Reputation: 25
For example, you have TWO different folders on your web site, /folderA and /folderB
You can set the common loginURL for both of these pages in Spring Security.
I use Spring SAML. It aal
/folderA or /folderB, they will be redirected to the "local" LoginURL first (domain.com/auth).
domain.com/auth) will redirect the user to the remote SAML SSO provider (for example, myapp.okta.com). The endpoint is specified in metadata.xml.
sso.domain.com/auth/sso).
sso.domain.com/auth/sso). I want to make the logic dependent on the requested URL.
So my question is:
How to inject these folder URLs into the request to the SAML SSO provider using Spring SAML? I know how to implement it without Spring SAML. So I am looking for how to configure Spring SAML for it.
I think that RELAY_STATE is used for it. But I can't understand how to retrieve it at steps (1) and/or (2).
Upvotes: 2
Views: 2200
Reputation: 31
Relay state is passed as a query parameter along with SAMLRequest. Passing relay state depends on the toolkit you use, so you would need to check its documentation to see how it can be done. I found this useful thread online: http://forum.spring.io/forum/spring-projects/security/saml/125415-spring-saml-integration-authentication-extended-info-relaystate
Also, you can follow this link once a session is established via SAML (in that case you can skip passing the session token): http://developer.okta.com/use_cases/authentication/session_cookie#initiate-a-saml-sso-with-the-session-token. You can use the single sign-on URL from Sign on Tab -> View Setup instructions and make a GET request to it, passing in the RelayState. That will initiate take you to relay state.
Upvotes: 2
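One way to attach the requested folder as RelayState with the Spring Security SAML extension, as an added example that is not part of the original posts. It assumes the `SAMLEntryPoint` is invoked with the original protected request; the class name, helper methods and allowlist are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

// Hypothetical class; register it as the bean in place of the stock SAMLEntryPoint.
public class FolderAwareSamlEntryPoint extends SAMLEntryPoint {

    // Constructed allowlist: the two folders named in the question.
    private static final List<String> FOLDERS = Arrays.asList("/folderA", "/folderB");

    @Override
    protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context,
            AuthenticationException exception) throws MetadataProviderException {
        // Start from the options the stock entry point would use.
        WebSSOProfileOptions options = super.getProfileOptions(context, exception);
        HttpServletRequest request = ((HttpServletRequestAdapter)
                context.getInboundMessageTransport()).getWrappedRequest();
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String folder = folderFor(path);
        if (folder != null) {
            // Send only the short folder key: the SAML bindings limit RelayState
            // to 80 bytes, and the raw user-controlled URL should not be echoed.
            options.setRelayState(folder);
        }
        return options;
    }

    // Maps a request path to an allowlisted folder, or null if none matches.
    static String folderFor(String path) {
        for (String folder : FOLDERS) {
            if (path.equals(folder) || path.startsWith(folder + "/")) {
                return folder;
            }
        }
        return null;
    }

    // On the way back, RelayState arrives as an unauthenticated request parameter;
    // accept only an exact allowlisted value before using it as a redirect target.
    static String redirectTargetFor(String relayState, String fallback) {
        return relayState != null && FOLDERS.contains(relayState) ? relayState : fallback;
    }
}
```

After the response is processed, the value is available from `SAMLCredential.getRelayState()`; pass it through `redirectTargetFor` in the authentication success handler before redirecting.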