Dynamic "RelayState" for iDP initiated connections

Question

We use APM for idp initiated SAML assertion and have it working for a number of SaaS applications.
We have a new application that requires the "RelayState" to be set, so that users goto a specific location in the application.&nbsp;
The "RelayState" needs to be dynamic (changed based on a session variable)&nbsp;
We have tried editing the External SP connector and changing the RelayState to: %{session.custom.relaystate}, however the variale never gets inserted we just see the literal text in the SAML assertion.&nbsp;
Any ideas?&nbsp;

salim_83682 · Answer

Hi,&nbsp;
I don't believe that using a session variable for the RelayState field is currently supported.&nbsp;
I have done something similar in the past with APM as SP that may work for APM as IdP (at least it's worth testing). A "temporary" internal RelayState session variable gets created when the policy runs (if you debug your policy you can see it); in this particular case, it's always named: &nbsp;
saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState
You may be able to set your RelayState using a Variable assign in the VPE right before your Resource Assignment. In this case, you could match it with your session.custom.relaystate&nbsp;
If the variable doesn't work in the APM as IdP scenario, you can try to debug your policy and look into sessiondump and /var/log/apm outputs to see if you find another similar variable that you could use.&nbsp;
Otherwise, I suggest you open a case with F5 Support to request the feature to be added.&nbsp;
Let me know how it turns out.&nbsp;
Salim&nbsp;

posterus_85681 · Answer

Hi Salim,&nbsp;
How did you find this saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState temporary variable?&nbsp;
Could you modify it?&nbsp;
Regards,
Peter&nbsp;

aj_01_135899 · Answer

Did you ever get this working?  We're running in to a similar problem with an IdP initiated SAML SSO, with deep linking (via relaystate) required...&nbsp;

amass87_221296 · Answer

Anyone have more information on this.  Setting saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState doesn't actually populate RelayState when the POST is sent to the SP.&nbsp;

Forum Discussion

Dynamic "RelayState" for iDP initiated connections

Recent Discussions

question about getting hsl data to be formatted properly in splunk

Problem with lets encrypt and redirect after update

Is a Dedicated Interface, VLAN, and Self IP Required for a VIP in an F5 Configuration?

REST API to download License JSON report?

Is F5 r-series device instance is automatically turned on after power failure

Related Content

Proxy Protocol v2 Initiator

Proxy Protocol Initiator

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

Seamless App Connectivity with F5 and Nutanix Cloud Services

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS