PingFederate is not sending back relayState in its response


I am using PingFederate as an Identity Provider. My application (Service Provider) sends RelayState to PingFederate. But on successful authentication, I am not getting the RelayState back.

By RelayState, my understanding is that it's the state information which the Service Provider will need on successful authentication at the PingFederate end.

Please correct me if I am wrong.

2

There are 2 answers

3
Vishwanath Washimkar On

PingFederate seems to be dealing with RelayState in a different, non-standard way. Following is the link for reference:

https://documentation.pingidentity.com/pingfederate/pf84/index.shtml#concept_idpEndpoints.html

Optional parameter TargetResource or TARGET is passed in the IdP endpoint URL as a query parameter. Its value must be a URL and must be URL-encoded.

This is different from what the SAML2 Specification says: http://docs.oasis-open.org/security/saml/v2.0/

I am using the HTTP POST binding, and this is what the spec says in

3.5.3 RelayState

RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message independent of any other protections that may or may not exist during message transmission. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means. If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response. If no such value is included with a SAML request message, or if the SAML response message is being generated without a corresponding request, then the SAML responder MAY include RelayState data to be interpreted by the recipient based on the use of a profile or prior agreement between the parties.

WSO2 seems to echo whatever we send to it as a RelayState value.

BTW I am using PingFederate 8.2.11.
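The spec text quoted in this answer puts the burden on the SP: RelayState is limited to 80 bytes and should be integrity-protected, and the SP should not assume the IdP echoes it back unchanged (or at all, as in the question). The following is an added example, not code from PingFederate, WSO2 or the poster: the SP keeps the real target URL server-side and sends only an opaque HMAC-tagged token as RelayState, then validates whatever comes back at the ACS. `SP_SECRET` and the in-memory `_pending` map are constructed stand-ins for a per-SP key and a session store.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example (not PingFederate or WSO2 code): an SP keeps its real target
# URL server-side and sends only an opaque, HMAC-tagged token as RelayState, so the
# echoed value is short (<= 80 bytes), tamper-evident and single-use.

SP_SECRET = b"constructed-demo-secret-do-not-use"  # assumption: per-SP secret key
MAX_RELAYSTATE_BYTES = 80  # limit from SAML 2.0 Bindings sec. 3.5.3
NONCE_LEN = 16
TAG_LEN = 16

# assumption: an in-memory map standing in for the SP's session store
_pending: dict[str, str] = {}


def make_relay_state(target_url: str) -> str:
    """Create the RelayState token to send alongside the AuthnRequest."""
    nonce = secrets.token_bytes(NONCE_LEN)
    tag = hmac.new(SP_SECRET, nonce, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(nonce + tag).rstrip(b"=").decode("ascii")
    if len(token.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
        raise ValueError("RelayState exceeds 80 bytes")
    _pending[token] = target_url
    return token


def consume_relay_state(relay_state):
    """Validate the RelayState echoed in the SAML Response; return the target URL or None.

    Returns None when the value is missing (the situation in the question),
    oversized, malformed, tampered with, or already used.
    """
    if not relay_state or len(relay_state.encode("utf-8")) > MAX_RELAYSTATE_BYTES:
        return None
    try:
        raw = base64.urlsafe_b64decode(relay_state + "=" * (-len(relay_state) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != NONCE_LEN + TAG_LEN:
        return None
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
    expected = hmac.new(SP_SECRET, nonce, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    # pop: a token is accepted only once, so a replayed Response cannot reuse it
    return _pending.pop(relay_state, None)


def landing_url(relay_state, default="/home"):
    """Where to send the user after ACS processing; falls back to a default
    page when the IdP did not return a usable RelayState."""
    return consume_relay_state(relay_state) or default
```

Because the token carries no URL, an attacker who alters it in transit gains nothing but a redirect to the default page, and a Response that arrives with no RelayState (the behaviour reported in the question) degrades to the same safe default instead of breaking the login.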

0
Sam On

What version of PingFederate are you on?

Since you're getting relay state from the SP, you should be seeing an AuthNRequest posted to your PingFed endpoint.

You can use Firefox with SSO-Tracer or SAML-Tracer to validate you're getting a relay state posted to Ping and view the response going back.