Mapping Relay States to Applications

Prerequisites

  • The identity provider issues an alias for an application in the RelayState parameter.

    For more information, see the documentation supplied by the identity provider vendor.

  • You have trusted the identity provider.

    For more information, see Trusting an Identity Provider.

Context

Use this procedure to protect application URLs when performing identity provider-initiated Single Sign-On (SSO). Security Assertion Markup Language (SAML) 2.0 uses a RelayState parameter to restore the original application URL so that the user can return to the application with a SAML assertion. Exposing the application URL in SAML messages can be a security risk. For service provider-initiated SSO, the service provider saves the URL and places the name of the cookie in the relay state. For identity provider-initiated SSO, this option is not available. Instead, you can have the identity provider place an alias for the application in the relay state and map the alias to the application on the service provider.

Procedure

  1. Start SAP NetWeaver Administrator.
  2. Choose Configuration Management > Security > Authentication and Single Sign-On and choose SAML 2.0 > Local Provider.
  3. Choose the Edit pushbutton.
  4. Choose the Service Provider Settings tab.
  5. Under RelayState Mapping, choose the Add pushbutton.
  6. Enter the application alias you agreed upon with the administrator of the identity provider and the relative path to the target application.
    Example

    RelayState    Application Path
    ----------    ----------------
    portal        /irj/portal

    Note

    The service provider supports adding URL parameters to the relay state alias. The service provider strips the URL parameters from the relay state alias and appends them to the matching application path, even if the application path already includes URL parameters. Using the example above, if the service provider receives the relay state portal?test=true, it redirects the client to /irj/portal?test=true.

  7. Save your entries.

Results

If the relay state does not match any relay state known to the service provider, an error occurs.

If the relay state is empty, the service provider uses the default application path.

For more information, see Configuring the Default Application Path.
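
The mapping behavior described in the note to step 6 and under Results, modeled as an added Python example; it is not SAP code. The function name, the default path value, the reports row and the "&" join for paths that already carry parameters are assumptions.

```python
# Added illustration: models the relay state handling this page describes.
# Not SAP code; the "&" join and DEFAULT_APP_PATH are assumptions.


class UnknownRelayState(Exception):
    """Alias is not in the mapping (the page: 'an error occurs')."""


# Alias -> relative application path, as entered under RelayState Mapping.
RELAY_STATE_MAP = {
    "portal": "/irj/portal",            # example row from this page
    "reports": "/app/reports?lang=en",  # constructed row: path already has parameters
}

# Constructed placeholder for the configured default application path.
DEFAULT_APP_PATH = "/default/app"


def resolve_relay_state(relay_state, mapping=RELAY_STATE_MAP,
                        default_path=DEFAULT_APP_PATH):
    """Return the relative path the client is redirected to."""
    if not relay_state:
        # Empty relay state: use the default application path.
        return default_path

    # Split the alias from any URL parameters that follow it.
    alias, _, params = relay_state.partition("?")

    if alias not in mapping:
        # Exact-match lookup: an unknown alias or a full URL sent as the
        # relay state is rejected and never becomes the redirect target.
        raise UnknownRelayState(alias)

    path = mapping[alias]
    if not params:
        return path

    # Assumption: the page does not say how parameters are joined when the
    # mapped path already has a query string; "&" is used here.
    joiner = "&" if "?" in path else "?"
    return path + joiner + params
```

Parameters that follow the alias reach the application path unchanged in this model, so the target application still has to validate them.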