Tags: saml-2.0, okta

How do I hand RelayState correctly to Okta's ACS URLs?


How do I hand RelayState correctly to Okta-side ACS URLs so that it gets to the IdP as entered?

The Okta-provided ACS URLs for Identity Providers don't handle SP-initiated RelayState as I expect.

I put ?RelayState=hello on an ACS URL and the IdP gets a SAMLRequest with a RelayState of %3FRelayState%3Dhello which decodes to ?RelayState=hello.

If I put ?RelayState= instead then the RelayState with the SAMLRequest is blank as I expect.

I've attached NetworkData.xml which is a capture from Internet Explorer. On line 447 column 53, you can see that the RelayState encoded by Okta to be POSTed to https://fs.research.verafin.local/adfs/ls includes ?RelayState in it.

AD FS's IdP SSO service at https://fs.research.verafin.local/adfs/ls decodes and re-encodes the RelayState preserving the broken value it was given and drops it into a form to be POSTed to https://verafin.oktapreview.com:443/sso/saml2/0oaa25fc86YRTkyb60h7 (Okta ACS URL).

It then redirects to https://verafin.oktapreview.com/?RelayState=hello&fromLogin=true HTTP/1.1

Is this a bug in Okta's ACS implementation?

How do I get Okta ACS URLs to accept RelayState in GET requests (SP initiated SSO with RelayState)?

Steps to Reproduce

  1. Copy the ACS URL from an Identity Provider in Okta
  2. Paste it into the browser with ?RelayState=hello after it
  3. Visit resulting URL



Solution

  • The accepted answer is no longer current. Okta now recommends against using fromURI and instead recommends SAML deep links, as defined here:

    Redirect with SAML deep links

    Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL:

      1. The SP ACS URL. For example: https://{myOktaDomain}.com/sso/saml2/:idpId
      2. The app to which the user is automatically redirected after successfully authenticating with the IdP. For example: /app/:app-location/:appId/sso/saml
      3. Optionally, if the app is an outbound SAML app, the relayState passed to it. For example: ?RelayState=:anyUrlEncodedValue

    The deep link for the above three parts is: https://{myOktaDomain}.com/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue
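The following is an added example, not code from the question, the answer or Okta. It assembles the three parts of the deep link described in the answer, URL-encodes the RelayState exactly once so that a receiver decoding the query string gets the value back as entered, and includes a check for the symptom the question describes: a RelayState that decodes to a literal `?RelayState=...`, which is what you see when `?RelayState=hello` is appended directly to the ACS URL and carried through as an opaque value. The domain and IdP ID are taken from the question; the app location and app ID are hypothetical placeholders.

```python
from urllib.parse import quote, urlsplit, parse_qs, unquote


def build_saml_deep_link(okta_domain, idp_id, app_location, app_id, relay_state=None):
    """Assemble an Okta SAML deep link from its three parts.

    Part 1: the SP ACS URL        https://{okta_domain}/sso/saml2/{idp_id}
    Part 2: the app to land on    /app/{app_location}/{app_id}/sso/saml
    Part 3: optional RelayState   ?RelayState=<url-encoded value>
    """
    acs_url = f"https://{okta_domain}/sso/saml2/{idp_id}"
    app_path = f"/app/{app_location}/{app_id}/sso/saml"
    url = acs_url + app_path
    if relay_state is not None:
        # Encode once, with no "safe" characters, so "/", "?", "&" and "="
        # inside the RelayState cannot be mistaken for URL structure.
        url += "?RelayState=" + quote(relay_state, safe="")
    return url


def relay_state_from_url(url):
    """Parse RelayState back out of a URL the way a receiving endpoint would.

    parse_qs percent-decodes the value, so a correctly single-encoded
    RelayState round-trips to the original string. Blank values are kept,
    matching the question's observation that "?RelayState=" yields a blank.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = qs.get("RelayState")
    return values[0] if values else None


def is_wrapped_relay_state(relay_state_as_received):
    """Detect the symptom from the question.

    If the RelayState that arrives at the IdP decodes to a string that is
    itself a "?RelayState=..." query fragment, the caller appended the query
    to the wrong place and the whole "?RelayState=..." text was treated as the
    opaque RelayState value (the %3FRelayState%3Dhello case in the question).
    """
    return unquote(relay_state_as_received).startswith("?RelayState=")


if __name__ == "__main__":
    # Constructed demo values: domain and IdP ID appear in the question,
    # app location and app ID are hypothetical placeholders.
    link = build_saml_deep_link(
        "verafin.oktapreview.com",
        "0oaa25fc86YRTkyb60h7",
        "exampleapp",        # hypothetical :app-location
        "0oaEXAMPLEAPPID",   # hypothetical :appId
        relay_state="https://example.com/?a=b&c=d",
    )
    print(link)
    print("RelayState as the receiver sees it:", relay_state_from_url(link))
    print("Question's symptom detected:", is_wrapped_relay_state("%3FRelayState%3Dhello"))
```

The key point is that RelayState is encoded exactly once, at the end of the assembled deep link; appending it to the bare ACS URL instead puts the query where Okta treats it as part of the value, which is the double-wrapped `%3FRelayState%3Dhello` the question captured.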