Tagged: IDP initiated federation
May 19, 2019 at 10:08 pm #25822
With IdP-initiated federation, my application needs to pass an external parameter to the vendor site in addition to RelayState and the SAML assertion.
How do I customize ForgeRock to allow additional parameters to be sent to the vendor after IdP-initiated SSO succeeds?
For example: I need to post MyOtherActivities=AAAAAAA to the vendor.
Thanks in advance.
Mei

May 20, 2019 at 6:27 pm #25830
Kavithak (Participant)
Have you tried this below:
&RelayState=XYZ%26MyOtherActivities=AAAAAAA

May 21, 2019 at 5:36 pm #25838
Thanks for the quick response, Kavithak! It looks like ForgeRock IDPinitedsso only passes over RelayState and SAMLResponse after authentication; the extra query string gets lost after authentication. We have an old system and need to send MyOtherActivities=AAAAAAA separately from RelayState. Is there a way to customize ForgeRock to carry over the extra query string?
Mei

May 22, 2019 at 11:50 pm #25839
grk (Participant)
@mei-liusaa-com Is this additional parameter value static? The IDPInitSSO URL does not support any additional query parameters.
I see only the 3 options below to pass a value to the SP.
1. Pass it in the SAML response. If this value is static, you can set that static value in the attribute mapping as MyOtherActivities="AAAAAAA". The SP will get it from the SAML response.
2. If the value you are passing for RelayState is a URL and the application is expecting this query parameter, append it to the RelayState URL itself. You probably have to URL-encode the RelayState value.
3. If the service provider is expecting this value, append it to the SP Assertion Consumer Service (ACS) URL.
Ravikumar Geejula

May 23, 2019 at 6:07 am #25843
I'm at the #3 use case. Here is the browser trace log:
#1 Start with the IdP-initiated request with the additional query string OtherActivities
#2 External authentication to create the FR session
#3 After the ForgeRock session was created
#4 POST request to the SP ACS
Form data contains two parameters only: SAMLResponse and RelayState.
MyOtherActivities=AAAAAAA was dropped at #4. This is the problem. I'm looking for which ForgeRock adaptor class allows me to customize and add MyOtherActivities to the #4 request.
Thanks for the help.
May 24, 2019 at 12:32 am #25848
grk (Participant)
For #3, you need to append your query parameter to the ACS URL as below.
I think it is better if you get this ACS URL from the SP so that it will match on both sides and it will not fail in SP-initiated SSO.
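The two URL-based options from grk's earlier reply (#2, carry the parameter inside RelayState; #3, append it to the ACS URL) and the trace above (only SAMLResponse and RelayState reach the ACS at step #4) can be worked through with plain URL handling. The following is an added example, not code from the thread or from ForgeRock: the hostnames, the `metaAlias` and `spEntityID` values and the SAMLResponse string are constructed placeholders, and the IdP-side function only simulates the auto-post form, it does not build a real assertion. The SP-side function also shows the check a practitioner wants before trusting RelayState: it is user-controlled, so confirm it points at your own application before following it or reading parameters from it.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example; hostnames, metaAlias and spEntityID are
# placeholders (assumed idpssoinit parameter names), not values from the thread.
IDP_INIT_SSO = "https://idp.example.com/openam/idpssoinit"
IDP_META_ALIAS = "/idp"
SP_ENTITY_ID = "https://vendor.example.com/saml/metadata"
SP_HOST = "vendor.example.com"


def build_idp_initiated_url(target_url, extra_params):
    """Option #2: carry the extra parameter inside the RelayState URL.

    The inner query string is built first, then the whole RelayState is
    percent-encoded once as a value of the outer query string, so its own
    '?', '&' and '=' survive the trip through the IdP untouched.
    """
    sep = "&" if "?" in target_url else "?"
    relay_state = target_url + sep + urlencode(extra_params)
    outer = {"metaAlias": IDP_META_ALIAS, "spEntityID": SP_ENTITY_ID,
             "RelayState": relay_state}
    return IDP_INIT_SSO + "?" + urlencode(outer)


def idp_post_to_acs(sso_url, saml_response_b64):
    """Simulate step #4 of the trace: after authentication the IdP auto-posts
    a form to the ACS that carries only SAMLResponse and RelayState. Any other
    query parameter on the idpssoinit URL is not forwarded."""
    query = parse_qs(urlsplit(sso_url).query)
    return {"SAMLResponse": saml_response_b64,
            "RelayState": query["RelayState"][0]}


def sp_params_from_relay_state(form_fields):
    """SP side: RelayState is attacker-influenced input, so check that it
    points at this application before using it, then pull the parameters
    out of its query string (the IdP returned it unchanged)."""
    relay = form_fields["RelayState"]
    parts = urlsplit(relay)
    if parts.scheme != "https" or parts.netloc != SP_HOST:
        raise ValueError("RelayState does not point at this application")
    return {k: v[0] for k, v in parse_qs(parts.query).items()}


def acs_url_with_param(acs_url, extra_params):
    """Option #3: append the parameter to the ACS URL. The resulting URL is
    what the IdP posts to, so it must match the ACS URL in SP metadata."""
    sep = "&" if "?" in acs_url else "?"
    return acs_url + sep + urlencode(extra_params)


if __name__ == "__main__":
    url = build_idp_initiated_url("https://vendor.example.com/app/landing",
                                  {"MyOtherActivities": "AAAAAAA"})
    print(url)
    # Placeholder base64 of "<samlp:Response/>", not a real assertion.
    fields = idp_post_to_acs(url, "PHNhbWxwOlJlc3BvbnNlLz4=")
    print(sorted(fields))                      # only SAMLResponse and RelayState
    print(sp_params_from_relay_state(fields))  # {'MyOtherActivities': 'AAAAAAA'}
    print(acs_url_with_param("https://vendor.example.com/saml/acs",
                             {"MyOtherActivities": "AAAAAAA"}))
```

Running it shows why Kavithak's `%26` suggestion is the right idea but must be applied to the whole RelayState value: the IdP never re-encodes RelayState, so whatever encoding the SP sees is exactly what the link encoded. For option #3, the query string becomes part of the ACS URL the SP has to publish in its metadata, which is the point grk makes about getting the URL from the SP side.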