How to pass relaystate for IdP with SAML2
09-28-2015 03:41 AM
Hi,
I am using SAML2 and I have this one problem.
http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile#gsc.tab=0
1. How and where can I find this relayState?
2. How does relayState send to SSO?
3. What does "origRelayState" contain, and does it really send it?
I just can't understand the documentation, so it would be nice if I could get some support on this issue.
BR,
Hai
09-29-2015 05:36 AM
The RelayState is used, when using SSO, to maintain the information regarding the actual URL/page you wanted to access when you weren't logged into the instance. As you can read in the "Login (AuthnRequest) Process Flow" section of the SAML 2.0 browser profile wiki article:
http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile#Login_.28AuthnRequest.29...
The scenario is the following:
--------------------------------------
- A user (not logged in) clicks on a link, e.g. https://INSTANCE/incident_list.do
- The instance gets the request to open https://INSTANCE/incident_list.do.
- If the user is not authenticated, the instance constructs an AuthnRequest to be sent to the IdP. The instance also constructs and sends the RelayState URL parameter value (https://INSTANCE/incident_list.do).
- The IDP (Identity Provider) gets the request to authenticate the user together with the RelayState information.
- After the user is authenticated, the IDP sends back the auth information to the instance together with the RelayState value.
- The instance reads the SAML response got from the IDP, and if the user has been successfully authenticated, it redirects him to the URL in the RelayState.
--------------------------------------
Now, as you can see by reading the above wiki article, the instance sends the RelayState information to the IDP by default. The problem here can be that the IDP is not sending the RelayState information back in the SAML Response to the instance.
In order to have the RelayState/Deep Linking working correctly, you should make sure this is correctly configured in your IDP. For information on how to do so you should refer to your IDP documentation.
01-10-2018 07:48 AM
Several years later, we have the same problem, and have tracked it down to the fact that the SAML2_update1 script does "double encoding" of URLs. It encodes URLs that have already been encoded (deep link URLs such as are sent in email, which already have URL encoding applied). What happens is that the SAML2_update1 script encodes this already-encoded URL, then redirects to the login service provider, who (after authentication) in turn redirects you back to the relayState URL. But now ServiceNow cannot parse this double-encoded URL, and dumps you on a home page by default because it can't figure out where you wanted to go.
I don't have a good solution. ServiceNow has been very much less than helpful on this.
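The following Python sketch is an added example, not code from the thread, from the ServiceNow wiki, or from the SAML2_update1 script. It walks the service-provider (instance) side of the RelayState flow laid out in the 09-29-2015 reply, and it reproduces the double-encoding failure described in the 01-10-2018 post so the two outcomes can be compared. The IdP is simulated in-process (it decodes the redirect query once and echoes RelayState back in the form POST, which is the correctly configured behaviour the reply asks for); the instance host, the IdP SSO URL and the base64 SAMLRequest/SAMLResponse strings are constructed placeholders. The validation step goes a little beyond the thread: it only follows a RelayState that is an https URL on the instance itself, so a returned RelayState cannot be used to redirect a freshly authenticated user to another host, and it reports a doubly encoded value as a diagnosis instead of trying to follow it.

```python
"""RelayState round trip at a SAML 2.0 service provider (SP).

Constructed example: the IdP is simulated in-process. It echoes the
RelayState it received back to the SP unchanged, which is what the thread
describes as a correctly configured IdP.
"""
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed placeholders standing in for https://INSTANCE and for the IdP.
INSTANCE_HOST = "instance.example.com"
IDP_SSO_URL = "https://idp.example.com/sso"
SAML_REQUEST_B64 = "UkVRVUVTVC1QTEFDRUhPTERFUg=="    # placeholder, not a real AuthnRequest
SAML_RESPONSE_B64 = "UkVTUE9OU0UtUExBQ0VIT0xERVI="  # placeholder, not a real Response


def build_idp_redirect(idp_sso_url, saml_request_b64, requested_url):
    """SP side, step 3 of the flow: AuthnRequest and RelayState are
    percent-encoded exactly once, as query parameters of the IdP SSO URL.
    requested_url must be passed raw; urlencode() performs the one encoding."""
    return idp_sso_url + "?" + urlencode(
        {"SAMLRequest": saml_request_b64, "RelayState": requested_url}
    )


def parse_relay_state_from_response(form_body):
    """SP side, on return: the IdP posts SAMLResponse and RelayState to the
    assertion consumer service. One form decode restores the value the SP
    sent, including %XX sequences that belong to the deep link itself."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("RelayState", [None])[0]


def validate_relay_state(relay_state, expected_host):
    """Decide whether the returned RelayState may be followed.

    Returns (ok, reason). Only an https URL on this instance is accepted, so
    RelayState cannot be turned into a redirect to another host. A value that
    becomes a same-instance URL only after one more decode was encoded twice
    before the redirect; it is reported as such, not followed.
    """
    if not relay_state:
        return False, "missing"
    parts = urlsplit(relay_state)
    if parts.scheme == "https" and parts.netloc == expected_host:
        return True, "ok"
    if "%3A%2F%2F" in relay_state.upper():  # an encoded "://" survived one decode
        inner = urlsplit(unquote(relay_state))
        if inner.scheme == "https" and inner.netloc == expected_host:
            return False, "double-encoded"
    return False, "not-same-instance"


def simulate_round_trip(requested_url, sp_pre_encodes=False):
    """Run the whole flow in-process and return the RelayState the SP sees.

    sp_pre_encodes=True reproduces the defect described in the thread: the SP
    percent-encodes the deep link itself before the redirect builder encodes
    it again, so the IdP receives, and faithfully echoes, a doubly encoded value.
    """
    value = quote(requested_url, safe="") if sp_pre_encodes else requested_url
    redirect = build_idp_redirect(IDP_SSO_URL, SAML_REQUEST_B64, value)
    # Simulated IdP: decode the query once, authenticate, echo RelayState back.
    idp_relay_state = parse_qs(urlsplit(redirect).query)["RelayState"][0]
    form_body = urlencode(
        {"SAMLResponse": SAML_RESPONSE_B64, "RelayState": idp_relay_state}
    )
    return parse_relay_state_from_response(form_body)


if __name__ == "__main__":
    # Constructed deep link of the kind sent in e-mail: its query value is
    # already percent-encoded (number%3DINC0010001) and must survive intact.
    deep_link = ("https://instance.example.com/incident.do"
                 "?sysparm_query=number%3DINC0010001&sys_id=abc")
    for pre_encode in (False, True):
        seen = simulate_round_trip(deep_link, sp_pre_encodes=pre_encode)
        print("pre-encoded:", pre_encode, "->", seen,
              validate_relay_state(seen, INSTANCE_HOST))
```

With a single encoding the SP gets the deep link back byte for byte, `%3D` included, and the validator returns `(True, "ok")`; with the extra encoding the SP gets back a string starting `https%3A%2F%2F...` that no URL parser recognises as a URL, which is exactly the "can't figure out where you wanted to go" state in the last post. The fix is on the encoding side (encode the RelayState once, as the redirect builder already does); the `"double-encoded"` reason is there so the instance can log the cause rather than silently landing the user on the home page.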