Forum Discussion

Ingebrigt_Maurs
May 04, 2015

APM doesn't use RelayState value sent in Request

I have trouble making RelayState work. I use APM as an IDP-initiated SP. I send RelayState with the assertion. The spec for sending RelayState to APM as a SP is unclear/absent, so I send it in the same way a RelayState is sent in a SP-initiated interaction (as x-www-form-urlencoded form data).

The guide (https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/30.html) says:

Optional: In the Relay State field, type a value. The value can be an absolute path, such as hr/index.html or a URI, such as https://www.abc.com/index.html.
It is where the service provider redirects users after they are successfully authenticated and have been allowed by the access policy. 
When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.

The log seems to indicate that I send in RelayState correctly:

May  4 11:23:55 bigip-test debug apd[11857]: 01490000:7: modules/Authentication/Saml/SamlSPAgent.cpp func: "parseQueryData()" line: 403 Msg: IdP Initiated: RelayState: https://myhost.no/some/path/i/provided/in/relaystate

However, I'm not redirected to the URL provided in RelayState after successful SSO.

If I do not configure a default RelayState on the SP, SSO will fail. If I do configure a default RelayState on the SP, SSO will succeed and the default RelayState will be used.
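To make the two halves of the exchange above concrete, here is an added example (not APM code and not from the original post) that builds the ACS form body the IdP POSTs, with RelayState as a sibling field of SAMLResponse, and applies the documented selection rule on the SP side: use the IdP-supplied RelayState, else the configured default. It also adds the check a defender wants, since an unvalidated RelayState turns the ACS into an open redirect. The host allow-list, the helper names and the base64 placeholder are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder standing in for a base64 SAML Response; not a real assertion.
FAKE_SAML_RESPONSE = "PHNhbWxwOlJlc3BvbnNlPi4uLjwvc2FtbHA6UmVzcG9uc2U+"


def build_acs_post_body(saml_response_b64: str, relay_state: Optional[str]) -> str:
    """Form body (application/x-www-form-urlencoded) the IdP POSTs to the SP's ACS URL.
    RelayState travels as a form field next to SAMLResponse."""
    fields = {"SAMLResponse": saml_response_b64}
    if relay_state:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def _is_safe_target(target: str, allowed_hosts: set) -> bool:
    """Accept a relative path (e.g. hr/index.html) or an https URL on an allow-listed host.
    Reject protocol-relative and backslash forms such as //other or /\\other, which
    browsers resolve to a different origin."""
    if target.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return True
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def resolve_post_sso_redirect(acs_body: str, config_default: Optional[str],
                              allowed_hosts: set) -> Optional[str]:
    """Pick the URL the SP redirects to after a successful assertion.
    Documented rule: use the RelayState received from the IdP if present,
    otherwise the SP's configured default. Assumed policy added here: a
    received value that fails the allow-list check is ignored and the
    default is used instead."""
    form = parse_qs(acs_body, keep_blank_values=True)
    received = form.get("RelayState", [""])[0]
    if received and _is_safe_target(received, allowed_hosts):
        return received
    return config_default


if __name__ == "__main__":
    body = build_acs_post_body(FAKE_SAML_RESPONSE, "https://myhost.no/intended/path")
    print(resolve_post_sso_redirect(body, "https://myhost.no/default/path", {"myhost.no"}))
```

With the thread's values, the IdP-supplied https://myhost.no/intended/path wins over the configured default, which is the behaviour the quoted documentation describes.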

6 Replies

  • Also, if I set a default RelayState on the SP, this will break SP-initiated SSO.

    I set default RelayState on the SP to https://myhost.no/default/path

    As a client, I go to https://myhost.no/intended/path.

    As expected I get redirected to the IDP, authenticate, and then I am redirected back to the SP ACS with RelayState https://myhost.no/intended/path. But unfortunately I am sent to https://myhost.no/default/path. Correct behaviour would have been to be sent to my intended URL https://myhost.no/intended/path.

    • Michael_Koyfma1
      Ok, I am a little bit confused here, so I need to clarify. Are you saying that APM is IDP and you are having issues with this config? If so, what is your SP? Is your goal to support both IDP and SP-initiated logons? The reason for my confusion is you continue to cite documentation about APM acting as SP and how it handles the RelayState parameter - but to me, it sounds like you are using APM as an IDP - and that documentation portion does not apply then.
    • Ingebrigt_Maurs
      I use APM as SP. My goal is to support both IDP and SP initiated logons. It is IDP initiated that is causing me trouble. BUT, SP initiated is also acting strange if I set the 'RelayState' property of the SP configuration. If I as a client go to https://sp.no/intended/path I expect to end up there after SSO. But actually I end up at the URL specified by the RelayState property on the SP, if this is set. I'm unsure if this is a bug or a feature, but it certainly means I can't use the RelayState property. Because all clients using SP-initiated SSO will land on the URI specified in the RelayState property (and not on the landing URI they tried to reach).
  • kunjan

    Have you tried configuring https://myhost.no/intended/path as the RelayState on SP? What do you refer to as default RelayState?

  • Yes, I have tried configuring the RelayState on my SP. I have set this to https://myhost.no/default/path

    It is this I refer to when I talk about 'default RelayState'.

    From the doc it is clear this setting should work as a default value:

    When APM receives the relay state from the Identity Provider in addition to assertion, then it uses the value received from the IdP to redirect the user. Otherwise, APM uses the value from this configuration.

    When I set RelayState on the SP, then this value is used. However, in my use case the intended path will vary per SSO request, so I need to override the 'default RelayState', or not use a 'default RelayState'.

  • kunjan

    Seems like a bug with RelayState, possibly a known issue. I suggest raising a support case to get the fix.