0
votes

I have successfully configured SAML SSO with OpenAM as SP and PingFederate as IdP with SP-initiated SSO, using the Redirect-POST binding. I am using the Kerberos adapter for implementing SSO.

However, I cannot pass the RelayState parameter from OpenAM to PF and get it back as part of the SAML auto-post form after successful authentication. It always redirects to the OpenAM Assertion Processing Service, i.e. openam/metalias/sp.

Things I tried:

  1. SAML authentication and custom redirect URL

  2. SSO - SAML, Redirect a user to a specified landing page after successful log in

I created a binding in the IdP attribute mapping with the name "RelayState", but it appears as part of the signed SAMLResponse and not as an extra parameter in the auto-post form, so OpenAM is not able to get RelayState.

I also tried passing RelayState URL-encoded, as well as passing it under the name TargetResource. But no luck.

```html
<!-- template name: form.autopost.template.html -->

#set( $messageKeyPrefix = "form.autopost.template." )

<html>
    <head>
        <title>$templateMessages.getMessage($messageKeyPrefix, "title")</title>
        <meta name="referrer" content="origin"/>
        <meta http-equiv="x-ua-compatible" content="IE=edge" />
    </head>
    <body onload="javascript:document.forms[0].submit()">
        <noscript>
            <p>
                <strong>$templateMessages.getMessage($messageKeyPrefix, "noteTitle"):</strong> $templateMessages.getMessage($messageKeyPrefix, "note")
            </p>
        </noscript>
        <form method="post" action="$action">
            #foreach( $name in $formControls.keySet() )
            <input type="hidden" name="$escape.escape($name)" value="$escape.escape($formControls.get($name))"/>
            #end
            <input type="hidden" name="RelayState" value="https://www.google.com"/>
            <noscript><input type="submit" value="$templateMessages.getMessage($messageKeyPrefix, "resume")"/></noscript>
        </form>
    </body>
</html>
```


Out of curiosity, I modified the PingFederate auto-post form to force-include the RelayState parameter, and it worked.

So I need to find a way to pass this information to PF, so that PF can pass it back to the SP (OpenAM) after authentication is done, by adding the extra parameter to the SAMLResponse form.

1
For SP-init, by spec the SP should send an opaque value to the IdP in the RelayState parameter of the AuthnRequest, not a URL. This value should be the key to a key-value pair captured at the SP, where the value holds the location the user should be redirected to after the SSO is complete. PingFederate will respond to the AuthnRequest with that same value in RelayState. The SP should look up where the user is to be redirected and send the user off. I would suspect that you aren't starting the SP-init transaction properly, but I am not familiar enough with OpenAM to help more. - Andrew K.
How are you triggering SP-initiated SSO from OpenAM? Are you using 'saml2/jsp/spSSOInit.jsp' (equivalent to URI 'spssoinit')? - Bernhard Thalmayr
@BernhardThalmayr Hi, we are using the Redirect-POST technique for SP-init. So the SP will redirect to the IdP. It is driven from the Authentication Module. In the module we configure the IdP entity ID, and in federation we have a circle of trust. So the request goes to the specific module in the circle of trust in federation. - Aniket Dandawate
If you are using the SAML2 authentication module, then OpenAM will actually send the browser back to the URL which was used to trigger authentication (value of the 'goto' parameter) after the SAML flow succeeds. Do you want to end up somewhere else? - Bernhard Thalmayr
@BernhardThalmayr - Yes, I am using the SAML2 Authentication module. The module name is PingSAML, so when I hit host:port/openam/UI/Login?module=PingSAML&goto=/openam/… it redirects to the IdP and on success it goes to "/openam/Consumer/metaAlias/sp". The IdP is not aware of the goto/RelayState parameter, nor does it send it back to the SP in the response. I have tried using "RelayState" instead of "goto" as the key in the redirect request, but same result. It always goes back to /openam/Consumer/metaAlias/ (the Assertion Consumer Service). The problem is that the goto parameter is not populated. - Aniket Dandawate
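The SP-side RelayState pattern Andrew K. describes in the comments, as an added example that is not OpenAM's or PingFederate's code: the SP issues an opaque token for the AuthnRequest, keeps the landing URL server-side, and resolves it at the ACS only after the SAMLResponse validates, so the redirect target never travels through the IdP as a raw URL. `RelayStateStore`, `ALLOWED_HOSTS` and the 5-minute TTL are assumptions, not OpenAM configuration.

```python
import secrets
import time
from urllib.parse import urlsplit

# Hypothetical SP-side settings (assumptions, not OpenAM or PingFederate config).
ALLOWED_HOSTS = {"sp.example.com"}   # hosts the SP may redirect to after SSO
RELAY_STATE_TTL = 300                # seconds before a stored token expires


class RelayStateStore:
    """Maps opaque RelayState tokens to post-SSO landing URLs at the SP."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # token -> (landing_url, expires_at)

    def issue(self, landing_url):
        """Called when the SP starts SP-initiated SSO. Stores the target and
        returns the opaque token to place in the AuthnRequest's RelayState
        (the SAML bindings spec limits RelayState to 80 bytes; 32 chars fits)."""
        if not self._is_safe_target(landing_url):
            raise ValueError("refusing to store off-site landing URL")
        token = secrets.token_urlsafe(24)  # 32 URL-safe chars, 192 bits of entropy
        self._entries[token] = (landing_url, self._now() + RELAY_STATE_TTL)
        return token

    def redeem(self, token, fallback="/"):
        """Called at the ACS after the SAMLResponse has been validated. Looks up
        the token the IdP echoed back, consumes it (one-time use) and returns
        the landing URL; unknown or expired tokens fall back to a safe default."""
        entry = self._entries.pop(token, None)
        if entry is None:
            return fallback
        landing_url, expires_at = entry
        if self._now() > expires_at:
            return fallback
        return landing_url

    @staticmethod
    def _is_safe_target(url):
        """Accept only same-site relative paths or HTTPS URLs on allowed hosts,
        which blocks open-redirect targets such as https://www.google.com."""
        parts = urlsplit(url)
        if parts.scheme == "" and parts.netloc == "":
            return url.startswith("/") and not url.startswith("//")
        return parts.scheme == "https" and parts.netloc in ALLOWED_HOSTS
```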

1 Answer

1
votes

Using 'saml2/jsp/spSSOInit.jsp' instead of SAML2 authentication module URL solved this issue.