2

We are using SustainSys.Saml2 with IdentityServer4.

We have the following flow working outlined in this question How to maintain returnurl after receiving SAML response from OneLogin

When we issue a ChallengeAsync just before we are redirected to OneLogin to verify our user and send a SamlResponse back we see our AuthenticationProperties get passed to SustatinSys library code and it has relayData and a returnPath set but when OneLogin posts back to us the relaystate is not the returnurl/relayData we specified. We believe it is a value generated from here https://github.com/Sustainsys/Saml2/blob/master/Sustainsys.Saml2/RelayStateGenerator.cs as part of the SamlAuthenticationRequest creation.

Should that be passing the relaydata that we created to SamlAuthenticationRequest so that we can read it once successfully logged in as part of the SamlResponse or are we doing something wrong and need to set some options elsewhere so we can read the relaystate?

Jon
  • 38,814
  • 81
  • 233
  • 382

1 Answers1

0

The relayData and returnPath that you pass in to AuthenticationProperties are preserved in an encrypted cookie during the call to the Idp. The RelayState in the actual Saml2 exchange is a random string, that is also the name of the cookie. When the Saml response is processed, the contents of the cookie are read and the AuthenticationProperties are restored (including the ReturnUrl).

Anders Abel
  • 67,989
  • 17
  • 150
  • 217
  • We were processing the response manually but then realised we should use the Saml2Handler that you provide. Thanks – Jon Oct 24 '18 at 15:27
  • Yes, using the handler is really recommended. Going directly on the Commands API is an advanced scenario that should be avoided. That is mostly meant as an internal API for the platform specific modules on top of it. – Anders Abel Oct 25 '18 at 11:22