What is RelayState in SAML and how to configure RelayState on AS ABAP
What is RelayState?
As OASIS describes:
“Sometimes a binding-specific field called RelayState is used to coordinate messages and actions of IdPs and SPs, for example, to allow an IdP (with which SSO was initiated) to indicate the URL of a desired resource when communicating with an SP.”
In other words, RelayState is a URL parameter that tells the Identity Provider where it should send the user after the response comes back (directly to WebGUI? Fiori? NWBC? ...).
Identity Provider-Initiated vs Service Provider-Initiated
To correctly set up the RelayState, you need to understand the difference between the IDP-initiated and the SP-initiated authentication flow.
The SP-initiated flow starts when you type the Service Provider URL: the SP redirects you to the IDP with a SAMLRequest, so the IDP knows which SP is initiating the authentication. This matters because an Identity Provider can serve more than one SP, and in this flow it already knows who is sending the request. We do not need to modify the URL to tell the IDP who we are.
The IDP-initiated flow starts when you type the IDP URL in the browser, so the IDP does not know which SP the user wants to reach. That is where the saml2sp parameter comes in handy: we can use http://idpurl?saml2sp=spname to name the Service Provider. This is described here.
Prerequisites to use RelayState
- You already have a landscape authenticating via SAML2
- You are using an IDP-initiated authentication flow
How to configure RelayState on AS ABAP
- First, you can open the SAML2 transaction from your AS ABAP through SAPGUI.
- Click on Service Provider Settings and scroll down to RelayState Mapping.
- As you can see, there are two columns: RelayState and Application Path. In the first one you can use any name, because it is just an alias (we will pass this name as a URL parameter). The second one is the path to your URL/service (e.g. /sap/bc/...).
- Therefore, create an alias to your service and specify the path.
- That is it! You have configured the RelayState. Let’s test it.
- Type the URL of your IDP using the parameter saml2sp and the RelayState.
- In my case, it would be: http://myidpurl:50200/saml2/idp/sso?saml2sp=ABAP_N50_SP&RelayState=fiori
- As you can see, I have been redirected to Fiori and not to the Default path.
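The two halves of this walkthrough (building the IDP-initiated link with saml2sp and RelayState, and the SP mapping the alias back to an Application Path) can be modelled end to end. The block below is an added illustration written for this post, not code from AS ABAP or SAP; the mapping table, the default path and the URLs are constructed sample values. It also shows the property that makes the alias design safe: the value that arrives in RelayState is only ever used as a lookup key, so an unknown value falls back to the Default path instead of being followed as a redirect target.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for the RelayState Mapping table maintained in the
# SAML2 transaction (alias -> Application Path). Illustrative values only.
RELAY_STATE_MAPPING = {
    "fiori": "/sap/bc/ui2/flp",
    "webgui": "/sap/bc/gui/sap/its/webgui",
}

# Hypothetical Default path used when no usable RelayState is supplied.
DEFAULT_APPLICATION_PATH = "/sap/bc/gui/sap/its/webgui"


def build_idp_initiated_url(idp_sso_url, saml2sp, relay_state=None):
    """Build the IDP-initiated SSO link.

    saml2sp names the Service Provider (the IDP cannot infer it in this
    flow); RelayState carries the alias configured in the mapping table.
    urlencode takes care of escaping, so the caller never hand-builds the
    query string.
    """
    params = {"saml2sp": saml2sp}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"


def relay_state_from_url(url):
    """Extract the RelayState parameter the IDP will echo back to the SP."""
    query = parse_qs(urlsplit(url).query)
    values = query.get("RelayState")
    return values[0] if values else None


def resolve_relay_state(relay_state, mapping=RELAY_STATE_MAPPING,
                        default=DEFAULT_APPLICATION_PATH):
    """Map the RelayState alias received with the SAML response to a path.

    The alias is a dictionary key, nothing more: a missing, empty or unknown
    value yields the Default path, so browser-controlled input can never
    become the redirect target by itself.
    """
    if not relay_state:
        return default
    return mapping.get(relay_state, default)


def final_application_path(url):
    """Round trip: take an IDP-initiated link and return where the SP lands."""
    return resolve_relay_state(relay_state_from_url(url))


if __name__ == "__main__":
    link = build_idp_initiated_url(
        "http://myidpurl:50200/saml2/idp/sso", "ABAP_N50_SP", "fiori")
    print(link)
    print("SP will open:", final_application_path(link))
    print("Without RelayState:", final_application_path(
        build_idp_initiated_url("http://myidpurl:50200/saml2/idp/sso",
                                "ABAP_N50_SP")))
```

Running it prints the same link shape as the one used in the test step above and shows that dropping the parameter, or supplying an alias that is not in the table, lands the user on the Default path rather than on Fiori.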
To conclude, RelayState is a URL parameter that we can use to send the user to a different application once the authentication flow finishes.
Security Assertion Markup Language (SAML) V2.0 Technical Overview
Thank you for your blog and the comprehensive explanation of the RelayState usage.
If there is no RelayState mapping, what is going to be the system behavior? Do we have a default value we can always use as the default for RelayState?