goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

SAML RelayState problem with app.buddy.works #3321

Closed cfoellmann closed 1 year ago

cfoellmann commented 2 years ago

I am trying to configure SSO via SAML to the CI/CD Service https://buddy.works

Docs for buddy: https://buddy.works/docs/account/sso/saml-sso

Connecting SSO via SAML to our authentik

buddy ERROR is: SSO provider error: Missing RelayState from your IdP provider

Is there any way that authentik does NOT send RelayState back to the initiating application?

Can I configure that somewhere?

Version and Deployment (please complete the following information):

jazzyj123 commented 1 year ago

I also have this problem too with Aruba ClearPass. It complains that it is missing the relay state.

BeryJu commented 1 year ago

RelayState is a value that the Service Provider (i.e. not authentik in this case) passes to the IDP (in this case authentik)

The one condition in which authentik sets the RelayState is using the IdP initiated login, which not all service providers support. I'm assuming for both of your setups, this error comes up when clicking on the application in authentik? You can also identify an IdP initiated login by the URL ending in sso/binding/init/

jazzyj123 commented 1 year ago

For me it is an SP-initiated login, but even if I log into authentik first and then log into the application I still get the same error. Other SAML works fine but this one doesn't seem to work. I believe the URL you provided would have been what I used.

BeryJu commented 1 year ago

Are you using a SAML Post or Redirect binding? For the redirect binding, can you post the server logs? Alternatively you can install https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en which will show the SAML requests

jazzyj123 commented 1 year ago

It is a SAML Post. I will spin it back up and paste the output back in here. Appreciated.

cfoellmann commented 1 year ago

I will test again too, and will post a more detailed rundown of my testing with buddy -> saml.

cfoellmann commented 1 year ago

I did update to 2022.11.1 and just wanted to give a more detailed rundown of my problem. I still get the "SSO provider error: Missing RelayState from your IdP provider" error from buddy.

It is a little harder to debug/get debug info because buddy.works opens a popup window when testing the SAML connection.

Buddy Docs:

https://buddy.works/docs/account/sso/saml-sso

Buddy SSO Config Data:

[screenshot: Buddy SSO config data]

Authentik > Provider > SAML

[screenshots: authentik SAML provider settings]

cfoellmann commented 1 year ago

The RelayState needs to be returned back to the SP without modification. See https://stackoverflow.com/a/34351756/4610734

Is there any way (Property Mapping) to implement that? For you devs it might be easy as pie, but for me as a non-typescript guy it looks to be a big task.

Any input? Maybe that should be in the SAML provider itself? Otherwise in the docs.

BeryJu commented 1 year ago

Yes, this is what authentik currently does: the RelayState is saved with the incoming SAML request, and then included in the GET/POST response.

cfoellmann commented 1 year ago

I am not sure with what version of Authentik this was "fixed", but it now works without any trouble, with the same settings I tried with the older version.