
1j9vy (1j9vy) asked a question.
We are facing an issue while certifying Okta as Identity Provider for our webapps.
Our webapps provide SAML authentication via Service Provider initiated SSO. When a user tries SAML login, the webapp creates a SAML Request and redirects the user to Okta. The webapp also sends a ‘RelayState’ parameter with the SAML Request. The ‘RelayState’ parameter has some webapp-specific validation fields which are dynamically generated with every request. Okta is supposed to return the same RelayState back with the SAMLResponse, but it is not sending it, due to which the webapp is not able to perform the required validation.
Can you please help me out here and suggest the fix in Okta Configuration for this?
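
As an added example (not code from this thread or from Okta), here is one way an SP could issue and check the kind of per-request RelayState the question describes, failing closed when the IdP does not return it. The key, lifetime, session ids and `pending` store are assumptions; the 80-byte limit comes from the SAML 2.0 bindings specification.

```python
import base64, hashlib, hmac, secrets, time

SP_KEY = secrets.token_bytes(32)  # assumption: secret known only to the SP
MAX_AGE = 300                     # assumption: login attempt lifetime, seconds
MAX_LEN = 80                      # SAML 2.0 bindings limit for RelayState, bytes

def _tag(session_id, nonce, issued):
    # MAC binds the token to the browser session that started the login
    msg = f"{session_id}|{nonce}|{issued}".encode()
    digest = hmac.new(SP_KEY, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def new_relay_state(session_id, return_path, pending, now=None):
    """Issue an opaque RelayState; the return path stays server-side."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(12)
    pending[nonce] = return_path
    state = f"{nonce}.{issued}.{_tag(session_id, nonce, issued)}"
    assert len(state.encode()) <= MAX_LEN
    return state

def check_relay_state(state, session_id, pending, now=None):
    """Return (return_path, None) on success, else (None, reason)."""
    if not state:
        return None, "missing"        # the IdP did not echo RelayState
    parts = state.split(".")
    if (not state.isascii() or len(state) > MAX_LEN
            or len(parts) != 3 or not parts[1].isdigit()):
        return None, "malformed"
    nonce, issued, tag = parts
    if not hmac.compare_digest(tag, _tag(session_id, nonce, int(issued))):
        return None, "bad-signature"  # altered, or issued for another session
    if (time.time() if now is None else now) - int(issued) > MAX_AGE:
        return None, "expired"
    path = pending.pop(nonce, None)   # one-time use
    if path is None:
        return None, "replayed"
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return None, "unsafe-path"    # only same-site relative redirects
    return path, None

if __name__ == "__main__":
    store = {}                        # constructed sample values below
    rs = new_relay_state("sess-A", "/reports/7", store)
    print(check_relay_state(None, "sess-A", store))  # response without RelayState
    print(check_relay_state(rs, "sess-A", store))    # RelayState echoed unchanged
```

Logging the rejection reason per login attempt makes a stripped RelayState visible on the SP side and distinguishes it from a tampered or replayed one.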

Hi Vipul - thanks for your question! It looks like support has followed up with you, so I'll post their response so anyone else with a similar issue will be able to reference:
To start IdP initiated SAML with Okta you need to use the IdP SSO URL with ?RelayState= appended to the URL, not the app embed URL.
You can find the IdP SSO URL by clicking "View Setup Instructions" on the Sign On tab for the application in the admin console.
Please install the SAML tracer on the Firefox Plugin and try to analyze it using the guide I sent below. If the issue still persists, please open a support case with us.
https://support.bluejeans.com/s/article/Collecting-SAML-traces-using-Firefox
Hi Molly,
We are trying SP initiated SSO.
Does Okta support SP initiated SSO with RelayState sent by SP?
Hi Molly, we have a similar use case in which Okta acts as SAML SP Provider and consumes the SAML Assertion from the federated IdP. It consumes the SAML Assertion, but it does not obey the Relay State to an entire domain; instead it appends the RelayState to the existing domain. For example, if RelayState="www.splunk.com", post validation the redirection URL is <OktaDomain>/www.splunk.com. We don't want it to be a relative path; instead we need it to be an absolute path.
We are seeing the same issue with SP initiated SSO; the RelayState sent by SP is not sent back by Okta.
Hanlin, We were able to resolve it by adding the Relay State in the "Trusted Origin" List as the redirect URL
Thanks Vivek, I just tried adding the redirect URL into the `Trusted Origin` List, but I am still not seeing it sent back in the Relay State field.
Actually, I think your case might be different. I'm using Okta as IdP and triggering an SP initiated login. The RelayState set by the SP is not sent back by Okta.
Are there any updates here? I see tons of similar threads in the community about RelayState not being respected in SP-initiated SAML flows. RelayState in SP-initiated flows has been part of the SAML 2.0 spec since 2005. Is it really not supported by Okta?