Does not apply to Identity Cloud

How do I redirect to a specific page after a successful IdP or SP initiated login in AM (All versions)?

Last updated Aug 4, 2021

The purpose of this article is to provide information on redirecting the user to a specific page after a successful Single Sign On (SSO) in AM. The SSO can be either IdP or SP initiated. This information only applies to standalone mode (where JSPs are invoked to initiate SSO) and when AM is the hosted entity provider.


Overview

You can redirect the user to a specific page after SSO using either the RelayState parameter or the goto parameter. The RelayState parameter takes precedence over the goto parameter.

The IdP is only responsible for redirection in the IdP initiated SLO flow. The SP does the redirect for the other flows (SP initiated SSO and SLO, and IdP SSO). In terms of AM, this means:

  • When AM is the hosted IdP, AM is only responsible for redirection in the IdP initiated SLO flow. This means you can configure valid URLs or URL resources in the hosted IdP configuration for the SLO flow, but you will need to validate URLs for the other flows on the SP side (outside of AM).
  • When AM is the hosted SP, AM is responsible for redirection in the SP initiated SSO and SLO flows, and also the IdP SSO flow. This means you can configure valid URLs or URL resources in the hosted SP configuration for all flows other than the IdP initiated SLO flow.

Redirecting the user after SSO

You should append the RelayState parameter or goto parameter and the required redirect URL to the login URL.

If you use the RelayState parameter, you must URL encode this value in the URL. For example, to redirect to https://host1.example.com, you would need to use:

RelayState=https%3A%2F%2Fhost1.example.com

Note

The login URL is specified against the agent as described in the Agent User Guides: Configuring AM Services Properties (Web) and Configuring AM Services Properties (Java).

Example Login URLs

The following example URLs show an IdP and SP initiated SSO, where the lines are folded to show you the query string parameters:

  • Using the RelayState parameter with an IdP initiated SSO and HTTP-POST binding:

    https://idp.acme.com:8443/openam/idpssoinit
      ?metaAlias=/idp
      &spEntityID=https%3A%2F%2Fsp.example.com%3A8443%2Fopenam
      &binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      &RelayState=https%3A%2F%2Fhost1.example.com

  • Using the RelayState parameter with an SP initiated SSO:

    https://sp.example.com:8443/openam/saml2/jsp/spSSOInit.jsp
      ?metaAlias=/sp
      &idpEntityID=https%3A%2F%2Fidp.acme.com%3A8443%2Fopenam
      &RelayState=https%3A%2F%2Fsp.example.com%3A8443%2Fopenam%2Fidm%2FEndUser

Note

The idpssoinit endpoint/JSP must be accessed using a GET request, not a POST, when using the RelayState parameter with IdP initiated SSO. If the POST method is being used to access this endpoint, it is generally due to a misconfiguration on the part of the remote SP.

Improving security for redirects

To improve security, you can also specify a list of valid URLs for the RelayState parameter and a list of valid URL resources for the goto parameter. These URLs and URL resources are only validated for the flows where AM is responsible for redirection as outlined in the Overview section.

RelayState parameter

When you specify a URL list, the URL stated in the RelayState parameter must exist on the URL list for the user to be redirected. If you do not specify a URL list, all URLs specified in the RelayState parameter are considered valid.

You can configure this URL list in the console once you have set up your IdP or SP:

  • AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Provider Name] > Advanced > Relay State URL List and add the valid RelayState URLs.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Provider Name] > Advanced > Relay State URL List and add the valid RelayState URLs.

See Hosted Service Provider Configuration Properties - Advanced Settings for further information on the Relay State URL List.

goto parameter

When you specify a URL resource list, the resource of the URL stated in the goto parameter must exist on the URL resource list for the user to be redirected. If you do not specify a URL resource list, all resources included in URLs specified in the goto parameter are considered valid.

See Configuring Success and Failure Redirection URLs (AM 6.5.3 and later) or How do I configure a list of valid goto URL resources in AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1 and 6.5.2.x? for further information.
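
As an added example (not ForgeRock's code and not AM's own matching logic), the following Python mirrors the allow-list semantics described above for an SP that has to validate the redirect target itself, as the Overview says is needed for the flows where AM is not responsible for redirection. The list entries and host names are constructed.

```python
from typing import Optional, Sequence
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list standing in for AM's Relay State URL List (assumed values).
RELAY_STATE_ALLOWLIST = ("https://host1.example.com", "https://sp.example.com:8443/openam")


def _origin_and_path(url):
    """Return ((scheme, host, port), path) for url, or (None, None) if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        return (parts.scheme, parts.hostname, parts.port), parts.path
    except ValueError:  # for example a non-numeric port
        return None, None


def relay_state_allowed(url: str, allowlist: Sequence[str] = RELAY_STATE_ALLOWLIST) -> bool:
    """True if url may be used as the post-SSO redirect under the allow-list.

    The scheme/host/port triple must equal an entry's and the path must sit at or
    under the entry's path. Comparing parsed components rather than string prefixes
    rejects look-alikes such as https://host1.example.com.evil.test and
    https://host1.example.com@evil.test; non-http(s) schemes are never accepted.
    """
    if not allowlist:
        return True  # as on the page: with no list configured, every RelayState is accepted
    origin, path = _origin_and_path(url)
    if origin is None or origin[0] not in ("http", "https") or not origin[1] or "\\" in url:
        return False
    for entry in allowlist:
        allowed_origin, allowed_path = _origin_and_path(entry)
        base = (allowed_path or "").rstrip("/")
        if origin == allowed_origin and (path.rstrip("/") == base or path.startswith(base + "/")):
            return True
    return False


def pick_redirect(query: str, allowlist: Sequence[str] = RELAY_STATE_ALLOWLIST) -> Optional[str]:
    """Choose the redirect from a login URL's query string.

    RelayState takes precedence over goto, as the page states. A value that fails
    validation yields None so the caller falls back to its own landing page. goto is
    checked against the same list here as a simplification; AM keeps a separate URL
    resource list for it.
    """
    params = parse_qs(query, keep_blank_values=True)  # parse_qs URL-decodes the values
    for name in ("RelayState", "goto"):
        if name in params:
            candidate = params[name][0]
            return candidate if relay_state_allowed(candidate, allowlist) else None
    return None
```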

Using the RelayState parameter with the SAML2ServiceProviderAdapter doing the SSO

When using a SAML2ServiceProviderAdapter to do SSO using the postSingleSignOnSuccess() method, the RelayState parameter will return a random string during an SP initiated SSO. This is in line with the SAML spec: the SP generates a random string and sends that as the ID of the RelayState, and the IdP blindly returns the string. The SP should then decode that string and redirect to the actual URL.

To ensure the SP does decode this string, you need to look the string up in the SPCache.relayStateHash cache to convert it back to a URL. For example, using code similar to the following:

// idpSuppliedGotoURL holds the RelayState value as returned by the IdP.
// For an SP initiated SSO this is the random ID, which the cache maps back
// to the original URL; if there is no cache entry the value is used as-is.
CacheObject c = (CacheObject) SPCache.relayStateHash.get(idpSuppliedGotoURL);
if (c != null) {
    idpSuppliedGotoURL = (String) c.getObject();
}

See Also

How do I configure IdP or SP initiated Single Sign On in AM (All versions)?

How do I redirect to a specific page after a successful IdP or SP initiated logout in AM (All versions)?

FAQ: SAML federation in AM

SAML Federation in AM

JSP Pages for SSO and SLO

Class SAML2ServiceProviderAdapter

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15042 (Document that idpssoinit can only use RelayState as a GET parameter and not via POST)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.