Reputation: 378
I am trying to configure BIME Analytics as a service provider (SP) to use Google for Work as a SAML Identity Provider (IdP).
Following the instructions at https://support.google.com/a/answer/6087519?hl=en I am able to perform SP initiated authentication. This means if I visit https://.bime.io/portal and click the SAML login button, I am redirected to a Google login page and after entering my Google for Work credentials am able to access my BIME portal page.
Unfortunately, I cannot get IdP initiated authentication to work. That is, from Gmail for example, if I open the app launcher and click on the icon for my BIME SAML app, it will take me into BIME without any authentication issues, but then I get a BIME dashboard not found error.
BIME support was able to identify that this is because I was not sending a RelayState parameter value which they require. When I start in BIME, I'm on their webpage and there is a hidden RelayState value that is sent to Google to let it know where to send me after I log in. However, when I start in Google, that value is not set. BIME support was able to configure the connection in Okta because Okta has a "Default RelayState" field that they could hardcode a value into.
For Google SAML apps, how do I specify a default RelayState value to enable IdP initiated authentication into a SAML app?
Upvotes: 4
Views: 7717
Reputation: 6043
The relaystate URL you are looking for is
https://www.google.com/a/[DOMAIN]/ServiceLogin?continue=https://mail.google.com
More info here
Upvotes: 1
Reputation: 58
Yesterday I took a look at the IdP SAML setup page in G Suite and noticed there is an optional "Start URL" field.
I also noticed in the help documentation to configure pre-integrated SAML applications that the "Start URL" field was frequently used.
Since the configurable parts of an IdP response are:
I had to guess that the "Start URL" is likely the field to hold the RelayState parameter. Considering RelayState is an optional--but important and commonly used--part of the SAML integration this makes a lot of sense. It also explains why the field is optional, and directly below the ACS and Entity ID fields.
This Oracle blog post references the Start URL field and suggests one of its uses is to contain the unsolicited RelayState value:
Optionally enter a Start URL for Google IdP Initiated SSO operations, where the user will click on the SAML Application partner at Google to be redirected to the Application at OAM: this would be the protected application URL, or unsolicited Relay State.
So while I can't test myself at the moment, I think it's safe to say this "Start URL" field is what you're looking for to set your RelayState value.
Upvotes: 4
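Whichever IdP field carries it, the value Google sends in an IdP-initiated flow arrives at the SP's ACS endpoint as an unsolicited RelayState, so the SP has to treat it as untrusted input rather than as something it set itself. The following added example (not code from the thread, from BIME or from Google) shows how an SP might handle the two flows: a response carrying InResponseTo is matched against an AuthnRequest the SP issued, while an unsolicited response takes its landing page from RelayState only after an open-redirect check that keeps the user on the SP's own host. The host `example.bime.io`, the `/portal` default, the `outstanding_requests` store and the constructed SAMLResponse are all assumptions for illustration; signature validation of the response is assumed to happen elsewhere and is not shown.

```python
"""Added example: choosing a landing page from RelayState at an SP's ACS endpoint.

SP-initiated flow:  InResponseTo names a request the SP issued, so the SP uses
                    the target it stored for that request.
IdP-initiated flow: no InResponseTo; RelayState is whatever the IdP was
                    configured with (e.g. Google's "Start URL"), so it must be
                    validated before the user is redirected to it.
Signature verification of the SAMLResponse is assumed to happen before this code runs.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

SP_HOST = "example.bime.io"        # hypothetical SP host
DEFAULT_LANDING = "/portal"        # fallback when RelayState is missing or rejected

# Hypothetical store of AuthnRequest IDs the SP issued -> intended landing path
outstanding_requests = {"_req42": "/dashboards/7"}


def safe_relay_state(relay_state, host=SP_HOST, default=DEFAULT_LANDING):
    """Return a landing path that stays on the SP (open-redirect guard).

    Accepts a relative path such as "/dashboards/7", or an absolute https URL
    on the SP's own host. Scheme-relative "//evil.example", other hosts,
    non-https schemes and backslash tricks all fall back to the default.
    """
    if not relay_state:
        return default
    parts = urllib.parse.urlsplit(relay_state)
    if "\\" in relay_state:
        return default  # browsers may treat "/\evil.example" as "//evil.example"
    if parts.scheme == "" and parts.netloc == "":
        path = parts.path or "/"
        if path.startswith("/") and not path.startswith("//"):
            return urllib.parse.urlunsplit(("", "", path, parts.query, ""))
        return default
    if parts.scheme == "https" and parts.netloc == host:
        return urllib.parse.urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return default


def handle_acs_post(form):
    """Process the fields an IdP POSTs to the ACS and pick the landing page.

    form: dict with "SAMLResponse" (base64 XML) and an optional "RelayState".
    Returns a dict describing the flow, the authenticated subject and the
    landing path the SP should redirect to.
    """
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    in_response_to = root.get("InResponseTo")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)

    if in_response_to is not None:
        # SP-initiated: only accept responses to a request we actually issued,
        # and use the target we stored rather than trusting the echoed RelayState.
        target = outstanding_requests.pop(in_response_to, None)
        if target is None:
            raise ValueError("response does not match an outstanding AuthnRequest")
        return {"flow": "sp-initiated", "user": name_id, "landing": target}

    # IdP-initiated (unsolicited): RelayState came from the IdP's configuration.
    landing = safe_relay_state(form.get("RelayState"))
    return {"flow": "idp-initiated", "user": name_id, "landing": landing}


def build_demo_response(name_id, in_response_to=None):
    """Construct a minimal, unsigned SAMLResponse for the demo (constructed data)."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="_r1" Version="2.0"{attr}>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID>{name_id}</saml:NameID></saml:Subject></saml:Assertion>'
        f'</samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # IdP-initiated with a benign Start URL-style RelayState
    print(handle_acs_post({"SAMLResponse": build_demo_response("alice@example.com"),
                           "RelayState": "/dashboards/7"}))
    # IdP-initiated with a hostile RelayState: falls back to /portal
    print(handle_acs_post({"SAMLResponse": build_demo_response("alice@example.com"),
                           "RelayState": "https://evil.example/phish"}))
    # SP-initiated: matched to the stored request
    print(handle_acs_post({"SAMLResponse": build_demo_response("bob@example.com", "_req42"),
                           "RelayState": "/dashboards/7"}))
```

The point of the split is that a missing RelayState in the IdP-initiated case is exactly the "dashboard not found" symptom described in the question: the SP has nothing to route on, so it should fall back to a sensible default rather than fail. Note that `ET.fromstring` here only reads attributes off an already verified document; a real ACS should hand the raw response to a SAML library that checks the signature, Audience, NotOnOrAfter and assertion replay before any of these fields are trusted.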