Mapping Relay States to Applications

Use this procedure to protect application URLs when performing identity provider-initiated Single Sign-On (SSO). Security Assertion Markup Language (SAML) 2.0 uses the RelayState parameter to carry the original application URL, so that the user can be returned to that application once the SAML assertion has been processed. Exposing the application URL in SAML messages can be a security risk. For service provider-initiated SSO, the service provider saves the URL itself and places only the name of the cookie in the relay state. For identity provider-initiated SSO this option is not available, because the service provider has not stored anything before the assertion arrives. Instead, you can have the identity provider place an alias for the application in the relay state and map that alias to the application path on the service provider, so the identity provider never names the URL directly.

Prerequisites

  • The identity provider issues an alias for an application in the RelayState parameter.

    For more information, see the documentation supplied by the identity provider vendor.

  • You have trusted the identity provider.

    For more information, see Trusting an Identity Provider.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Local Provider tab, choose the Service Provider Settings tab.

  3. Choose the Edit pushbutton.

  4. Under RelayState Mapping, choose the Add pushbutton.

  5. Enter the application alias you agreed upon with the administrator of the identity provider and the relative path to the target application on the service provider.

    Example: Application Path and RelayState Alias

    RelayState    Application Path
    private       /example/private

    Note

    The service provider supports adding URL parameters to the relay state alias. The service provider strips the URL parameters from the relay state alias, looks up the remaining alias, and appends the parameters to the matching application path, even if the application path already includes URL parameters. Using the example above, if the service provider receives the relay state private?test=true, it redirects the client to /example/private?test=true.
  6. Save your entries.

Result

If the relay state (after stripping any URL parameters) does not match any alias configured on the service provider, an error occurs.

If the relay state is empty, the service provider uses the default application path.

For more information, see Configuring the Default Application Path.
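The alias lookup and parameter handling described in the note above and under Result, written out as an added Python example. This is not code from the SAP documentation or from the SAP service provider; it models the documented behaviour so the edge cases can be exercised. The mapping table, the default application path and the second alias (reports) are constructed for the example. The exact, case-sensitive alias comparison and joining with & when the mapped path already carries a query string are assumptions (the page only says the parameters are appended), as is the final relative-path and CR/LF check, which the page does not mention but which is the reason the alias scheme exists: the identity provider must never be able to pick the redirect target.

```python
from urllib.parse import urlsplit

# Constructed alias table, corresponding to the entries made under
# RelayState Mapping in transaction SAML2 (alias -> relative application path).
# The "reports" entry is assumed, to show a path that already has parameters.
RELAYSTATE_MAPPING = {
    "private": "/example/private",
    "reports": "/example/reports?view=summary",
}

# Assumed value for the service provider's default application path.
DEFAULT_APPLICATION_PATH = "/example/home"


class UnknownRelayStateError(ValueError):
    """The alias in the relay state is not configured on the service provider."""


class UnsafeTargetError(ValueError):
    """The resolved target would leave this host or break the redirect header."""


def resolve_relay_state(relay_state, mapping=RELAYSTATE_MAPPING,
                        default_path=DEFAULT_APPLICATION_PATH):
    """Map an IdP-supplied RelayState value to a relative application path.

    Modelled on the documented behaviour: an empty relay state selects the
    default application path; URL parameters after the first '?' are stripped
    from the alias and appended to the mapped path; an unknown alias is an
    error. Exact alias comparison and joining with '&' when the mapped path
    already has a query string are assumptions made for this example.
    """
    if not relay_state:
        return default_path

    alias, sep, query = relay_state.partition("?")
    try:
        target = mapping[alias]
    except KeyError:
        raise UnknownRelayStateError(f"no application mapped for alias {alias!r}")

    if sep and query:
        target = target + ("&" if "?" in target else "?") + query

    # Defence in depth (assumed, not from the page): the IdP only ever chose an
    # alias, so the result must still be a path on this host, and must not
    # carry CR/LF that could split the Location header. Check CR/LF on the raw
    # string first, because urlsplit silently drops those characters.
    if "\r" in target or "\n" in target:
        raise UnsafeTargetError("control characters in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise UnsafeTargetError(f"target is not a local relative path: {target!r}")
    return target


if __name__ == "__main__":
    for rs in ("", "private", "private?test=true", "reports?test=true", "bogus"):
        try:
            print(f"{rs!r:22} -> {resolve_relay_state(rs)}")
        except UnknownRelayStateError as exc:
            print(f"{rs!r:22} -> error: {exc}")
```

Running the script shows the documented cases in order: the empty relay state lands on the default path, private?test=true becomes /example/private?test=true, and an alias that is not in the table produces an error instead of a redirect. A relay state carrying a full URL, such as https://evil.example/private, fails the lookup because no such alias is configured, which is exactly the property the alias mapping is meant to give you.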