ratclma

Configuring relay state in a SP-initiated scenario


Hi,
NAM documentation seems sparse on Relay State so I need to know how I
would configure our NAM IDP Intersite Transfer for use with an external
SP.
The Partner has given us an example Login URL which looks to be an
example from an ADFS setup:
https://url.<clientname>.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252F<clientname>test.<partner>.com%252Fpath%252FWelcomePage%26RelayState%3Dhttps%253A%252F%252F<clientname>test.<partner>.com%252Fpath%252FWelcomePage

The destination URL is
https://<clientname>test.<partner>.com/path/WelcomePage

Am I right in thinking NAM doesn't use RelayState and instead uses
TARGET?
As our Identity Server URL is https://login.qa.eu.<clientname>.biz, would
we configure our Intersite Transfer as:
TARGET=%3Dhttps%253A%252F%252F<clientname>test.<partner>.com%252Fefm%252FWelcomePage%26TARGET%3Dhttps%253A%252F%252F<clientname>test.<partner>.com%252Fefm%252FWelcomePage
so that our Login URL would be:
https://login.qa.eu.<clientname>.biz/nidp/saml2/idpsend?id=<partner Intersite Transfer Service ID>&TARGET%3Dhttps%253A%252F%252F<clientname>test.<partner>.com%252Fpath%252FWelcomePage
Or am I on the wrong track here?

Thanks
Mark


--
ratclma
Anonymous_User

Re: Configuring relay state in a SP-initiated scenario

When using SP Initiated login it's the responsibility of the SP to
provide a RelayState. If they don't provide one then NAM won't set one
either.

When using IDP initiated logins then the value of TARGET will be set as
the RelayState.

--
Cheers,
Edward

ratclma

Re: Configuring relay state in a SP-initiated scenario


Apologies Edward, this is IDP-initiated, don't know why I thought it
wasn't. :o
Anyway, is this correct for IDP-initiated, based on the ADFS example the
partner company gave us:

https://login.qa.eu.<clientname>.biz/nidp/saml2/idpsend?PID=https://<clientname>test.<partner>.com/path/WelcomePage&TARGET=https://<clientname>test.<partner>.com/path/WelcomePage
where <clientname> is our company name and <partner> is the partner's
company name.

Thanks
Mark


--
ratclma

Anonymous_User

Re: Configuring relay state in a SP-initiated scenario

Did you tick 'allow any target' on the service provider config? I can't
recall what the tab is called but it's the 3rd one from memory.

--
Cheers,
Edward

Anonymous_User

Re: Configuring relay state in a SP-initiated scenario

Edward van der Maas wrote:


> Did you tick 'allow any target' on the service provider config? I
> can't recall what the tab is called but it's the 3rd one from memory.


It's the 'Intersite Transfer Service' tab

--
Cheers,
Edward
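Added example, not part of any post in this thread: the partner's ADFS sample wraps the destination in two layers of percent-encoding, while an IdP-initiated `idpsend` link carries it in `TARGET`, encoded once. The sketch below unwraps the ADFS form and builds the NAM form. The hostnames and the `id` value are constructed stand-ins for the thread's placeholders, the `id=` parameter form is taken from the first post, and the host check is the example's own guard (useful once 'allow any target' is ticked), not NAM behaviour.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed stand-ins for the thread's <clientname>/<partner> placeholders.
SP_TARGET = "https://clienttest.partner.example/path/WelcomePage"
ADFS_SIGNON = "https://url.client.example/adfs/ls/idpinitiatedsignon.aspx"
NAM_IDPSEND = "https://login.qa.eu.client.example/nidp/saml2/idpsend"
ITS_ID = "partner-its-id"  # hypothetical Intersite Transfer Service ID


def adfs_sample_url(target):
    """Rebuild the partner's ADFS-style link: each inner value is encoded
    once, then the whole 'RPID=...&RelayState=...' string is encoded again."""
    inner = "RPID=" + quote(target, safe="") + "&RelayState=" + quote(target, safe="")
    return ADFS_SIGNON + "?RelayState=" + quote(inner, safe="")


def decode_adfs_relaystate(url):
    """Undo both encoding layers and return the inner RPID and RelayState."""
    outer = parse_qs(urlsplit(url).query)["RelayState"][0]  # first decode
    inner = parse_qs(outer)                                 # second decode
    return {"RPID": inner["RPID"][0], "RelayState": inner["RelayState"][0]}


def nam_idpsend_url(target, allowed_hosts):
    """Build the IdP-initiated link with TARGET percent-encoded exactly once.
    Rejects targets that are not https or not on an expected SP host."""
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise ValueError("unexpected TARGET: " + target)
    return NAM_IDPSEND + "?" + urlencode({"id": ITS_ID, "TARGET": target})


if __name__ == "__main__":
    sample = adfs_sample_url(SP_TARGET)
    print(sample)                          # double-encoded, as in the partner's example
    print(decode_adfs_relaystate(sample))  # both values are the plain destination URL
    print(nam_idpsend_url(SP_TARGET, {"clienttest.partner.example"}))
```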