
I have successfully configured SAML SSO with OpenAM as SP and PingFederate as IdP, with SP-initiated SSO using the Redirect-POST binding. I am using the Kerberos adapter for implementing SSO.

However, I cannot pass the RelayState parameter from OpenAM to PF and get it back as part of the SAML auto-post form after successful authentication. It always redirects to the OpenAM Assertion Processing Service, i.e. openam/metalias/sp.

Things I tried:

  1. SAML authentication and custom redirect URL

  2. SSO - SAML, Redirect a user to a specified landing page after successful log in

I created a binding in the IdP attribute mapping with the name "RelayState", but it appears as part of the signed SAMLResponse and not as an extra parameter in the auto-post-back form, so OpenAM is not able to get the RelayState.

I also tried passing RelayState URL-encoded, as well as passing it with the name TargetResource. But no luck.

```html
<!-- template name: form.autopost.template.html -->

#set( $messageKeyPrefix = "form.autopost.template." )

<html>
    <head>
        <title>$templateMessages.getMessage($messageKeyPrefix, "title")</title>
        <meta name="referrer" content="origin"/>
        <meta http-equiv="x-ua-compatible" content="IE=edge" />
    </head>
    <body onload="javascript:document.forms[0].submit()">
        <noscript>
            <p>
                <strong>$templateMessages.getMessage($messageKeyPrefix, "noteTitle"):</strong> $templateMessages.getMessage($messageKeyPrefix, "note")
            </p>
        </noscript>
        <form method="post" action="$action">
            ## Standard PingFederate form controls (SAMLResponse, plus RelayState when the IdP has one)
            #foreach( $name in $formControls.keySet() )
            <input type="hidden" name="$escape.escape($name)" value="$escape.escape($formControls.get($name))"/>
            #end
            ## Hand-added for the experiment described below: forces a static RelayState into the POST
            <input type="hidden" name="RelayState" value="https://www.google.com"/>
            <noscript><input type="submit" value="$templateMessages.getMessage($messageKeyPrefix, "resume")"/></noscript>
        </form>
    </body>
</html>
```


Out of curiosity, I modified the PingFederate auto-post form to force-include the RelayState parameter, and it worked.

So I need to find a way to pass this information to PF, so that PF can then pass it back to the SP (OpenAM) after authentication is done by adding the extra parameter to the SAMLResponse form.

  • For SP-init, by spec the SP should send an opaque value to the IdP in the `RelayState` parameter of the `AuthnRequest`, not a URL. This value should be the key to a key-value pair captured at the SP where the value holds the location of where the user should be redirected after the SSO is complete. PingFederate will respond back to the `AuthnRequest` with that same value in `RelayState`. The SP should look up where the user is to be redirected and send the user off. I would suspect that you aren't starting the SP-init transaction properly, but I am not familiar with OpenAM to help more. – Andrew K. Aug 30 '19 at 13:36
  • How are you triggering SP-initiated SSO from OpenAM? Are you using 'saml2/jsp/spSSOInit.jsp' (equivalent to URI 'spssoinit')? – Bernhard Thalmayr Aug 31 '19 at 10:46
  • @BernhardThalmayr Hi, we are using the Redirect-POST technique for SP-init. So the SP will redirect to the IdP. It is driven from the Authentication Module. In the module we configure the IdP entity ID, and in federation we have a circle of trust. So when the request goes to the specific module in the circle of trust in federation. – Aniket Dandawate Sep 11 '19 at 08:26
  • If you are using the SAML2 authentication module, then OpenAM will actually send the browser back to the URL which was used to trigger authentication (the value of the 'goto' parameter) after the SAML flow succeeded. Do you want to end up somewhere else? – Bernhard Thalmayr Sep 11 '19 at 08:59
  • @BernhardThalmayr - Yes, I am using the SAML2 Authentication module. The module name is PingSAML, so when I hit http://host:port/openam/UI/Login?module=PingSAML&goto=/openam/console it redirects to the IdP and on success it goes to "/openam/Consumer/metaAlias/sp". The IdP is not aware of the goto/RelayState parameter, nor does it send it back to the SP in the response. I have tried using "RelayState" instead of "goto" as the key in the redirect request, but with the same result. It always goes back to /openam/Consumer/metaAlias/ - the Assertion Consumer Service. The problem is that the goto parameter is not populated. – Aniket Dandawate Sep 11 '19 at 09:53
  • When I configure a default RelayState in OpenAM, it successfully redirects to the specified value. But it is a static field and applies application-wide. I want to make use of RelayState to dynamically redirect the user to the URL where the request was originally made. – Aniket Dandawate Sep 11 '19 at 09:56
  • I just tried using http://openam:port/openam/saml2/jsp/spSSOInit.jsp?idpEntityID=IDP-ent-026330&metaAlias=/sp&goto=openam/console and it redirected to the proper relay state. Can we configure the idpEntityID to default to whichever IdP is there in the SAML2 Auth module? – Aniket Dandawate Sep 11 '19 at 10:07
  • @BernhardThalmayr: thanks a lot for suggesting ssoinit. I have configured it as the Login URL in OpenAM and it works smoothly. Thanks a ton. I cannot mark it as the answer as I don't have enough points. – Aniket Dandawate Sep 11 '19 at 10:24
  • You do not need to provide the RelayState parameter when using the SAML2 authentication module; OpenAM will remember (stored in memory) the value of the 'goto' parameter and will redirect the browser to this URL when the SAML2 authentication module succeeds (when the SAML response from the IdP could be successfully processed). It's the same as when you use any other authentication module that does not delegate authentication to some other party. – Bernhard Thalmayr Sep 12 '19 at 07:24
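The pattern described in the comments above (SP sends an opaque RelayState with the AuthnRequest, the IdP echoes it back unchanged in the auto-post form, the SP resolves it to the stored target) as an added, self-contained example. This is illustrative code written for this page, not OpenAM or PingFederate code: entity IDs, URLs, the in-memory store and the default landing page are hypothetical, the XML is a minimal stand-in with no signatures or schema validation, and the `idp_autopost_fields` function only mimics what the IdP's auto-post template emits. The security point it demonstrates is that the SP never trusts RelayState as a URL; unknown, expired or replayed tokens fall back to a fixed default, so the parameter cannot become an open redirect.

```python
"""Added example: SP-initiated SAML 2.0 with an opaque RelayState.
Not part of the original question or of OpenAM/PingFederate. All
endpoints, entity IDs and the store are hypothetical."""
import base64
import secrets
import time
import zlib
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://openam.example.com/openam"                       # hypothetical
SP_ACS_URL = "https://openam.example.com/openam/Consumer/metaAlias/sp"  # hypothetical
IDP_SSO_URL = "https://pf.example.com/idp/SSO.saml2"                     # hypothetical
DEFAULT_LANDING = "/openam/console"                                      # hypothetical default
RELAY_TTL_SECONDS = 300

# SP-side store: opaque token -> (target URL, expiry). This is the "key-value
# pair captured at the SP" from the comment. Use a server-side cache in practice.
_relay_store: Dict[str, Tuple[str, float]] = {}


def _deflate_b64(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def _inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def sp_start_sso(target_url: str, now: Optional[float] = None) -> str:
    """Build the redirect URL to the IdP. The target is stored under a random
    token and only the token travels as RelayState, never the URL itself."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    _relay_store[token] = (target_url, now + RELAY_TTL_SECONDS)
    request_id = "_" + secrets.token_hex(16)
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    query = urlencode({"SAMLRequest": _deflate_b64(authn_request), "RelayState": token})
    return f"{IDP_SSO_URL}?{query}"


def idp_autopost_fields(redirect_url: str) -> Dict[str, str]:
    """Stand-in for the IdP: decode the AuthnRequest and return the hidden
    fields the auto-post form would carry. Per spec the IdP copies RelayState
    back verbatim and never interprets it."""
    qs = parse_qs(urlparse(redirect_url).query)
    authn = _inflate_b64(qs["SAMLRequest"][0])
    in_response_to = authn.split('ID="', 1)[1].split('"', 1)[0]
    response_xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'InResponseTo="{in_response_to}" Version="2.0"/>'
    )
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if "RelayState" in qs:
        fields["RelayState"] = qs["RelayState"][0]
    return fields


def sp_consume(form: Dict[str, str], now: Optional[float] = None) -> str:
    """ACS side: resolve RelayState to the stored target. Tokens are single-use
    and time-limited; anything unknown falls back to DEFAULT_LANDING rather than
    being followed, which is what keeps RelayState from being an open redirect."""
    now = time.time() if now is None else now
    entry = _relay_store.pop(form.get("RelayState", ""), None)
    if entry is None or entry[1] < now:
        return DEFAULT_LANDING
    return entry[0]


if __name__ == "__main__":
    url = sp_start_sso("/openam/console?tab=realms")
    form = idp_autopost_fields(url)          # what the browser would auto-post to the ACS
    print("RelayState on the wire:", form["RelayState"])
    print("SP redirects to:", sp_consume(form))
```

The `goto` handling the comments describe for OpenAM's SAML2 module (remembering the target in server-side memory and not sending it to the IdP at all) is the same idea taken one step further: the target never leaves the SP, so there is nothing for the IdP to echo.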

1 Answer


Using 'saml2/jsp/spSSOInit.jsp' instead of SAML2 authentication module URL solved this issue.