
I had a look around the forum here and read a few threads, but I don't think there is an answer to my question. Having said that, I am by no means a SAML expert so some of the threads I read I did so with glossy eyes :).

I have inherited some code that uses OpenSAML (on the SP side) to generate a request and send it over to an ADFS implementation. The issue I am looking into is the fact that the user is always returned to the same URL, regardless of an initial request for, say, a deep link into the site. Now, on the ADFS side I know that the redirect back to the SP is static, which won't help, but I am 99.9% sure that we are not passing any redirection values to the provider. From my research, I think I should be using the RelayState to pass the value so that it is echoed back to me, so that I can use it after processing the SAML Response.

My problem is that I am not clear on how to pass the RelayState in the first place. In the code I am working with I can see a class defined --

import javax.servlet.http.HttpServletResponse;
import org.opensaml.messaging.encoder.servlet.BaseHttpServletResponseXMLMessageEncoder;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// HTTPServletTransportSender is assumed to be the application's own base class; it is not an OpenSAML type.
public class HTTPRedirectTransportSender extends HTTPServletTransportSender
{
    private static final transient Logger LOG = LoggerFactory.getLogger(HTTPRedirectTransportSender.class);

    public HTTPRedirectTransportSender(HttpServletResponse httpServletResponse)
    {
        super(httpServletResponse);
    }

    // Selects the SAML 2.0 HTTP-Redirect binding: the encoder deflates, base64- and URL-encodes the
    // AuthnRequest into the SAMLRequest query parameter, and adds a RelayState parameter if one is set
    // on the MessageContext it is given.
    @Override
    protected BaseHttpServletResponseXMLMessageEncoder buildMessageEncoder()
    {
        return new HTTPRedirectDeflateEncoder();
    }

}

... and if I look at the HttpRedirectDeflateDecoder then I can see some logic about building the URL and such. I've been searching for a while now but I haven't found an example that I am sure will be what I am looking for, so I was hoping an expert out there might be able to help?

  • perhaps this might help. I've just answered a similar question but for javascript. I have a JSP with SAMLRequest and RelayState that gets POSTed automatically but it should let you see how to send RelayState stackoverflow.com/questions/48700273/…
    – codebrane
    Commented Feb 9, 2018 at 9:05
  • Just to make clear what you're asking 😃 your site (the SP) causes the client's browser to issue a request to an ADFS (a GET request)? And now you're wondering how to attach the RelayState to this request? Commented Feb 11, 2018 at 7:22

2 Answers


You're definitely thinking about it right. You'll want to save the user's originally entered URL and use it as the relay state.

For OpenSAML v3, you attach the relay state to the MessageContext. You'll have to find where your application is building the MessageContext and do something like this:

SAMLBindingSupport.setRelayState(messageContext, relayState);

This is a convenience method provided by the OpenSAML library; in the background, it's accessing the SAMLBindingContext subcontext from your MessageContext (creating it if necessary) and setting the relay state on that.

messageContext.getSubcontext(SAMLBindingContext.class, true).setRelayState(relayState);
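The following is an added, end-to-end illustration of the answer above for OpenSAML 3; it is not code from the answerer or from the OpenSAML project. It builds the AuthnRequest and its MessageContext directly with HTTPRedirectDeflateEncoder rather than through the question's HTTPServletTransportSender wrapper, and the IdP URL, ACS URL and entity ID are placeholders. It also shows the other half that the question needs: validating the RelayState the IdP echoes back before redirecting to it, because that value is attacker-influenceable input and would otherwise be an open redirect. The 80-byte limit is the SAML 2.0 bindings specification's maximum for RelayState.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.UUID;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.joda.time.DateTime;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;

public final class RelayStateExample {

    // Placeholder values for this example; a real SP reads these from configuration or IdP metadata.
    static final String IDP_SSO_URL = "https://adfs.example.test/adfs/ls/";
    static final String SP_ACS_URL = "https://sp.example.test/saml/auth";
    static final String SP_ENTITY_ID = "https://sp.example.test/saml/metadata";
    // SAML 2.0 bindings spec: RelayState MUST NOT exceed 80 bytes.
    static final int RELAY_STATE_MAX_BYTES = 80;

    /** SP side, step 1: build the AuthnRequest, attach the requested deep link as RelayState, redirect to the IdP.
     *  Assumes InitializationService.initialize() has already been called once at application start-up. */
    public static void sendAuthnRequest(HttpServletRequest req, HttpServletResponse resp) throws Exception {
        // The URL the user originally asked for, e.g. /this/is/a/protected/url?x=1
        String deepLink = req.getRequestURI() + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
        // Only carry a value we would be willing to redirect to later; otherwise fall back to the home page.
        String relayState = isSafeLocalRelayState(deepLink) ? deepLink : "/";

        AuthnRequest authnRequest = (AuthnRequest) XMLObjectSupport.buildXMLObject(AuthnRequest.DEFAULT_ELEMENT_NAME);
        authnRequest.setID("_" + UUID.randomUUID());
        authnRequest.setIssueInstant(new DateTime());
        authnRequest.setDestination(IDP_SSO_URL);
        authnRequest.setAssertionConsumerServiceURL(SP_ACS_URL);
        authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
        Issuer issuer = (Issuer) XMLObjectSupport.buildXMLObject(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(SP_ENTITY_ID);
        authnRequest.setIssuer(issuer);

        MessageContext<SAMLObject> ctx = new MessageContext<>();
        ctx.setMessage(authnRequest);

        // The redirect encoder takes its target URL from SAMLPeerEntityContext -> SAMLEndpointContext.
        SingleSignOnService sso = (SingleSignOnService) XMLObjectSupport.buildXMLObject(SingleSignOnService.DEFAULT_ELEMENT_NAME);
        sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        sso.setLocation(IDP_SSO_URL);
        ctx.getSubcontext(SAMLPeerEntityContext.class, true)
           .getSubcontext(SAMLEndpointContext.class, true)
           .setEndpoint(sso);

        // The answer's one-liner: this is what makes RelayState appear in the redirect URL.
        SAMLBindingSupport.setRelayState(ctx, relayState);

        HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
        encoder.setMessageContext(ctx);
        encoder.setHttpServletResponse(resp);
        encoder.initialize();
        encoder.encode(); // 302 to IDP_SSO_URL?SAMLRequest=...&RelayState=...
    }

    /** SP side, step 2: after the SAML Response has been fully validated, return the user to the deep link.
     *  The IdP echoes RelayState as a form field (POST binding) or query parameter (Redirect binding);
     *  if you decode with an OpenSAML decoder it is also available via SAMLBindingSupport.getRelayState(). */
    public static void finishLogin(HttpServletRequest req, HttpServletResponse resp) throws java.io.IOException {
        String relayState = req.getParameter("RelayState");
        // Never redirect to an unvalidated value: a crafted RelayState would turn the ACS into an open redirect.
        resp.sendRedirect(isSafeLocalRelayState(relayState) ? relayState : "/");
    }

    /** Accepts only a same-site path: one leading "/", no scheme or authority, no backslashes or control
     *  characters, and within the 80-byte RelayState limit. */
    static boolean isSafeLocalRelayState(String s) {
        if (s == null || s.isEmpty()) return false;
        if (s.getBytes(StandardCharsets.UTF_8).length > RELAY_STATE_MAX_BYTES) return false;
        if (!s.startsWith("/") || s.startsWith("//") || s.contains("\\")) return false;
        for (char c : s.toCharArray()) {
            if (c < 0x20 || c == 0x7f) return false;
        }
        try {
            URI u = new URI(s);
            return !u.isAbsolute() && u.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

If the deep links on your site can exceed 80 bytes, store the full URL server-side (for example in the session under a random token) and send only the token as RelayState, then look it up in finishLogin; enforcing the limit in your own code, as above, is clearer than relying on whatever the encoder does with an oversized value.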

RelayState is typically used for IDPInitiated as per this.

As per this, "Don't be confused by the fact that RelayState serves two completely separate purposes. For IdPInitiated, the RelayState specifies the landing page at the SP. For SPInitiated it's a way for the SP to maintain state information between sending the AuthnRequest and receiving the SAML response. RelayState may be sent along with the AuthnRequest and the IDP must return this RelayState along with the SAML response."

  • Sure, but, as you stated in the paragraph it is also often used by the SP to save some state -- like the URL that was requested before the auth process started. If someone deep links into the site somesite.com/this/is/a/protected/url ... and is then redirected to the IdP, who then returns the user to the somesite.com/saml/auth to process the response, then I could use the relay state in a success scenario to redirect the user to the original URL. My question was not so much what the relay state is, but rather HOW to pass it to the IdP. Commented Feb 8, 2018 at 2:29
  • As above - put in AuthnRequest.
    – rbrayb
    Commented Feb 8, 2018 at 17:45
