A URL List for the Relay State You're In
By docteger on Dec 21, 2009
When an identity provider and a service provider communicate using SAMLv2 (a redirect or an assertion exchange, for example), the `RelayState` parameter stores the URL to which the user is redirected after the action (single sign-on, single logout or termination, for example) completes. (If no `RelayState` value is specified, the value of the `defaultRelayState` property in the extended metadata configuration of the entity provider is used. See Constructing SAML Messages in the Sun OpenSSO 8.0 Developer's Guide for more information.)

To prevent the `RelayState` parameter from being used to redirect the user to an invalid site, the Relay State URL List has been added as an Advanced property in the Standard Administration Console for the hosted identity provider, the hosted service provider and the Fedlet metadata. The value of this property is essentially a white list of URLs. If the property contains no URLs, no further check is done and the user is redirected to the URL value of the `RelayState` parameter as usual. If URLs are specified, both the hosted identity provider and the hosted service provider (or Fedlet, if applicable) check the value of the `RelayState` parameter in the communication against the URLs and, if there is a match, redirection to the value of the `RelayState` parameter is allowed. If there is no match, the user is shown a browser error indicating "Invalid Relay State URL specified".

To add to the Relay State URL List, log in to the OpenSSO Standard Administration Console as administrator.
- Click the Federation tab.
- Click the name of the appropriate hosted entity provider from the Entity Providers table.
- Click the Advanced tab.
- Click Relay State URL List (or scroll to the page's bottom).
- Add one or more URLs based on the following supported patterns.
  - `http://*:*/*` (if no port number is specified, it defaults to 80 because the protocol is http)
  - `https://*:*/*` (if no port number is specified, it defaults to 443 because the protocol is https)
  - `http://*:*/*?*` (if a query string is present)
  - `http://host:port/*/test` (one-level wildcard support)
- Click Save.
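To make the white-list semantics described above concrete, here is an added example of a RelayState checker; it is not OpenSSO's own code, and the function names (`relay_state_allowed`, `parse_relay_state`) are hypothetical. Where the post does not spell out the matching rules, the code assumes: `*` in the host or port position matches any value; a missing port in a pattern defaults to 80/443 by scheme, as does a missing port in the RelayState URL; a trailing `*` path segment matches the rest of the path at any depth, while `*` elsewhere matches exactly one segment (the one-level wildcard); and a pattern must end in `?*` to admit a RelayState that carries a query string. The sample URL list and candidate RelayState values are constructed for the example.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed pattern grammar: scheme://host[:port][/path][?query], where host,
# port, any path segment and the query may each be the wildcard '*'.
_PATTERN_RE = re.compile(
    r"^(https?)://([^/:?]+)(?::([^/?]+))?(/[^?]*)?(?:\?(.*))?$"
)


def parse_relay_state(url):
    """Split a candidate RelayState into (scheme, host, port, path, query).

    Returns None for anything that is not a well-formed absolute http(s) URL,
    so scheme-relative URLs, javascript: URLs and malformed ports are rejected
    before any pattern is consulted.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname         # strips userinfo: 'a@evil.net' -> 'evil.net'
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host.lower(), port or DEFAULT_PORTS[scheme],
            parts.path or "/", parts.query or None)


def _segments(path):
    stripped = path.strip("/")
    return stripped.split("/") if stripped else []


def _path_matches(pattern_path, path):
    """Trailing '*' matches the remainder at any depth (http://h/* covers the
    whole site); an interior '*' matches exactly one segment (one-level wildcard)."""
    p_segs, u_segs = _segments(pattern_path), _segments(path)
    if p_segs and p_segs[-1] == "*":
        head = p_segs[:-1]
        if len(u_segs) < len(head):
            return False
        return all(a == "*" or a == b for a, b in zip(head, u_segs))
    if len(p_segs) != len(u_segs):
        return False
    return all(a == "*" or a == b for a, b in zip(p_segs, u_segs))


def relay_state_allowed(relay_state, url_list):
    """Return True if relay_state may be used as the post-SSO redirect target.

    An empty list means no check is performed, mirroring the documented
    behaviour of an empty Relay State URL List.
    """
    if not url_list:
        return True
    target = parse_relay_state(relay_state)
    if target is None:
        return False
    scheme, host, port, path, query = target
    for pattern in url_list:
        m = _PATTERN_RE.match(pattern.strip())
        if not m:
            continue                       # ignore malformed list entries
        p_scheme, p_host, p_port, p_path, p_query = m.groups()
        if p_scheme.lower() != scheme:
            continue
        if p_host != "*" and p_host.lower() != host:
            continue
        eff_port = DEFAULT_PORTS[p_scheme.lower()] if p_port is None else p_port
        if eff_port != "*" and str(eff_port) != str(port):
            continue
        if not _path_matches(p_path or "/", path):
            continue
        # A pattern without '?' only admits RelayStates without a query string.
        if p_query is None:
            if query is not None:
                continue
        elif p_query != "*" and p_query != query:
            continue
        return True
    return False


# Constructed sample Relay State URL List for the example.
SAMPLE_URL_LIST = [
    "https://sp.example.com/*",        # whole SP site over https, port 443
    "https://*:8443/*/test",           # one-level wildcard on any host
    "http://*:*/*?*",                  # any http URL carrying a query string
]

if __name__ == "__main__":
    for candidate in ("https://sp.example.com/app/home",
                      "https://sp.example.com.evil.net/app",
                      "https://sp.example.com@evil.net/app",
                      "https://evil.net:8443/foo/bar/test"):
        print(candidate, "->", relay_state_allowed(candidate, SAMPLE_URL_LIST))
```

Note that the host is compared as a whole after parsing rather than by string prefix, so look-alike hosts such as `sp.example.com.evil.net` and userinfo tricks such as `sp.example.com@evil.net` do not match an entry for `sp.example.com`. In practice, prefer explicit host names over `*` in the host position; a `*` host entry re-opens the redirect to any site on that scheme and port.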