Does Azure support dynamic RelayState?

  • Question

  • The docs for Azure cover RelayState (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-single-sign-on-portal) as it's a fixed parameter. In the SAML world, it is used for Service Provider (SP) initiated SSO flows to allow the redirect to happen for different URLs.

    The RelayState parameter in ADFS is generated according to these docs (https://social.technet.microsoft.com/wiki/contents/articles/13172.ad-fs-2-0-relaystate-generator.aspx).  Does Azure AD have similar encoding for it?  I'm unable to find any mentions of whether RelayState works the same way as it does in the ADFS setting.

    Tuesday, November 20, 2018 3:22 AM

All replies

  • If you are using Relay State in SP initiated flow, it is meant to be used as an opaque identifier which is sent along with the SAML request to the STS and passed back without any modification or inspection back to the SP. 

    In the IDP initiated flow, Relay State is used to redirect the user to the target resource URL. You can get more details about this in the SAML V2.0 technical description. In Azure AD, this is static as described in the article you mentioned and is used in IDP scenarios.

    I am assuming that you want to send different values in Relay State along with the SAML request. If that's the case then Azure AD will send it back to the SP without any modification. If your application can use this and redirect the user then it should work.

    The ADFS generator is provided to generate the encoded URL properly in IDP initiated flows. In Azure AD it's automated and follows similar encoding. 

    Hope this helps.

    Tuesday, November 20, 2018 9:31 AM
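
Since the answer above says Azure AD passes RelayState back to the SP without modification or inspection, any checking before a redirect falls to the SP. The following is an added example, not code from this thread or from Microsoft: it sends an opaque single-use token in the SP-initiated flow and allow-lists URL values that arrive in the IdP-initiated flow. All names (`issue_relay_state`, `resolve_relay_state`, `ALLOWED_HOSTS`, `app.example.com`) and the 600-second lifetime are assumptions.

```python
import secrets
import time
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"                # assumed fallback page
ALLOWED_HOSTS = {"app.example.com"}  # assumed: hosts this SP may redirect to
MAX_AGE_SECONDS = 600                # assumed lifetime of a pending login
_pending = {}  # token -> (return_path, issued_at); a shared store in production


def _unsafe_chars(value):
    # Browsers treat "\" as "/" and drop tabs/newlines, so reject both.
    return "\\" in value or any(ord(c) < 0x20 for c in value)


def is_local_path(path):
    """True for /reports?id=7, false for //host, scheme URLs, or odd characters."""
    return path.startswith("/") and not path.startswith("//") and not _unsafe_chars(path)


def issue_relay_state(return_path, now=None):
    """SP-initiated: keep the target server-side, send only an opaque token."""
    if not is_local_path(return_path):
        return_path = DEFAULT_LANDING
    token = secrets.token_urlsafe(32)  # 43 chars, within SAML's 80-byte limit
    _pending[token] = (return_path, time.time() if now is None else now)
    return token


def resolve_relay_state(relay_state, now=None):
    """Run at the assertion consumer service, after the SAML response validates."""
    now = time.time() if now is None else now
    relay_state = relay_state or ""
    entry = _pending.pop(relay_state, None)  # single use
    if entry is not None:
        path, issued_at = entry
        return path if now - issued_at <= MAX_AGE_SECONDS else DEFAULT_LANDING
    # IdP-initiated: the value is a URL set at the IdP or on the sign-in link.
    if _unsafe_chars(relay_state):
        return DEFAULT_LANDING
    try:
        parts = urlsplit(relay_state)
        host = parts.hostname
    except ValueError:
        return DEFAULT_LANDING
    if parts.scheme == "https" and host in ALLOWED_HOSTS:
        return relay_state
    return DEFAULT_LANDING
```

With these settings a RelayState of `https://www.newrelaystatesite.com` resolves to the default landing page unless that host is added to `ALLOWED_HOSTS`.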
  • I am assuming that you want to send different values in Relay State along with the SAML request. If that's the case then Azure AD will send it back to the SP without any modification. If your application can use this and redirect the user then it should work.

    The ADFS generator is provided to generate the encoded URL properly in IDP initiated flows. In Azure AD it's automated and follows similar encoding. 

    Hi Manoj,

    When you say that Azure AD can accept different values in Relay State and send it back to the SP, and that it's automated and follows similar encoding as ADFS, what does an example of that look like?

    Are you saying we can pass the Relay State into Azure the same as we do for ADFS like so:

    https://myapps.microsoft.com/signin/Test/0a98ab36-b712-416c-ad7c-835fa0606026?RelayState=https://www.newrelaystatesite.com

    Is that correct?

    Thank you.


    • Edited by TDed Tuesday, December 11, 2018 8:12 PM
    Tuesday, December 11, 2018 8:11 PM
  • It appears adding the "?RelayState=https://www.newrelaystatesite.com" parameter did successfully set the Relay State for Azure.

    Thank you.

    Wednesday, December 12, 2018 9:16 PM
  • Yes. I am glad it's working as expected. Thanks for updating the thread.
    Thursday, December 13, 2018 8:10 AM
  • Were there any caveats to get this to work?

    Did you have a RelayState configured in your enterprise app?

    Monday, September 23, 2019 6:00 PM