If a RelayState parameter is included with the request into the Sentry SAML STS/IdP policy, Sentry will keep this value and return it in the SAMLResponse form.
However, with IdP-initiated SAML SSO flows, and sometimes with SP-initiated flows, there is no incoming RelayState parameter even if the use case (the SP) requires a RelayState in the SAMLResponse.
You can update the RelayState parameter of the form Sentry generates by using a task list on the SAML STS/IdP policy, configured to run as "Encoded Response Processing".
The task list requires a sample document that is representative of the XHTML form Sentry returns to the browser after successfully processing the request to the SAML STS/IdP policy.
The task list uses the Map Attributes to XML task to modify the RelayState parameter. The mapping task needs to be configured with the following custom XPath expression to set the value of the RelayState parameter:
(//ns1:div/ns1:input[@name='RelayState'])/@value
The value can be constant or dynamic. Select the appropriate source in the "Map From" drop-down, then fill in the value (if applicable) next to the XPath expression. The example below shows a constant value being mapped into the RelayState attribute.
An example task list is attached; the import password is password.
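To check the XPath against your sample document outside of Sentry, the following added example (not Sentry's code and not part of the attached task list) applies the same selection to a constructed XHTML form and sets the RelayState value. It assumes the ns1 prefix is bound to the XHTML namespace, and it enforces the 80-byte RelayState limit from the SAML 2.0 bindings specification; the form contents and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Assumption: the ns1 prefix in the page's XPath is bound to the XHTML namespace.
XHTML_NS = "http://www.w3.org/1999/xhtml"
NS = {"ns1": XHTML_NS}
ET.register_namespace("", XHTML_NS)  # serialize without an ns0: prefix

# Constructed sample form; not actual Sentry output.
SAMPLE_FORM = """<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
    <form method="post" action="https://sp.example.com/acs">
      <div>
        <input type="hidden" name="RelayState" value=""/>
        <input type="hidden" name="SAMLResponse" value="BASE64-PLACEHOLDER"/>
      </div>
    </form>
  </body>
</html>"""

# ElementTree cannot select attribute nodes, so this selects the element that
# owns @value in (//ns1:div/ns1:input[@name='RelayState'])/@value.
RELAY_INPUT = ".//ns1:div/ns1:input[@name='RelayState']"


def _relay_input(root):
    matches = root.findall(RELAY_INPUT, NS)
    if len(matches) != 1:
        raise LookupError(f"expected one RelayState input, found {len(matches)}")
    return matches[0]


def set_relay_state(xhtml, relay_state):
    """Return the form with the RelayState value replaced."""
    # SAML 2.0 bindings: RelayState must not exceed 80 bytes.
    if len(relay_state.encode("utf-8")) > 80:
        raise ValueError("RelayState exceeds 80 bytes")
    root = ET.fromstring(xhtml)
    _relay_input(root).set("value", relay_state)
    return ET.tostring(root, encoding="unicode")  # attribute values are escaped


def get_relay_state(xhtml):
    """Read back the RelayState value from a form."""
    return _relay_input(ET.fromstring(xhtml)).get("value")


if __name__ == "__main__":
    print(set_relay_state(SAMPLE_FORM, "https://app.example.com/home?a=1&b=2"))
```

A LookupError here means the XPath does not match exactly one input in the sample document, which is worth resolving before importing the task list.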