IdP Initiated / SAML SSO to O365 as SP - RelayState Seems to be Ignored

Eric Hendrickson 5 Reputation points
2023-03-02T11:36:43.37+00:00

Background

We are trying to use IdP-initiated SSO from a non-Microsoft IdP to AAD via a federated domain. SSO is working very well, so no issues with getting SSO configured. Both SP- and IdP-initiated flows work well, but for some reason, having added RelayState to the SAML assertion on the IdP-initiated flow, while SSO works, it never seems to honor the RelayState target URL (which is a SharePoint Online URL).

Goal

Authenticated with IdP Already ->

IdP-initiated SSO URL with RelayState of something inside of SharePoint (URL encoded) ->

IdP POST SAML to https://login.microsoftonline.com/login.srf (I've confirmed this contains RelayState) ->

AAD sends to RelayState URL

Actual Results

Last route sends to office.com and not the RelayState URL

Questions

  1. Is there something I'm possibly missing?
  2. Does Microsoft even support RelayState for a third-party IdP-initiated login flow?

1 answer

  1. Shweta Mathur 27,051 Reputation points Microsoft Employee
    2023-03-07T08:33:19.3133333+00:00

    Hi @Eric Hendrickson ,

    Thanks for reaching out.

    In Azure AD, the relay state is static and instructs the application where to redirect users after authentication is completed.

    However, relay state in the SP-initiated flow is meant to be used as an identifier which is sent along with the SAML request to the STS and passed back to the SP without any modification or inspection; in this case it can be dynamic.

    To support multiple/dynamic RelayState URLs, your app must use SP-initiated SSO and send the RelayState as a parameter in the SAML request as shown below, so that Azure AD can return the same information in the SAML Response.

    I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.
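The answer above recommends the SP-initiated pattern: the SP puts a RelayState on the AuthnRequest, the IdP echoes it back unchanged on the SAML Response, and the SP decides where to land the user. Because the IdP returns it without inspection, the value is attacker-controllable on the way back, so an SP must never redirect to it blindly. The following is an added example (not code from the asker, the answerer, or Microsoft) of the SP side of that pattern: it encodes an AuthnRequest for the HTTP-Redirect binding, sends an opaque token as RelayState instead of the raw SharePoint URL (the SAML Bindings spec says RelayState SHOULD NOT exceed 80 bytes, and a full SharePoint path easily does), and on return resolves the token against a server-side, single-use map with an allow-list check. Entity IDs, endpoint URLs, host names and the in-memory store are assumptions chosen for illustration; request signing is omitted.

```python
"""SP-initiated SAML AuthnRequest with a dynamic RelayState, and safe
handling of the RelayState the IdP echoes back. Added example; all
identifiers below are placeholders, not the asker's real tenant."""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse

# Assumed SP and IdP identifiers (placeholders). IDP_SSO_URL stands in for
# the IdP's SAML 2.0 SSO endpoint; the Azure AD one is tenant-specific.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml2"
ALLOWED_TARGET_HOSTS = {"sp.example.com", "contoso.sharepoint.com"}
DEFAULT_TARGET = "https://sp.example.com/"

# Server-side map: opaque RelayState token -> intended post-login URL.
# In production this would be a short-TTL cache or an authenticated cookie.
PENDING_TARGETS: dict[str, str] = {}


def is_allowed_target(url: str) -> bool:
    """Only absolute https URLs on an allow-listed host, with no userinfo
    and no odd port, may become post-login redirect targets."""
    p = urlparse(url)
    return (
        p.scheme == "https"
        and p.hostname in ALLOWED_TARGET_HOSTS
        and p.username is None
        and p.port in (None, 443)
    )


def register_target(target_url: str) -> str:
    """Validate the requested landing page and return a short opaque token.

    The token, not the URL, travels as RelayState: it stays well under the
    80-byte guidance and leaks nothing about the destination to the IdP."""
    if not is_allowed_target(target_url):
        target_url = DEFAULT_TARGET
    token = secrets.token_urlsafe(24)  # 32 URL-safe characters
    PENDING_TARGETS[token] = target_url
    return token


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Minimal unsigned AuthnRequest asking for a POST-bound response."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    return base64.b64encode(raw).decode()


def decode_redirect_binding(b64: str) -> str:
    """Inverse of encode_redirect_binding, as the IdP would apply it."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def build_sso_redirect(target_url: str) -> tuple[str, str]:
    """Return (URL to send the browser to, request ID to keep for InResponseTo)."""
    request_id = "_" + secrets.token_hex(16)
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode({
        "SAMLRequest": encode_redirect_binding(build_authn_request(request_id, issue_instant)),
        "RelayState": register_target(target_url),
    })
    return f"{IDP_SSO_URL}?{query}", request_id


def resolve_relay_state(acs_form: dict[str, str]) -> str:
    """Consume the RelayState echoed back on the POST to the ACS.

    The IdP returns it unmodified, so treat it as untrusted input: look the
    token up (single use) and fall back to a safe default on any miss."""
    token = acs_form.get("RelayState", "")
    return PENDING_TARGETS.pop(token, None) or DEFAULT_TARGET
```

Usage: call `build_sso_redirect("https://contoso.sharepoint.com/sites/hr/Shared%20Documents/plan.docx")` when an unauthenticated user hits a deep link, redirect the browser to the returned URL, and after signature and `InResponseTo` validation of the SAML Response call `resolve_relay_state(request.form)` to get the landing page. A RelayState of `https://evil.example/phish` pasted into the POST by an attacker simply misses the map and lands on `DEFAULT_TARGET`.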