IdP Initiated / SAML SSO to O365 as SP - RelayState Seems to be Ignored

Question

Background

We are trying to use IdP initiated SSO from non-Microsoft IdP to AAD via federated domain. SSO is working very well, so no issues with getting SSO configured. Both SP and IdP initiated work well, but for some reason, having added RelayState to the SAML assertion on the IdP initiated flow, while SSO works, it never seems to honor the RelayState target URL (which is a SharePoint Online URL).

Goal

Authenticated with IdP Already ->

IdP Initiated SSO Url with RelayState of something inside of SharePoint (URL encoded) ->

IdP POST SAML to https://login.microsoftonline.com/login.srf (I've confirmed this contains RelayState) ->

AAD sends to RelayState URL

Actual Results

Last route sends to office.com and not the RelayState URL

Questions

1. Is there something I'm possibly missing?
2. Does Microsoft even support RelayState for 3rd Party IdP-initiated login flow?

Answer 1

Hi @Eric Hendrickson ,

Thanks for reaching out.

In Azure AD, the relay state is static and instructs the application where to redirect users after authentication is completed.

However, relay state in SP initiated flow is meant to be used as an identifier which is sent along with the SAML request to the STS and passed back to the SP without any modification or inspection, in this case it can be dynamic.

To support multiple/Dynamic RelayState URLs, your app must use SP-initiated SSO, and send the RelayState as a parameter in the SAML request as shown below, so that Azure AD can return the same information in the SAML Response.

I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.