Pass in a non-empty RelayState for user interactive authentication with SAML #7552
Conversation
clokep
force-pushed
the
clokep/saml-relaystate
branch
from
e9390d1 to
f4b450b
Compare
clokep
force-pushed
the
clokep/saml-relaystate
branch
from
7925d46 to
91cece8
Compare
clokep
force-pushed
the
clokep/saml-relaystate
branch
from
91cece8 to
7219696
Compare
|
I debated about whether this should be inside of the |
| # Some SAML identity providers (e.g. Google) require a | ||
| # RelayState parameter on requests. It is not necessary here, so | ||
| # pass in a dummy redirect URL (which will never get used). | ||
| client_redirect_url = b"unused" |
There was a problem hiding this comment.
Does google do anything with this? Or is it just echoed back? I'm mainly just checking that this isn't ever user visible or used in a way that will cause things to break if its not a URL
There was a problem hiding this comment.
I believe it is just echoed back, a common use seems to be for the "url you want to end up at after login", many examples (e.g. Auth0, Okta docs) use both absolute and relative URLs (things like https://my-site.com/the/resource/you/want as well as just /the/resource/you/want). I do not believe this is usually shown to the user during login in anyway.
To repeat some of #7484, it seems that some SAML identity providers (e.g. Google) require that a
RelayStateparameter is passed in, even though it is optional. We do not use a relay state for UI auth, but can provide a dummy one in that case.Fixes #7484