OpenAM / OPENAM-17070

SAML2 SP initiated SSO with AM as IdP proxy, RelayState is not returned from proxy after IdP authentication



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 6.5.3, 7.0.1
    • Fix Version/s: 6.5.4, 7.1.0, 7.0.2
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 80, AM Sustaining Sprint 81


      Bug description

      The configuration uses SAML2 in standalone mode, with AM set up as an IdP proxy and a third-party application acting as the service provider. When SSO is initiated from the SP side, the RelayState parameter is used to direct the user to the desired location after the SAML2 flow has authenticated them.

      Previously, the IdP proxy on AM posted the RelayState back to the SP after authentication on the IdP. On 6.5.3, however, the RelayState is no longer posted back to the SP with the SAML response.

      This has also been tested without the IdP proxy, between two AM instances acting as SP and IdP: there the RelayState works as intended (the user lands on the URL set in RelayState) without configuring any 'validation services' or 'Relay State URL List' on the hosted providers.

      How to reproduce the issue

      Follow the steps provided in the following KB:

      Beware of the following bug, which affected the setup: entities may not be added to the CoT properly. Use the JATO-based console to remove and re-add the entities to the CoT on all hosted providers: https://bugster.forgerock.org/jira/browse/OPENAM-13942

      After completing the setup, use an example similar to the one below to initiate SP-initiated SSO.

      Check the HAR to see that the RelayState is not posted back to the SP along with the SAML response.
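      To make the HAR check above repeatable, here is an added example (not part of this issue or of AM's code) that scans a HAR export for POSTs carrying a SAMLResponse and reports, per POST to the ACS, whether a RelayState came back; the HAR entries, the ACS URL and the host allowlist are constructed for illustration, and the allowlist is only a simplified stand-in for the 'Relay State URL List' mentioned in the description.

```python
import json
from urllib.parse import urlparse

# Constructed sample HAR (not a capture from the issue): one SAML response
# POST to the SP's ACS without a RelayState, one with it, plus an unrelated GET.
SAMPLE_HAR = json.loads("""{"log": {"entries": [
  {"request": {"method": "POST", "url": "https://sp.example.com/saml2/acs",
    "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWxwOlJlc3BvbnNlLi4u"}]}}},
  {"request": {"method": "POST", "url": "https://sp.example.com/saml2/acs",
    "postData": {"params": [{"name": "SAMLResponse", "value": "PHNhbWxwOlJlc3BvbnNlLi4u"},
                            {"name": "RelayState", "value": "https://sp.example.com/app/home"}]}}},
  {"request": {"method": "GET", "url": "https://idp.example.com/login"}}
]}}""")


def saml_response_posts(har):
    """Yield (url, form params) for every POST that carries a SAMLResponse field."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req.get("method") != "POST":
            continue
        params = {p["name"]: p["value"]
                  for p in req.get("postData", {}).get("params", [])}
        if "SAMLResponse" in params:
            yield req["url"], params


def check_relay_state(har, acs_url, allowed_hosts):
    """For each SAML response POST to acs_url, report 'missing' (the symptom in
    this issue), 'ok', or 'not-allowed' (RelayState host outside the allowlist)."""
    findings = []
    for url, params in saml_response_posts(har):
        if url != acs_url:
            continue
        relay = params.get("RelayState")
        if relay is None:
            findings.append("missing")
        elif urlparse(relay).hostname in allowed_hosts:
            findings.append("ok")
        else:
            findings.append("not-allowed")
    return findings


if __name__ == "__main__":
    print(check_relay_state(SAMPLE_HAR, "https://sp.example.com/saml2/acs",
                            {"sp.example.com"}))  # ['missing', 'ok']
```

      Run it against a real HAR by replacing SAMPLE_HAR with json.load() of the exported file; a 'missing' entry for the ACS POST is the behaviour this issue reports.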

      Expected behaviour
      The IdP proxy posts the RelayState back to the SP.
      Current behaviour
      The IdP proxy does not post the RelayState back to the SP.

      Workaround

      If AM is acting as the hosted SP, the RelayState URL value can be set in 'Default Relay State URL'.

      This redirects users to the indicated URL when no RelayState is specified in the response.

      Realm > Applications > Federation > Entity Providers > [hosted SP name] > Assertion Processing > Default Relay State URL




            chee-weng.chea (C-Weng C)
            jason.yuen (Jason Yuen)