Question about RelayState in SAML authentification
Hello,
I have a question about the utility in RelayState durning the exange with a IDP.
The IDP tell me that the RelayState is not mandatory but if i am not mistaken in Pega activity the relaystate is mandatory to give access to Pega.
What is your recommandation ? force the IDP to give me a RelayState ? or accept to modifiy the activity to ignore the blank RelayState?
for me the RelayState in pega check return request to be sure that it was initiate by Pega so if ignore the relaystate it was a security problem.
best regards.
Yeun-Ho Chung
***Edited by Moderator Marissa to change type from General to Product, update Product details***
Accepted Solution
Updated: 9 Oct 2020 4:41 EDT
Pegasystems Inc.
US
Hi,
We do require a RelayState parameter.
When using Service Provider initiated request, when you access the Pega URL first, we generate the RelayState and send it with the SAMLRequest to the IDP. The IDP will then echos it back along with the SAMLResponse to the AssertionConsumerService. The RelayState is generate value and in a database record associated we store the original URL the user requested. The AssertionConsumerSerivce then redirects back to that original URL after it's done processing. (IDP shouldn't have to do anything here)
When using a IDP initiated request, when you access the IDP first, we require a RelayState parameter along with the SAMLResponse. The value should be the URL of the requested resource. For example https://<prpc_host>/prweb/PRAuth/<AuthAlias>. This is important because with the Pega Platform your AuthService record is the access point and part of the relationship created between SP and IDP. Since you can define more than one AuthService record the IDP has to at least use the AuthService URL as the default RelayState for IDP initiated requests.
Hi,
We do require a RelayState parameter.
When using Service Provider initiated request, when you access the Pega URL first, we generate the RelayState and send it with the SAMLRequest to the IDP. The IDP will then echos it back along with the SAMLResponse to the AssertionConsumerService. The RelayState is generate value and in a database record associated we store the original URL the user requested. The AssertionConsumerSerivce then redirects back to that original URL after it's done processing. (IDP shouldn't have to do anything here)
When using a IDP initiated request, when you access the IDP first, we require a RelayState parameter along with the SAMLResponse. The value should be the URL of the requested resource. For example https://<prpc_host>/prweb/PRAuth/<AuthAlias>. This is important because with the Pega Platform your AuthService record is the access point and part of the relationship created between SP and IDP. Since you can define more than one AuthService record the IDP has to at least use the AuthService URL as the default RelayState for IDP initiated requests.
You should not modify the ACS processing to set the default RelayState when one is not provided. Some IDP's have a way to set default RelayState as part of the relationship configuration, example Okta. Others require the default RelayState to be a parameter in the initial IDP initiated request. For SP initiated request the sent RelayState should be echoed back. You shouldn't have to "force" anyone to do anything...this is part of normal SAML 2.0 and unless you're using some custom developed IDP you shouldn't have a problem with this.
EDIT:
The RelayState also has nothing to do with determining if the SAMLResponse received was initiated from a Request from Pega. That is handled with normal SAML attributes like "inResponseTo".
Hope this help,
--Chris