
Should SAML v2 RelayState be used as a redirect URI for IdP initiated SAML

Open · robfusion opened this issue 3 years ago · 1 comment


Description

When the POST samlv2/acs endpoint is called, a RelayState optional parameter may be passed. It appears that some implementations expect that to be used as a redirect URL, but we do not currently use it for that purpose. We should investigate whether we should be using it as the redirect_uri according to the specification.


robfusion avatar Jul 07 '22 23:07 robfusion

The current workaround to select a specific redirect URI is to use a param on the ACS as follows:

https://<your_deployment_url>/samlv2/acs/<your_identity_provider_id>/<your_client_Id_from_application_configuration>?redirect_uri=<your_url_encoded_redirect_uri>

You will then need to add the redirect URL (from above) to your SAML application configuration as an Authorized Redirect URL. This should then force the correct redirect URI selection.

jobannon avatar Jul 12 '22 20:07 jobannon
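The workaround above relies on two things: the `redirect_uri` query parameter carried on the ACS URL, and the requirement that the chosen URL already be registered as an Authorized Redirect URL. The snippet below is an added illustration, not FusionAuth's code, of how a relying party would build that ACS URL and how a post-ACS redirect choice (whether taken from `redirect_uri` or from `RelayState`) should be constrained to an exact-match allow-list before the browser is sent anywhere. The deployment URL, identifier values and allow-list entries are constructed sample values, and the function names are assumptions made for this example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values for this example; not real FusionAuth identifiers.
DEPLOYMENT_URL = "https://auth.example.com"
IDP_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "00000000-0000-0000-0000-000000000002"
# Stands in for the application's "Authorized Redirect URLs" list.
AUTHORIZED_REDIRECT_URLS = {
    "https://app.example.com/dashboard",
    "https://app.example.com/reports",
}


def build_acs_url(deployment_url, idp_id, client_id, redirect_uri):
    """Build the ACS URL in the shape the workaround describes:
    /samlv2/acs/<idp id>/<client id>?redirect_uri=<url-encoded target>."""
    base = f"{deployment_url.rstrip('/')}/samlv2/acs/{idp_id}/{client_id}"
    # urlencode percent-encodes the target so it survives as a single parameter
    return f"{base}?{urlencode({'redirect_uri': redirect_uri})}"


def _normalise(url):
    """Reduce a URL to the (scheme, host, path) triple used for allow-list comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def is_authorized_redirect(candidate, authorized):
    """Exact-match allow-list check: scheme, host and path must all equal an
    authorized entry. Anything without an http(s) scheme and host is rejected,
    which covers relative paths, scheme-relative '//host/...' and 'javascript:' values."""
    if not candidate:
        return False
    parts = urlsplit(candidate)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return False
    return _normalise(candidate) in {_normalise(u) for u in authorized}


def select_redirect(acs_url, relay_state, authorized, default):
    """Decide where to send the browser after a successful IdP-initiated assertion.
    The redirect_uri on the ACS URL is preferred, then RelayState, but either is
    honoured only when it is on the allow-list; otherwise the application default wins.
    This is the policy a safe RelayState-as-redirect implementation would need."""
    query = parse_qs(urlsplit(acs_url).query)
    for candidate in (query.get("redirect_uri", [None])[0], relay_state):
        if is_authorized_redirect(candidate, authorized):
            return candidate
    return default


if __name__ == "__main__":
    acs = build_acs_url(DEPLOYMENT_URL, IDP_ID, CLIENT_ID, "https://app.example.com/reports")
    print(acs)
    # An unregistered RelayState never becomes the redirect target.
    print(select_redirect(acs, "https://evil.example/phish",
                          AUTHORIZED_REDIRECT_URLS, "https://app.example.com/dashboard"))
```

The allow-list comparison is deliberately an exact match on scheme, host and path rather than a prefix or substring test, since prefix checks are the usual way a registered redirect URL gets bypassed (for example a lookalike host that merely starts with the expected name).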