
How do I redirect to a specific page after a successful IdP or SP initiated login in Identity Cloud or AM (All versions)?

Last updated Mar 8, 2023

The purpose of this article is to provide information on redirecting the user to a specific page after a successful Single Sign On (SSO) in ForgeRock Identity Cloud or AM. The SSO can be either IdP or SP initiated. This information only applies to standalone mode (where JSPs are invoked to initiate SSO) and when Identity Cloud or AM is the hosted entity provider.

Overview

You can redirect the user to a specific page after SSO using either the RelayState parameter or the goto parameter. The RelayState parameter takes precedence over the goto parameter.

The IdP is only responsible for redirection in the IdP initiated SLO flow. The SP does the redirect for the other flows (SP initiated SSO and SLO, and IdP SSO). In terms of Identity Cloud and AM, this means:

  • When Identity Cloud or AM is the hosted IdP, Identity Cloud or AM is only responsible for redirection in the IdP initiated SLO flow. This means you can configure valid URLs or URL resources in the hosted IdP configuration for the SLO flow, but you will need to validate URLs for the other flows on the SP side (outside of Identity Cloud or AM).
  • When Identity Cloud or AM is the hosted SP, Identity Cloud or AM is responsible for redirection in the SP initiated SSO and SLO flows, and also the IdP SSO flow. This means you can configure valid URLs or URL resources in the hosted SP configuration for all flows other than the IdP initiated SLO flow.

Redirecting the user after SSO

You should append the RelayState or goto parameter, set to the required redirect URL, to the login URL.

If you use the RelayState parameter, you must URL encode this value in the URL. For example, to redirect to https://test.example.com, you would need to use:

RelayState=https%3A%2F%2Ftest.example.com

Note

You should specify the login URL in your application or application login page. If you use an Agent, you can specify the login URL against the agent as described in AM Login URL (Web Agents) or AM Login URL List (Java Agents).

Identity Cloud and AM do not set or inject these parameters into URLs; they only validate them if they exist.

Example Login URLs

The following example URLs show an IdP and an SP initiated SSO, with the lines folded to show you the query string parameters:

  • Using the RelayState parameter with an IdP initiated SSO and HTTP-POST binding (idpssoinit):
    https://idp.example.com:8443/am/idpssoinit
      ?metaAlias=/idp
      &spEntityID=https%3A%2F%2Fsp.example.com%3A8443%2Fopenam
      &binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      &RelayState=https%3A%2F%2Fam.example.com
  • Using the RelayState parameter with an SP initiated SSO (spSSOInit.jsp):
    https://sp.example.com:8443/am/saml2/jsp/spSSOInit.jsp
      ?metaAlias=/sp
      &idpEntityID=https%3A%2F%2Fidp.example.com%3A8443%2Fam
      &RelayState=https%3A%2F%2Fsp.example.com%3A8443%2Fopenam%2Fidm%2FEndUser

Note

The idpssoinit JSP must be accessed using a GET request, not a POST, when using the RelayState parameter with IdP initiated SSO. If the POST method is being used to access this endpoint, it is generally due to a misconfiguration on the remote SP.

Improving security for redirects

To improve security, you can also specify a list of valid URLs for the RelayState parameter and a list of valid URL resources for the goto parameter. These URLs and URL resources are only validated for the flows where Identity Cloud or AM is responsible for redirection as outlined in the Overview section.

RelayState parameter

When you specify a URL list, the URL stated in the RelayState parameter must exist on the URL list for the user to be redirected. If you do not specify a URL list, the behavior is as follows:

  • Identity Cloud; AM 6.5.3 and later: Identity Cloud and AM only redirect to RelayState URLs that match their deployment domain; for example, example.com. Any other URL will cause a browser error.
  • Pre-AM 6.5.3: All URLs specified in the RelayState parameter are considered valid.

You can configure this URL list as follows once you have set up your IdP or SP:

  • Identity Cloud admin UI: go to Native Consoles > Access Management > Applications > Federation > Entity Providers > [Provider Name] > Advanced > Relay State URL List and add the valid RelayState URLs.
  • AM admin UI: go to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Provider Name] > Advanced > Relay State URL List and add the valid RelayState URLs.

See the SAML v2.0 Guide for further information on the Relay State URL List - IdP and SP.

goto parameter

When you specify a URL resource list, the resource of the URL stated in the goto parameter must exist on the URL resource list for the user to be redirected. If you do not specify a URL resource list, all resources included in URLs specified in the goto parameter are considered valid.

See Configure success and failure redirection URLs (Identity Cloud), Configure success and failure redirection URLs (AM 6.5.3 and later) or How do I configure a list of valid goto URL resources in AM 6.0.x, 6.5.0.x, 6.5.1 and 6.5.2.x? for further information.
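The following is an added example, not ForgeRock code: it builds a login URL with a URL-encoded RelayState (as in the Redirecting the user after SSO section) and models the validation rules described above for the RelayState parameter (exact match against a Relay State URL List, or deployment-domain matching when no list is configured) and the goto parameter. The deployment-domain check (host equals the domain or is a subdomain of it) and the prefix match for goto URL resources are assumptions about how AM interprets those settings.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def build_login_url(login_url: str, redirect_to: str, param: str = "RelayState") -> str:
    """Append RelayState (or goto) to a login URL; urlencode() percent-encodes ':' and '/'."""
    sep = "&" if "?" in login_url else "?"
    return f"{login_url}{sep}{urlencode({param: redirect_to})}"


def _in_deployment_domain(url: str, deployment_domain: str) -> bool:
    """Default rule (Identity Cloud, AM 6.5.3 and later) when no Relay State URL List is set.
    Assumption: 'matches the deployment domain' means the host is the domain or a subdomain."""
    host = urlsplit(url).hostname or ""
    return host == deployment_domain or host.endswith("." + deployment_domain)


def choose_redirect(login_url: str, deployment_domain: str,
                    relay_state_url_list=None, goto_resource_list=None):
    """Model of the documented precedence and validation, applied to a login URL's query
    string. Returns (parameter, url) for an accepted redirect, or None when the value
    would be rejected (AM responds with a browser error in that case)."""
    params = parse_qs(urlsplit(login_url).query)
    relay_state = params.get("RelayState", [None])[0]
    goto = params.get("goto", [None])[0]

    # RelayState takes precedence over goto whenever it is present.
    if relay_state is not None:
        if relay_state_url_list:
            accepted = relay_state in relay_state_url_list  # must exist on the list
        else:
            accepted = _in_deployment_domain(relay_state, deployment_domain)
        return ("RelayState", relay_state) if accepted else None

    if goto is not None:
        if not goto_resource_list:
            return ("goto", goto)  # no resource list: every goto resource is valid
        # Assumption: a listed URL resource matches the goto URL by prefix.
        if any(goto.startswith(resource) for resource in goto_resource_list):
            return ("goto", goto)
        return None

    return None  # neither parameter is present, so there is nothing to validate
```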

Using the RelayState parameter with the SAML2ServiceProviderAdapter doing the SSO

When using a SAML2ServiceProviderAdapter to do SSO using the postSingleSignOnSuccess() method, the RelayState parameter will return a random string during an SP initiated SSO. This is in line with the SAML spec: the SP generates a random string and sends that as the ID of the RelayState, and the IdP blindly returns the string. The SP should then decode that string and redirect to the actual URL.

To ensure the SP does decode this string, you need to look the string up in SPCache.relayStateHash to convert it back to a URL. For example, using code similar to the following:

    // idpSuppliedGotoURL holds the random RelayState string returned by the IdP.
    CacheObject c = (CacheObject) SPCache.relayStateHash.get(idpSuppliedGotoURL);
    if (c != null) {
        // The cached object holds the original RelayState URL; replace the random key with it.
        idpSuppliedGotoURL = (String) c.getObject();
    }

See Also

How do I configure IdP or SP initiated Single Sign On in Identity Cloud or AM (All versions)?

How do I redirect to a specific page after a successful IdP or SP initiated logout in Identity Cloud or AM (All versions)?

FAQ: SAML2 federation in AM

SAML 2.0 federation in Identity Cloud

SAML 2.0 federation in AM

SSO and SLO in standalone mode (Identity Cloud)

SSO and SLO in standalone mode (AM)

Class SAML2ServiceProviderAdapter

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.