
We have a SAML integration with a vendor. The IdP on our side is ADFS 2.0. Whenever a user clicks on a link to the vendor from our site, the user is redirected to the ADFS login page. After successful authentication they are redirected to the vendor's SAML assertion consumer URL, which is their home page.

Now we have a deep link to be established. The problem with that is that the user, after authentication, always ends up on the vendor's home page. Assuming RelayState is set up, isn't it the responsibility of the vendor to redirect from the SAML assertion consumer URL page to the deep link? I assume ADFS cannot redirect directly to the deep link because the security context has to be established at the vendor's site by going to the assertion URL. Isn't it an inconvenience to expect everyone to go to a specific page (the assertion URL) before going to another link?

The only other option, I assume, is making the code that establishes the security context on the vendor's side an HTTP module or filter. Am I right in saying this, or is my understanding wrong?

rachen

1 Answer

Within the scope of SAML, it is the responsibility of ADFS to attach the same RelayState that was sent from the vendor to the redirect going back to the vendor. How the RelayState is used is out of scope for SAML and something you have to agree upon.

It is, however, very common for the target URL of the deep link to be sent in the RelayState.

Stefan Rasmusson

  • Is the RelayState guaranteed to reach the vendor in an unaltered state in this situation? – anpatel Nov 09 '17 at 23:08
  • According to the specification, what is sent in RelayState should be sent back unaltered. As long as the IdP follows the specification, it should be fine. – Stefan Rasmusson Nov 10 '17 at 13:34
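The exchange the answer and comments describe, as an added example that is not part of the original question or answer: the vendor (SP) starts SSO with the deep link carried in RelayState, the IdP echoes RelayState back unaltered, and the SP's assertion consumer endpoint redirects to the deep link. It goes one step beyond "send the URL in RelayState": the SP stores the deep link server-side and sends only an opaque, single-use token, which keeps the value under the 80-byte RelayState limit in the SAML 2.0 Bindings specification and means the post-login redirect is never driven by a URL that came back from outside. The deep link is also checked to be a local path before it is stored, so a crafted link cannot turn the ACS into an open redirect. The endpoints, the `idp_stub` standing in for ADFS, and the bare-bones AuthnRequest/Response XML are assumptions for illustration; this is not a SAML library and does no signature validation.

```python
import base64
import secrets
import time
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoints, assumed for this example only.
IDP_SSO_URL = "https://adfs.example/adfs/ls/"
SP_ACS_URL = "https://vendor.example/saml/acs"
RELAY_STATE_MAX_BYTES = 80   # SAML 2.0 Bindings, "Use of RelayState"
PENDING_TTL_SECONDS = 300


def safe_local_path(deep_link):
    """Return deep_link if it is a path on the vendor's own site, else "/".

    Absolute URLs, protocol-relative URLs ("//evil.example/...") and paths
    containing backslashes (which browsers may treat as slashes) are refused,
    so the post-login redirect cannot become an open redirect.
    """
    parts = urlsplit(deep_link)
    if parts.scheme or parts.netloc or "\\" in deep_link:
        return "/"
    if not deep_link.startswith("/") or deep_link.startswith("//"):
        return "/"
    return deep_link


class ServiceProvider:
    """Vendor-side RelayState handling: opaque token out, deep link looked up on return."""

    def __init__(self):
        self._pending = {}   # RelayState token -> (local target, expiry time)

    def start_sso(self, deep_link, now=None):
        """Build the Redirect-binding URL that sends the user to the IdP."""
        now = time.time() if now is None else now
        target = safe_local_path(deep_link)
        token = secrets.token_urlsafe(24)   # 32 URL-safe characters, well under 80 bytes
        assert len(token.encode()) <= RELAY_STATE_MAX_BYTES
        self._pending[token] = (target, now + PENDING_TTL_SECONDS)
        authn_request = (f'<samlp:AuthnRequest ID="_{secrets.token_hex(16)}" '
                         f'AssertionConsumerServiceURL="{SP_ACS_URL}"/>')
        comp = zlib.compressobj(wbits=-15)   # raw DEFLATE, as the Redirect binding requires
        saml_request = base64.b64encode(comp.compress(authn_request.encode()) + comp.flush()).decode()
        return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": token})

    def consume(self, form, now=None):
        """Assertion consumer endpoint: returns the path the user should be redirected to."""
        now = time.time() if now is None else now
        # A real ACS validates the signature, Destination, Audience, InResponseTo and
        # NotOnOrAfter of the SAMLResponse first; only the Destination is checked here.
        response = base64.b64decode(form.get("SAMLResponse", "")).decode()
        if f'Destination="{SP_ACS_URL}"' not in response:
            return "/"
        # RelayState is only ever a lookup key: unknown, replayed or expired -> home page.
        entry = self._pending.pop(form.get("RelayState", ""), None)
        if entry is None:
            return "/"
        target, expiry = entry
        return target if now <= expiry else "/"


def idp_stub(redirect_url):
    """Stand-in for ADFS: parse the request and POST a response back to the ACS,
    echoing RelayState unaltered as the Bindings specification requires."""
    query = parse_qs(urlsplit(redirect_url).query)
    relay_state = query.get("RelayState", [""])[0]
    decomp = zlib.decompressobj(wbits=-15)
    authn_request = decomp.decompress(base64.b64decode(query["SAMLRequest"][0])).decode()
    acs = authn_request.split('AssertionConsumerServiceURL="')[1].split('"')[0]
    response = f'<samlp:Response Destination="{acs}"><Subject>alice</Subject></samlp:Response>'
    return {"SAMLResponse": base64.b64encode(response.encode()).decode(),
            "RelayState": relay_state}   # sent back exactly as received


def relay_state_of(redirect_url):
    return parse_qs(urlsplit(redirect_url).query)["RelayState"][0]


def run_exchange(sp, deep_link):
    """Full round trip: SP -> IdP -> SP ACS, returning the final redirect target."""
    redirect_url = sp.start_sso(deep_link)
    form = idp_stub(redirect_url)
    return sp.consume(form)


if __name__ == "__main__":
    sp = ServiceProvider()
    print(run_exchange(sp, "/reports/42?tab=summary"))   # deep link honoured
    print(run_exchange(sp, "https://evil.example/phish"))  # rejected: home page
```

If the vendor's ACS is the only place that can establish the session, this is exactly the "HTTP module or filter" from the question in its simplest form: the ACS handler finishes the login and then issues one further redirect to the stored target. Nothing in the flow requires the user to see the home page first.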