", but /something/
needs to send something to the IDP, to cause an "unsolicited"
response, which is a weird way of saying to send it a non-standard
request to make it send a standard response).
> Currently I have to manually enter it in a separate text field on most
> IdPs and I was wondering if there is some tag that we can include in
> our metadata with its value set to our RelayState URL.
The whole point (IMO) of RelayState is that it can be set
/dynamically/ by the SAML SP based on the specific resource the
subject wanted to access. So setting that to static values (on the IDP
or SP) will often already be pretty useless.
-peter
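Added example, not part of the original message and not SimpleSAMLphp code: a sketch of the difference the reply describes, with an SP that sets RelayState per request in the SAML 2.0 HTTP-Redirect binding and falls back to a static default only when a response arrives without a RelayState it issued. Assumptions: the URLs and sample AuthnRequest are constructed, the function names are hypothetical, and keeping the target server-side behind an opaque token is this example's design choice.

```python
import base64
import secrets
import zlib
from typing import Optional
from urllib.parse import urlencode

# Constructed values for illustration; none of them come from the thread.
IDP_SSO_URL = "https://idp.example.org/sso"
DEFAULT_RELAY_STATE = "https://sp.example.org/welcome"  # static fallback
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0" IssueInstant="2015-11-16T17:06:00Z"/>'
)

_pending = {}  # opaque RelayState token -> resource the user originally asked for


def build_redirect(authn_request_xml: str, requested_resource: str) -> str:
    """SP-initiated SSO: HTTP-Redirect URL carrying a per-request RelayState."""
    token = secrets.token_urlsafe(16)  # 22 chars, under the binding's 80-byte limit
    _pending[token] = requested_resource
    # Redirect binding encoding: raw DEFLATE (no zlib header), then base64;
    # urlencode() applies the final URL-encoding step.
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": token,
    })
    return f"{IDP_SSO_URL}?{query}"


def landing_url(relay_state: Optional[str]) -> str:
    """Where to send the user once the SAML response has been validated."""
    if relay_state is not None and relay_state in _pending:
        return _pending.pop(relay_state)  # solicited response: one-time lookup
    # Unsolicited response, or a RelayState this SP never issued: static default.
    return DEFAULT_RELAY_STATE


if __name__ == "__main__":
    url = build_redirect(SAMPLE_AUTHN_REQUEST, "https://sp.example.org/reports/42")
    print(url)
    token = url.rsplit("RelayState=", 1)[1]
    print(landing_url(token))  # the resource requested above
    print(landing_url(None))   # the static default
```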