We may have found a regression related to SAML RelayState.
It’s working for 6.5.2, but not anymore for the latest 7.0.0 (something has been broken between March and now).
We’ve found that after an SP-initiated SSO authentication request (login successful), when AM redirects back to the fedlet (/saml/fedletapplication) with the SAML Response (it contains encrypted assertions, so it should not be some error response), that redirect no longer contains the RelayState parameter, so we end up doing our own final redirection to a default page (but not the expected one).
SP-initiated SSO from IG redirects to that URL:
There is a variable here because I took it from the IG config, but the real redirect has a real, properly encoded URI in place (the final goto).
On the AM login page, I get that URL in the navigator bar in my browser:
(decomposed for readability). At this point there is no RelayState anymore (but we have a request ID, so maybe AM keeps that value somehow in a session...)
And the final redirect to /fedletapplication (after successful authn) contains SAMLResponse and a strange query parameter called s220c4ed1cabfec4a4c8b9da522d1d8ced784635f2...