0D51Y00007UkXRsSAN | Okta Classic Engine | Single Sign-On | Answered | 2024-04-15T09:30:27.000Z | 2020-01-06T09:42:16.000Z | 2020-01-08T20:25:40.000Z
Relay State is not sent back on SAML Login Response

Hello Team,

 

Please find the SAML login request:

 

https://dev-647251.okta.com/app/americtechnologydev647251_samlspringboot_1/exk1pt9i4l3HCmZMJ357/sso/saml?SAMLRequest=fZJPb9swDMW%2FiqG7Lf%2BNYyEJkCUYmqFdgzrboZeAsdlGqCx5oty1376KvQHdYbkJ1PuRfA9cEHSqF%2BvBnfUD%2FhqQXPDWKU1i%2FFiywWphgCQJDR2ScI2o13e3Io1i0VvjTGMU%2B4RcJ4AIrZNGs2C3XbJjgm1ZJgWGLZR5mDcVhHPMizCD9FTks6JKT8iCn2jJM0vmW3iQaMCdJgfa%2BVKcxmGchPHsEFcinYs4i2Zp9ciCrfciNbiRPDvXk%2BC8xddwlpdpkUTmxUHUmI5D33O%2FqZWNw%2BasjTLP7143yY4XU9RbqZ9PxrhjwvHtJeldJXOV3Wy6x7tvWVFyIsMvShbs%2F4TyRerWQ9fzOE0iEjeHwz7c39cHFqz%2FZrQxmga%2FV432VTb44%2BF28uFtKNOAOhtyYp7n2TiZ1%2FU9Wy0uTzFGZFdXxB06aMHBgn8GFtM1fPd77rZ7o2TzHnw1tgP3fxtJlIwV2YZPo1RgB1Kt29YikbejlPm9sQgOl%2BwJFCHjq2nsv3e3%2BgA%3D&RelayState=myRelayStateValue&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=OsqAMQ0JbDRG%2FOUSlfnSCT61Aed5mTPX9bIN9Hz5k7Rhydx%2FgDFmCqJF%2BhNYMYAznfYYLFgCPnK%2FHtih45G0bE24oOGrRy4ARMtol05L0xPKBT1nTZHKIPkQpWk%2BdTaEyohQzkHxYiD28BSmbkR5iUNyZWGhOLtlK1gDNKehaU%2BfPVTY9zIt9vRllCyqVAmqqQ39T%2FkhRbLos2KlAOmWkcT4LHbv60Yh8Gw3ohNxYJIA5lJvk2cJHOUYdLnF5T1meb2ngsgNyAcA893gOinO7413TAUfPDe3AGGdUIE2XCqMJhm6BffKMhL%2BQKP7jQ5d41D3cnqrP4gf71Ub86HRfg%3D%3D

 

Here I pass a RelayState value to Okta, but it is not sent back in the ACS call.

Below is the response from OKTA.

 

Please find the SAML Response:

 

<?xml version="1.0" encoding="UTF-8"?>

<saml2p:Response Destination="http://localhost:8443/saml/SSO" ID="id14297284266932014318805624"

  InResponseTo="_1ed7715e-da74-4c9a-8e45-3a2b546592be" IssueInstant="2020-01-06T09:28:04.187Z"

  Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk1pt9i4l3HCmZMJ357</saml2:Issuer>

  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

    <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

      <ds:Reference URI="#id14297284266932014318805624">

        <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

        <ds:DigestValue>Fk8fKdc6OgMWMmjbNBJNMWpoECdIdTU4GQqdjpo46+8=</ds:DigestValue>

      </ds:Reference>

    </ds:SignedInfo>

    <ds:SignatureValue>SeEStZCUDDBxK/T2nWTFPqmYt5O66kRKAlCCeJQ7Hbkn4oRY63CSTicv1DM16ms/NJBmUbXy6KJKZTaN+KK5qFN6MbUmGbcPTStyxp7quiZJo1A+EW+UueM13kxUWYjTgQ4jp91EPk+H3+lx4X6i48gae562zmc6YROZO6Ty+XG1YiprOzL8DxenPCtbLwAOth5qepWmcyalYGn16ceZ4l7iOAeB6/bDsmYodpLafArcteEngvaCPu9Jl1yAsTLsb7WvFYqmASIZ8xnfZedm7WP2WkMDFiv+jOM+w659goMAsRJ1yb5KPQwwu+S8Q180bUxeJiFTF3DwFsBS2BXxrw==</ds:SignatureValue>

    <ds:KeyInfo>

      <ds:X509Data>

        <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>

      </ds:X509Data>

    </ds:KeyInfo>

  </ds:Signature>

  <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>

  <saml2:Assertion ID="id142972842670097291659493949" IssueInstant="2020-01-06T09:28:04.187Z"

    Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/exk1pt9i4l3HCmZMJ357</saml2:Issuer>

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

      <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>

        <ds:Reference URI="#id142972842670097291659493949">

          <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>

          <ds:DigestValue>StYLy/2SWViGX621nY8KWB5EtVtFumfDcC161zBVB4A=</ds:DigestValue>

        </ds:Reference>

      </ds:SignedInfo>

      <ds:SignatureValue>obft7Oi9Rk5r7TB4cARM+KIfFg052vI28gqrDlorXAsNAjPk4hFALu31XwlSo1zrro8IzHpznXMRjxc0u+N4MY4102EMjiwLZ8PODNolLHmVukjGCh5dBn9Ad4TbtGdxhvk8lZ8DAyQ4iDS3AiOOR08rYqkmfbXEvIMyoD47nAumvjLQtCp1x0EnUxiKNKsRkExGF3nCArobKzx9FwR5ZXmxpTiWvqAglfwLRcZ8otZqNjJackmVHTRW18jeQTF09mqMNpLoEDyAKTGAPDKEHp8BjsvscJzgyhMks8Na6P0VJTEmcak5O0pKYdq0mDeb+ozsAyaNV6J9BO4h05EFmw==</ds:SignatureValue>

      <ds:KeyInfo>

        <ds:X509Data>

          <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>

        </ds:X509Data>

      </ds:KeyInfo>

    </ds:Signature>

    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">n.sabarivignesh@gmail.com</saml2:NameID>

      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_1ed7715e-da74-4c9a-8e45-3a2b546592be"

        NotOnOrAfter="2020-01-06T09:33:04.187Z" Recipient="http://localhost:8443/saml/SSO"/></saml2:SubjectConfirmation>

    </saml2:Subject>

    <saml2:Conditions NotBefore="2020-01-06T09:23:04.187Z" NotOnOrAfter="2020-01-06T09:33:04.187Z"

      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

      <saml2:AudienceRestriction>

        <saml2:Audience>http://localhost:8443/saml/metadata</saml2:Audience>

      </saml2:AudienceRestriction>

    </saml2:Conditions>

    <saml2:AuthnStatement AuthnInstant="2020-01-06T09:28:04.187Z"

      SessionIndex="_1ed7715e-da74-4c9a-8e45-3a2b546592be"

      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

      <saml2:AuthnContext>

        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>

      </saml2:AuthnContext>

    </saml2:AuthnStatement>

  </saml2:Assertion>

</saml2p:Response>

 

What could be wrong here?

 


  • bc221 (bc221)

    Okta will not include RelayState in the SAML Response. It will be in the BODY when Okta POSTs the SAML Response to your service provider. You can use any web debugger tool (Fiddler) to intercept web browser traffic and look for the POST call from Okta to your SP.

    Selected as Best
This question is closed.
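
The accepted answer's point, as an added example that is not part of the original thread: in the HTTP-POST binding the ACS request body carries RelayState as a form field beside SAMLResponse, so the SP reads it from the form and compares it with the value it stored for that AuthnRequest ID. The function names, the PENDING store and the sample body are assumptions constructed for illustration; only the request ID, the ACS URL and the RelayState value come from the question.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def parse_acs_post(body: str) -> dict:
    """Split an HTTP-POST binding body; RelayState is a form field, not XML."""
    form = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if len(form.get("SAMLResponse", [])) != 1:
        raise ValueError("expected exactly one SAMLResponse field")
    if len(form.get("RelayState", [])) > 1:
        raise ValueError("duplicate RelayState fields")
    # Inspection only: signature validation and hardened XML parsing
    # stay with the SP's SAML library.
    xml_bytes = base64.b64decode(form["SAMLResponse"][0], validate=True)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    return {
        "relay_state": form.get("RelayState", [None])[0],
        "in_response_to": root.get("InResponseTo"),
        "destination": root.get("Destination"),
    }

def relay_state_matches(parsed: dict, pending: dict) -> bool:
    """True only if RelayState equals the value stored for this request ID."""
    expected = pending.get(parsed["in_response_to"])
    returned = parsed["relay_state"]
    if expected is None or returned is None:
        return False
    return hmac.compare_digest(expected.encode(), returned.encode())

# Constructed sample: a trimmed, unsigned Response reusing the question's IDs.
SAMPLE_XML = (
    '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="http://localhost:8443/saml/SSO" '
    'InResponseTo="_1ed7715e-da74-4c9a-8e45-3a2b546592be" Version="2.0"/>'
)
SAMPLE_BODY = urlencode({
    "SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
    "RelayState": "myRelayStateValue",
})
# Hypothetical SP-side store: AuthnRequest ID -> RelayState sent with it.
PENDING = {"_1ed7715e-da74-4c9a-8e45-3a2b546592be": "myRelayStateValue"}

if __name__ == "__main__":
    parsed = parse_acs_post(SAMPLE_BODY)
    print(parsed, relay_state_matches(parsed, PENDING))
```
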