Description
When an IdP initiated login is done with a Relay State URL and if there is no valid session already, the SAML response is processed and the user is redirected to the Relay State URL if authentication is successful.
If the user again does an IdP initiated login now with a Relay State URL, since there is a valid session already, the user is redirected to navpage.do and the Relay state is not honored.
Steps to Reproduce
- Get an IdP initiated login URL with a Relay state.
- Open this URL in a new browser window.
- Authentication is done and the user is redirected to the Relay State URL as desired.
- Open the same URL in a new tab.
- Notice that the Relay state is not honored and the user is redirected to the navpage.do page.
Applicable Versions
All versions.
Workaround
The permanent fix to this issue is available in the form of a system property that can be toggled true/false depending on the requirement. If the requirement is to honor the Relay state even when there is already a valid session, you would need to create/enable the below system property.
Navigate to the System properties table (sys_properties.list) and create the below property if it doesn't already exist.
Name: glide.authenticate.honor.relaystate.for.loggedin.sessions
Type: true|false
Value: true