Reputation: 33
We configured our SPA with mod_auth_mellon, and the SP-initiated setup works well. We now want to add the ability to dynamically route to the SPA URL which initiated the SSO SAML call.
Below is the current flow
In Step (3) we now want to redirect back to http://foo.com/user/1. What configuration changes should I make in the SP / IDP configuration to enable dynamic routing?
Upvotes: 0
Views: 866
Reputation: 95
If you are using SAML 2.0 then you want to use the RelayState. When creating your AuthN request in step 2, you will want to make sure that you as the Service Provider are including your desired RelayState. The value you provide to the IDP for RelayState will be carried through the transaction and given back to you as a URL parameter in Step 3 when the user POSTs to your ACS @ http://foo.com/user.
Here is an example flow:
On the off chance you are not doing SP init SSO and are instead doing a generic redirect to an IDP-initiated SSO URL from PingFederate, you can add the URL parameter TargetResource to your IDP-initiated SSO redirection to then receive it back with the SAMLResponse later.
Upvotes: 0
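The RelayState round trip described in the answer above, as an added example that is not part of the original posts and is not mod_auth_mellon's own code: the SP attaches the originating SPA URL as RelayState in step 2, and in step 3 only follows the returned value if it resolves to the SP's own origin, since RelayState arrives from the browser and is not covered by the assertion signature. The function names, the IdP endpoint `https://idp.example/sso` and the fallback path are assumptions; the AuthnRequest is taken as already encoded.

```javascript
// Added example. SP_ORIGIN comes from the question; everything else is hypothetical.
const SP_ORIGIN = "http://foo.com";
const IDP_SSO_URL = "https://idp.example/sso"; // constructed placeholder endpoint
const DEFAULT_LANDING = "/user";               // fallback when RelayState is unusable

// Step 2: build the redirect to the IdP, carrying the originating SPA URL
// in RelayState next to the (already encoded) SAMLRequest.
function buildLoginRedirect(encodedAuthnRequest, originatingUrl) {
  const url = new URL(IDP_SSO_URL);
  url.searchParams.set("SAMLRequest", encodedAuthnRequest);
  url.searchParams.set("RelayState", originatingUrl);
  return url.toString();
}

// Step 3: the IdP hands RelayState back unchanged alongside the SAMLResponse.
// Return a same-origin path to redirect to, or the default landing page.
function resolveRelayState(relayState) {
  if (typeof relayState !== "string" || relayState === "") return DEFAULT_LANDING;
  // Backslashes and control characters are normalised by browsers in ways
  // that can change the destination host, so refuse them outright.
  if (/[\\\u0000-\u001f]/.test(relayState)) return DEFAULT_LANDING;
  let target;
  try {
    // Relative values resolve against the SP origin; absolute ones keep their own.
    target = new URL(relayState, SP_ORIGIN);
  } catch {
    return DEFAULT_LANDING;
  }
  // Scheme, host and port must all match the SP.
  if (target.origin !== SP_ORIGIN) return DEFAULT_LANDING;
  // Redirect with a path only, never the full attacker-influenced string.
  return target.pathname + target.search + target.hash;
}

// Constructed sample: the user started at /user/1 before being sent to the IdP.
const redirect = buildLoginRedirect("ZmFrZS1yZXF1ZXN0", "http://foo.com/user/1");
const returned = new URL(redirect).searchParams.get("RelayState");
console.log(redirect);
console.log(resolveRelayState(returned));
```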