Posterus_85681
Sep 06, 2016

Dynamic "RelayState" for iDP initiated connections

We use APM for IdP-initiated SAML assertion and have it working for a number of SaaS applications. We have a new application that requires the "RelayState" to be set, so that users go to a specific location in the application.

The "RelayState" needs to be dynamic (changed based on a session variable).

We have tried editing the External SP connector and changing the RelayState to: %{session.custom.relaystate}, however the variable never gets inserted; we just see the literal text in the SAML assertion.

Any ideas?

4 Replies

  • Salim_83682
    Historic F5 Account

    Hi,

    I don't believe that using a session variable for the RelayState field is currently supported.

    I have done something similar in the past with APM as SP that may work for APM as IdP (at least it's worth testing). A "temporary" internal RelayState session variable gets created when the policy runs (if you debug your policy you can see it); in this particular case, it's always named:

    saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState

    You may be able to set your RelayState using a Variable assign in the VPE right before your Resource Assignment. In this case, you could match it with your session.custom.relaystate.

    If the variable doesn't work in the APM as IdP scenario, you can try to debug your policy and look into sessiondump and /var/log/apm outputs to see if you find another similar variable that you could use.

    Otherwise, I suggest you open a case with F5 Support to request the feature to be added.

    Let me know how it turns out.

    Salim

    • Posterus_85681

      Hi Salim,

      How did you find this saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState temporary variable?

      Could you modify it?

      Regards, Peter

    • AJ_01_135899

      Did you ever get this working? We're running into a similar problem with an IdP initiated SAML SSO, with deep linking (via relaystate) required...

    • amass87_221296

      Anyone have more information on this? Setting saml./Common/(INSERT_ACCESS_PROFILE_NAME_HERE)_act_saml_auth_ag.RelayState doesn't actually populate RelayState when the POST is sent to the SP.
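
One way to confirm what the IdP really sends to the SP while testing the approaches discussed in this thread, added here as an example and not written by any poster or taken from F5: the script parses the auto-submit HTML form of a SAML POST binding (as saved from the browser) and reports whether RelayState is absent, still contains a literal `%{...}` session-variable reference, or holds a real value. The function names, the sample form and the `sp.example.com` URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# APM session-variable reference as quoted in the thread: %{session.custom.relaystate}
PLACEHOLDER = re.compile(r"%\{[^}]+\}")


class PostFormParser(HTMLParser):
    """Collects the <form> action and the name/value pairs of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def check_relaystate(html):
    """Return (status, value) for the RelayState field of a SAML POST form."""
    p = PostFormParser()
    p.feed(html)
    if "SAMLResponse" not in p.fields:
        return ("not-a-saml-post", None)
    value = p.fields.get("RelayState", "")
    if value == "":
        return ("missing", None)          # SP will fall back to its default landing page
    if PLACEHOLDER.search(value):
        return ("unexpanded", value)      # variable reference was sent as literal text
    return ("populated", value)


def sample_form(relaystate):
    """Constructed sample of an IdP auto-submit form (hypothetical SP URL)."""
    rs = "" if relaystate is None else (
        f'<input type="hidden" name="RelayState" value="{relaystate}"/>')
    return ('<form method="post" action="https://sp.example.com/acs">'
            '<input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLz4="/>'
            f"{rs}</form>")


if __name__ == "__main__":
    for rs in ("%{session.custom.relaystate}", "/reports/42", None):
        print(rs, "->", check_relaystate(sample_form(rs)))
```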