hdzhdz

Federated SSO configuration questions

Hello,

- The SSO Implementation Guide says that when defining the start page when using SAML 2.0, the start page is "the page the user attempted to access before they were authenticated. The SAML 2.0 start page must support Sp-init single sign-on."

How do we make the start page support Sp-Init SSO?

- In the same place it is also said that "If you are using SAML 2.0, you can also use the RelayState parameter to control where users get redirected after a successful login."

How may we enable the use of RelayState? Where should we define it?

Thanks,

Haim

Scott T.

Are you already using a solution that supports the SAML 2.0 standard? Or do you plan to build such features yourself?

RelayState is a query string parameter that can be given from the SP (along with the SAML request) to the IdP, and the IdP is supposed to return it back to the SP (along with the SAML response) after authentication is complete.

Is SFDC your SP? Then if your IdP is sending a URL/path within your SFDC environment in the RelayState parameter, then SFDC will redirect the user there after it validates the SAML response.
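The round trip Scott describes, as an added example that is not code from this thread or from Salesforce: the SP deflates and base64-encodes the AuthnRequest for the HTTP-Redirect binding, attaches RelayState, and on the way back only honours a RelayState that points inside its own environment, so an IdP (or anyone who can tamper with the request) cannot turn it into an open redirect. The endpoint names and the AuthnRequest string are constructed for the example.

```python
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example; real SP/IdP endpoints are assumptions.
IDP_SSO_URL = "https://idp.example.com/saml2/sso"
SP_HOST = "sp.example.com"
MAX_RELAY_STATE_BYTES = 80  # upper bound from the SAML 2.0 Bindings spec


def build_sp_initiated_redirect(authn_request_xml: str, relay_state: str) -> str:
    """Encode an AuthnRequest for HTTP-Redirect and attach RelayState (SP side)."""
    # Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64, then URL-encode.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    query = urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_saml_request(redirect_url: str) -> tuple:
    """Reverse the encoding (what the IdP does) and return (xml, relay_state)."""
    params = parse_qs(urlparse(redirect_url).query)
    inflated = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return inflated.decode("utf-8"), params["RelayState"][0]


def safe_return_target(relay_state: str, sp_host: str = SP_HOST) -> str:
    """Accept a RelayState only if it stays within the SP; otherwise fall back to '/'.

    Rejects protocol-relative ('//host'), backslash tricks, foreign hosts and
    over-long values, which are the usual ways RelayState becomes an open redirect.
    """
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES or "\\" in relay_state:
        return "/"
    parsed = urlparse(relay_state)
    # Relative path on this SP: no scheme, no host, single leading slash.
    if parsed.scheme == "" and parsed.netloc == "" and relay_state.startswith("/") \
            and not relay_state.startswith("//"):
        return relay_state
    # Absolute URL is fine only when it is https and on the SP's own host.
    if parsed.scheme == "https" and parsed.netloc == sp_host:
        return relay_state
    return "/"
```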

hdzhdz

I am working on such solution now. The identity provider is CA SiteMinder. force.com is the service provider. How do I make force.com include the RelayState in the page containing the assertion request for service provider initiated flow?

Thanks,

Haim

Scott T.

Check CA SiteMinder documentation. There should be a way to perform IdP init SSO using specially crafted URLs to SiteMinder components and at that point give a RelayState parameter. I would expect SiteMinder to also return the RelayState it receives from an SP - so an SP initiated use case should also work.

hdzhdz

Thanks, but my question was actually referring to a SP-initiated SSO. In this case, force.com will create a SAML request (AuthnRequest) and redirect the form containing it to the identity provider, and I need the page to include the RelayState attribute, with the URL the user is trying to access. How do I configure force.com to add RelayState to the form containing the assertion request? Or is RelayState always added?

Scott T.

RelayState should be always added if the user requests a page and is not logged in.