SP initiated SSO redirecting to main page instead of the redirect URL that is in the configuration

Deepthi 31 Reputation points
2021-08-13T03:51:34.21+00:00

One of our clients set up SAML SSO using Azure as their identity provider. The SSO connection was successful; however, the SP initiated login doesn't redirect the user to the correct URL that was set up under the relay state URL. The redirect works properly via IdP initiated SSO.

For example:

If we set a relay state URL as https://learn.microsoft.com/en-us/answers/questions/ask.html

For IdP initiated login: It redirects the user to the exact page
For SP initiated SSO: It takes them to home page "https://learn.microsoft.com/en-us" instead of the Q&A page.

Kindly share your insights on this.

Microsoft Entra ID

1 answer

  1. Siva-kumar-selvaraj 15,671 Reputation points
    2021-08-18T18:59:57.11+00:00

    Hello @Deepthi ,

    Sorry for the delayed response.

    For proper ReplyURL honoring in an SP-initiated flow, the AssertionConsumerServiceURL parameter needs to be present in the AuthnRequest generated by the application; otherwise any Reply Address configured in Azure AD can be selected for user redirection.

    You can verify this by collecting a SAML-tracer trace and looking at the AssertionConsumerServiceURL parameter in the "AuthnRequest" to see whether the application insists that Azure AD use a specific redirect URL in the SP-initiated flow.

    For example, if AssertionConsumerServiceURL="https://learn.microsoft.com/en-us" is set by the application in the AuthnRequest and you have multiple redirect URLs configured in Azure AD, then in this case Azure AD always redirects users to the specific URL provided in the AuthnRequest. Hope this helps.


    Reference: https://learn.microsoft.com/azure/active-directory/develop/single-sign-on-saml-protocol

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
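
The check described in the answer can be scripted instead of read by eye from the trace. The following is an added example, not part of the original answer or any Microsoft code: it assumes the application uses the SAML HTTP-Redirect binding (base64 plus raw DEFLATE), and the function names, the `idp.example.invalid` host and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

def decode_redirect_request(url):
    """Return (AuthnRequest XML, RelayState) from a captured SP-initiated redirect URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE, no zlib header
    return xml, params.get("RelayState", [None])[0]

def inspect_authn_request(url, configured_reply_urls):
    """Report whether the SP pins an ACS URL and whether the IdP has it registered."""
    xml, relay_state = decode_redirect_request(url)
    root = ET.fromstring(xml)  # only feed this traces you captured yourself
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    acs = root.get("AssertionConsumerServiceURL")
    return {
        "acs_url": acs,
        "acs_present": acs is not None,  # absent: the IdP picks a reply URL itself
        "acs_in_configured_list": acs in configured_reply_urls if acs else False,
        "relay_state": relay_state,
    }

def build_sample_url(acs_url, relay_state):
    """Constructed sample: encode a minimal AuthnRequest the way an SP would."""
    attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" '
           f'Version="2.0" IssueInstant="2021-08-13T00:00:00Z"{attr}/>')
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return "https://idp.example.invalid/saml2?" + query  # placeholder IdP endpoint

if __name__ == "__main__":
    reply_urls = ["https://learn.microsoft.com/en-us",
                  "https://learn.microsoft.com/en-us/answers/questions/ask.html"]
    url = build_sample_url(reply_urls[0], reply_urls[1])
    for key, value in inspect_authn_request(url, reply_urls).items():
        print(f"{key}: {value}")
```

Paste the redirect URL that SAML-tracer shows for the SP-initiated login in place of the constructed one, and pass the reply URLs registered for the application as the second argument.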

