4

While implementing SAML-based authentication for one of our applications, I came across a requirement where we need to restore the user's session after authentication by the IdP (Identity Provider). Consider the following scenario:

  1. User tries to open page 1.
  2. Since page 1 requires authentication, we redirect the user to the IdP.
  3. The IdP authenticates and redirects the user back to the SP (Service Provider).

Unfortunately, after authentication the user ends up on the default home page instead of page 1. As per the documentation, we can use relayState to relay information from SP to IdP (during authentication request) and back from IdP to SP.

It looks like WebSSOProfileOptions allows us to specify the relayState value, but in this case the value will not be fixed or static.

How can we pass the current page's URL to relay state so that we can get back the same after authentication and redirect the user back to the same page?

Ankit Rustagi
  • 5,539
  • 12
  • 39
  • 70

1 Answer

2

Resolution:
The official link of Class WebSSOProfileOptions demonstrates the function which sends a custom value in the relayState variable, that is, void setRelayState(String relayState).
A coding example for sending the current URL as the relay state while sending the authentication request to the IdP:

  import org.springframework.context.annotation.Bean;
  import org.springframework.security.saml.SAMLEntryPoint;
  import org.springframework.security.saml.websso.WebSSOProfileOptions;

  @Bean
  public SAMLEntryPoint samlEntryPoint() {
      SAMLEntryPoint entryPoint = new SAMLEntryPoint();
      // The options below are attached to every AuthnRequest this entry point builds
      entryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
      return entryPoint;
  }

  @Bean
  public WebSSOProfileOptions defaultWebSSOProfileOptions() {
      WebSSOProfileOptions options = new WebSSOProfileOptions();
      // Binding used to deliver the AuthnRequest to the IdP
      options.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
      // Placeholder standing in for the original "current-SP-URL"; the bean is built once,
      // so whatever is set here is the value the IdP echoes back in RelayState
      String currentSpUrl = "https://sp.example/page1";
      options.setRelayState(currentSpUrl);
      return options;
  }


Remarks:
(1) Quote your post "It looks like WebSSOProfileOptions allows us to specify the relayState value, but in this case the value will not be fixed or static."

Response:
Yes. The answer to "Why SP-initiated SSO has RelayState as random opaque value" claims that the RelayState in SP-initiated SSO is typically not a URL. Instead, it is an opaque string which gets echoed back by the IdP.
This means that "the value will not be fixed or static".

(2) Quote your question "How can we pass the current page's URL to relay state so that we can get back the same after authentication and redirect the user back to the same page?"

Answer:
The answer to "Why SP-initiated SSO has RelayState as random opaque value" claims that "Based on above description from the specification, the RelayState is just a pointer that the Service Provider will use to find out the final TARGET (an URL). If a SP were to send an URL across to the IDP using the RelayState, it defeats the security model."
This means that we can NOT "pass the current page's URL to RelayState", otherwise, it will defeat the security model established by SAML.
This is why Spring SAML requires that the RelayState value generated by SP-initiated SSO will not be fixed or static, that is, "after authentication the user ends up on the default home page instead of page 1.".

(3) Other information
(I) For SP-initiated SSO, the RelayState value should be an opaque string.
(II) For IdP-initiated SSO, the RelayState value can be the URL the SP should redirect to. This is the de facto standard use of RelayState, as demonstrated by the answer to another StackOverflow question, "What is exactly RelayState parameter used in SSO (Ex. SAML)?".
(III) You can NOT "send current URL as relay state while sending authentication request to IDP", otherwise it will defeat the security model established by SAML, as demonstrated by the answer to "Why SP-initiated SSO has RelayState as random opaque value".

winstonhong
  • 1,214
  • 8
  • 8
  • The problem here is that `WebSSOProfileOptions` allows us to specify a fixed `RelayState`. I am fine with the relayState variable having a value that is not a URL. How do I send a custom value in the `relayState` variable? Also https://stackoverflow.com/questions/34350160/what-is-exactly-relaystate-parameter-used-in-sso-ex-saml states: 'It looks like Google is using RelayState for the target URL even on SP-initiated sign on, which is perfectly fine. But the IDP should, as the documentation says, just relay it back.' This is exactly what I want to achieve. – Ankit Rustagi May 16 '19 at 05:04
  • The official link of the Spring SAML documentation https://docs.spring.io/spring-security-saml/docs/current/api/org/springframework/security/saml/websso/WebSSOProfileOptions.html demonstrates the function which sends a custom value in the relayState variable, that is, void setRelayState(String relayState). For example, WebSSOProfileOptions options = new WebSSOProfileOptions(); options.setRelayState(current-SP-URL); Please refer to the above revised answer for more details. – winstonhong May 16 '19 at 23:14
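The thread leaves the practical gap open: the asker needs a per-request value, while a `WebSSOProfileOptions` bean is built once, and the answer argues the value should be an opaque pointer rather than the page URL. The pattern that satisfies both is to generate a random, short-lived, single-use token per login attempt, store the token-to-path mapping on the SP side, hand only the token to `setRelayState`, and resolve it when the IdP's response arrives. The following is an added example of that store; it is not code from the question, the answer, or the Spring SAML project. `RelayStateStore`, its method names, the 5-minute TTL and the sample paths are all my own choices; the 80-byte cap on RelayState comes from the SAML 2.0 bindings specification. The store only ever remembers an absolute path on the SP itself, so a forged or tampered RelayState can at worst send the user to the SP's own home page, never to another host.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical helper (not part of Spring SAML): issues an opaque, single-use
 * RelayState token per login attempt and resolves it back to the SP-local
 * return path once the IdP has echoed the token back.
 */
public final class RelayStateStore {

    private static final int TOKEN_BYTES = 32;
    // SAML 2.0 Bindings: a RelayState value must not exceed 80 bytes
    private static final int MAX_RELAY_STATE_LENGTH = 80;

    private static final class Entry {
        final String returnPath;
        final Instant expiresAt;
        Entry(String returnPath, Instant expiresAt) {
            this.returnPath = returnPath;
            this.expiresAt = expiresAt;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final Duration ttl;

    public RelayStateStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Called before the AuthnRequest is built; the return value goes into setRelayState(). */
    public String issue(String requestedPath) {
        // Anything that is not a local absolute path is replaced by the home page,
        // so the store can never be used to bounce a user to another host
        String safePath = isSafeLocalPath(requestedPath) ? requestedPath : "/";
        byte[] raw = new byte[TOKEN_BYTES];
        random.nextBytes(raw);
        // 32 random bytes -> 43 URL-safe characters, well inside the 80-byte limit
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Entry(safePath, Instant.now().plus(ttl)));
        return token;
    }

    /** Called when the IdP's Response arrives; the token is removed so it cannot be replayed. */
    public Optional<String> consume(String relayState) {
        if (relayState == null || relayState.length() > MAX_RELAY_STATE_LENGTH) {
            return Optional.empty();
        }
        Entry entry = pending.remove(relayState);
        if (entry == null || Instant.now().isAfter(entry.expiresAt)) {
            return Optional.empty();
        }
        return Optional.of(entry.returnPath);
    }

    /** Accept only an absolute path on this SP: no scheme, no host, no protocol-relative "//" or "/\\". */
    static boolean isSafeLocalPath(String path) {
        if (path == null || !path.startsWith("/") || path.startsWith("//") || path.startsWith("/\\")) {
            return false;
        }
        // Reject control characters that could split the eventual Location header
        return !path.contains("\r") && !path.contains("\n");
    }

    public static void main(String[] args) {
        RelayStateStore store = new RelayStateStore(Duration.ofMinutes(5));

        // Constructed sample: the user asked for page 1, so that path is remembered
        String token = store.issue("/page1?tab=2");
        System.out.println("RelayState sent to IdP: " + token);
        System.out.println("After IdP response:     " + store.consume(token)); // Optional[/page1?tab=2]
        System.out.println("Same token replayed:    " + store.consume(token)); // Optional.empty

        // Constructed sample: an external URL is never stored, only the home page is
        String other = store.issue("https://other.example/landing");
        System.out.println("External target became: " + store.consume(other)); // Optional[/]

        // A RelayState the SP never issued resolves to nothing
        System.out.println("Unknown token:          " + store.consume("not-a-token")); // Optional.empty
    }
}
```

To wire this into Spring SAML instead of the fixed bean in the answer, the options object has to be created per request rather than once: as I recall the library's API, `SAMLEntryPoint` exposes a protected `getProfileOptions(SAMLMessageContext, AuthenticationException)` that a subclass can override to return a fresh `WebSSOProfileOptions` carrying `store.issue(originalPath)`, and on the way back `SAMLCredential.getRelayState()` yields the echoed token to pass to `store.consume(...)`; treat those two names as assumptions to confirm against the Javadoc linked in the comments. In a clustered deployment the `ConcurrentHashMap` would be replaced by a shared cache with the same TTL and remove-on-read semantics.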