Forum Discussion
APM doesn't use RelayState value sent in Request
I have trouble making RelayState work. I use APM as an IDP-initiated SP. I send RelayState with the assertion. The spec for sending RelayState to APM as a SP is unclear/absent, so I send it in the same way a RelayState is sent in a SP-initiated interaction (as x-www-form-urlencoded form data).
The guide (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/30.html) says:
Optional: In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html or a URI, such as https://www.abc.com/index.html.
It is where the service provider redirects users after they are successfully authenticated and have been allowed by the access policy.
When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.
The log seems to indicate that I send in RelayState correctly:
May 4 11:23:55 bigip-test debug apd[11857]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "parseQueryData()" line: 403 Msg: IdP Initiated: RelayState: https://myhost.no/some/path/i/provided/in/relaystate
However, I'm not redirected to the url provided in RelayState after successful SSO.
If I do not configure a default RelayState on the SP, SSO will fail. If I do configure a default RelayState on the SP, SSO will succeed and the default RelayState will be used.
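The mechanics the post relies on, as an added example that is not part of the thread and not F5 code: an IdP-initiated POST to the SP's ACS carries `SAMLResponse` and `RelayState` as x-www-form-urlencoded fields, and the SP should prefer the received `RelayState` over its configured default, as the quoted documentation describes. The example also adds the check a practitioner wants here: because `RelayState` arrives from outside in the IdP-initiated flow, the SP should only redirect to a value on its own host, otherwise a configured default gives you an open redirect. The XML payload, the host `myhost.no`, and the function names are my assumptions; signature validation of the assertion is out of scope.

```python
"""Added example (not from the thread or from F5): how an IdP-initiated SAML
POST carries RelayState, and how an SP should pick the landing URL.

Assumptions (mine, not the page's): the ACS parses an
application/x-www-form-urlencoded body; the XML is a constructed stub, not a
real signed assertion; signature validation is left out.
"""
import base64
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for a signed <samlp:Response>; real ones are signed XML.
FAKE_RESPONSE_XML = (
    b'<samlp:Response ID="_abc" '
    b'Destination="https://myhost.no/saml/sp/profile/post/acs"/>'
)


def build_idp_initiated_post(relay_state: Optional[str]) -> str:
    """Body of the auto-submitting form the IdP POSTs to the SP's ACS."""
    fields = {"SAMLResponse": base64.b64encode(FAKE_RESPONSE_XML).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def parse_acs_post(body: str) -> dict:
    """SP side: pull the assertion and the optional RelayState out of the body."""
    q = parse_qs(body, keep_blank_values=True)
    return {
        "response_xml": base64.b64decode(q["SAMLResponse"][0]),
        "relay_state": q.get("RelayState", [None])[0],
    }


def is_safe_relay_target(url: str, sp_host: str) -> bool:
    """RelayState is externally supplied in an IdP-initiated flow, so only
    accept a path on this SP or an https URL on the SP's own host."""
    if "\\" in url:  # browsers may treat "/\evil" as protocol-relative
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only value such as "hr/index.html" or "/hr/index.html";
        # urlsplit puts "//evil.example/x" into netloc, so it is rejected here.
        return True
    return parts.scheme == "https" and parts.netloc.lower() == sp_host.lower()


def choose_landing_url(received: Optional[str],
                       configured_default: Optional[str],
                       sp_host: str) -> Optional[str]:
    """The behaviour the F5 documentation describes: use the RelayState that
    came with the assertion if there is one, else the configured default.
    Returns None when neither is usable, i.e. the SSO has nowhere to land."""
    for candidate in (received, configured_default):
        if candidate and is_safe_relay_target(candidate, sp_host):
            return candidate
    return None


if __name__ == "__main__":
    body = build_idp_initiated_post(
        "https://myhost.no/some/path/i/provided/in/relaystate")
    parsed = parse_acs_post(body)
    print(choose_landing_url(parsed["relay_state"],
                             "https://myhost.no/default/path", "myhost.no"))
    print(choose_landing_url("https://evil.example/phish",
                             "https://myhost.no/default/path", "myhost.no"))
```

The same selection rule applies to the SP-initiated case in the thread: the value the SP put into its own AuthnRequest comes back in the POST and should win over the configured default, which only exists as a fallback when nothing was received.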
6 Replies
- Ingebrigt_Maurs
Nimbostratus
Also, if I set a default RelayState on the SP, this will break SP-initiated SSO.
I set default RelayState on the SP to https://myhost.no/default/path. As a client, I go to https://myhost.no/intended/path. As expected I get redirected to the IDP, authenticate, and then I am redirected back to the SP ACS with RelayState https://myhost.no/intended/path. But unfortunately I am sent to https://myhost.no/default/path. Correct behaviour would have been to be sent to my intended url https://myhost.no/intended/path.
- Ok, I am a little bit confused here, so need to clarify. Are you saying that APM is IDP and you are having issues with this config? If so, what is your SP? Is your goal to support both IDP and SP-initiated logons? The reason for my confusion is you continue to cite documentation about APM acting as SP and how it handles RelayState parameter - but to me, it sounds like you are using APM as an IDP - and that documentation portion does not apply then.
- Ingebrigt_Maurs
Nimbostratus
I use APM as SP. My goal is to support both IDP and SP initiated logons. It is IDP initiated that is causing me trouble. BUT, SP initiated is also acting strange if I set the 'RelayState' property of the SP configuration. If I as a client go to https://sp.no/intended/path I expected to end up there after SSO. But actually I end up at the URL specified by the RelayState property on the SP, if this is set. I'm unsure if this is a bug or a feature, but it certainly means I can't use the RelayState property. Because all clients using SP-initiated SSO will land on the URI specified in the RelayState property (and not on the landing URI they tried to reach).
- kunjan
Nimbostratus
Have you tried configuring https://myhost.no/intended/path as the RelayState on SP? What do you refer to as default RelayState?
- Ingebrigt_Maurs
Nimbostratus
Yes, I have tried configuring the RelayState on my SP. I have set this to https://myhost.no/default/path. It is this I refer to when I talk about 'default RelayState'.
From the doc it is clear this setting should work as a default value:
When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.
When I set RelayState on the SP, then this value is used. However, in my use case the intended path will vary per SSO request, so I need to override the 'default RelayState', or not use a 'default RelayState'.
- kunjan
Nimbostratus
Seems like bug with RelayState, possibly a known issue. Suggest to raise a support case to get the fix.