Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Posterus_85681's avatar
Posterus_85681
Icon for Nimbostratus rankNimbostratus
Sep 05, 2016

Dynamic "RelayState" for iDP initiated connections

We use APM for idp initiated SAML assertion and have it working for a number of SaaS applications. We have a new application that requires the "RelayState" to be set, so that users goto a specific lo...
application delivery
BIG-IP Access Policy Manager (APM)
Salim_83682's avatar
Salim_83682
Historic F5 Account
Sep 06, 2016

Hi,

 

I don't believe that using a session variable for the RelayState field is currently supported.

 

I have done something similar in the past with APM as SP that may work for APM as IdP (at least it's worth testing). A "temporary" internal RelayState session variable gets created when the policy runs (if you debug your policy you can see it); in this particular case, it's always named:

 

saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState

You may be able to set your RelayState using a Variable assign in the VPE right before your Resource Assignment. In this case, you could match it with your session.custom.relaystate

 

If the variable doesn't work in the APM as IdP scenario, you can try to debug your policy and look into sessiondump and /var/log/apm outputs to see if you find another similar variable that you could use.

 

Otherwise, I suggest you open a case with F5 Support to request the feature to be added.

 

Let me know how it turns out.

 

Salim

 

Posterus_85681's avatar
Posterus_85681
Icon for Nimbostratus rankNimbostratus
Sep 06, 2016

Hi Salim,

 

How did you find this saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState temporary variable?

 

Could you modify it?

 

Regards, Peter