Ingebrigt_Maurs
May 04, 2015 Nimbostratus
APM doesn't use RelayState value sent in Request
I have trouble making RelayState work. I use APM as an IDP-initiated SP. I send RelayState with the assertion. The spec for sending RelayState to APM as an SP is unclear/absent, so I send it in the same way a RelayState is sent in an SP-initiated interaction (as x-www-form-urlencoded form data).
The guide (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/30.html) says:
Optional: In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html or a URI, such as https://www.abc.com/index.html.
It is where the service provider redirects users after they are successfully authenticated and have been allowed by the access policy.
When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.
The log seems to indicate that I send in RelayState correctly:
May 4 11:23:55 bigip-test debug apd[11857]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "parseQueryData()" line: 403 Msg: IdP Initiated: RelayState: https://myhost.no/some/path/i/provided/in/relaystate
However, I'm not redirected to the url provided in RelayState after successful SSO.
If I do not configure a default RelayState on the SP, SSO will fail. If I do configure a default RelayState on the SP, SSO will succeed and the default RelayState will be used.
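Added example, not part of the original post and not F5 code: a Python check of an HTTP-POST binding body of the kind described above, followed by the precedence rule quoted from the guide (IdP-supplied RelayState first, configured default otherwise). The function names, the `sp.example.test` host and the placeholder assertion bytes are assumptions; the 80-byte RelayState limit comes from the SAML 2.0 Bindings specification, and the code models the documented behaviour rather than what APM does internally.

```python
import base64
from urllib.parse import parse_qs, urlencode, urljoin

MAX_RELAYSTATE_BYTES = 80  # limit set by the SAML 2.0 Bindings specification


def inspect_post_body(body):
    """Parse an x-www-form-urlencoded POST-binding body; return (relay_state, problems)."""
    fields = parse_qs(body, keep_blank_values=True)
    problems = []
    for name in fields:
        # Field names are case-sensitive: "relaystate" is not "RelayState".
        if name not in ("SAMLResponse", "RelayState") and \
                name.lower() in ("samlresponse", "relaystate"):
            problems.append(f"field {name!r} has the wrong case")
    responses = fields.get("SAMLResponse", [])
    if len(responses) != 1:
        problems.append("expected exactly one SAMLResponse field")
    else:
        try:
            # A '+' that was not percent-encoded arrives as a space and fails here.
            base64.b64decode(responses[0], validate=True)
        except ValueError:
            problems.append("SAMLResponse is not valid base64")
    states = fields.get("RelayState", [])
    if len(states) > 1:
        problems.append("RelayState sent more than once")
    relay = states[0] if len(states) == 1 else None
    if relay and len(relay.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
        problems.append("RelayState exceeds 80 bytes")
    return relay, problems


def redirect_target(received, configured_default, sp_base):
    """Precedence from the quoted guide text: IdP-supplied value, else SP default."""
    chosen = received or configured_default
    # Assumption: a relative value such as hr/index.html resolves against the SP host.
    return urljoin(sp_base, chosen) if chosen else None


if __name__ == "__main__":
    # Constructed sample: placeholder assertion bytes plus the RelayState from the log line.
    body = urlencode({
        "SAMLResponse": base64.b64encode(b"<samlp:Response/>").decode(),
        "RelayState": "https://myhost.no/some/path/i/provided/in/relaystate",
    })
    relay, problems = inspect_post_body(body)
    print(relay, problems, redirect_target(relay, "hr/index.html", "https://sp.example.test/"))
```

Running the check against the body captured from the browser or IdP shows whether the field that reaches the SP is the one the log line reports.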