Dynamic "RelayState" for iDP initiated connections
Hi,
I don't believe that using a session variable for the RelayState field is currently supported.
I have done something similar in the past with APM as SP that may work for APM as IdP (at least it's worth testing). A "temporary" internal RelayState session variable gets created when the policy runs (if you debug your policy you can see it); in this particular case, it's always named:
saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState
You may be able to set your RelayState using a Variable assign in the VPE right before your Resource Assignment. In this case, you could match it with your session.custom.relaystate
If the variable doesn't work in the APM as IdP scenario, you can try to debug your policy and look into sessiondump and /var/log/apm outputs to see if you find another similar variable that you could use.
Otherwise, I suggest you open a case with F5 Support to request the feature to be added.
Let me know how it turns out.
Salim
Did you ever get this working? We're running into a similar problem with an IdP initiated SAML SSO, with deep linking (via relaystate) required...