Spring SAML - how to remember request parameters when initiating login on the SP, and processing them after the IdP response

谁说胖子不能爱 submitted on 2019-12-03 07:25:29

The Spring SAML sample application behaves like this out of the box. When a user hits a page which is protected by Spring Security and requires authentication, the system:

  • remembers parameters which were used to invoke the page (done automatically inside Spring Security using ExceptionTranslationFilter and HttpSessionRequestCache) by storing the information into the HTTP session
  • invokes Spring SAML's entry point (SAMLEntryPoint class) which redirects the user to the IDP, possibly after IDP selection
  • user authenticates at IDP and is redirected back to your application
  • Spring SAML verifies the response and invokes AuthenticationSuccessHandler, which (in the sample application) is of type org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler
  • the success handler checks whether there's a stored request (put there in the first step) and if so it makes the user's browser open the remembered page with the same set of parameters as initially
  • the security check should now pass, provided the authenticated user is authorized to access the page

You could of course implement this using relay state as you intended. The correct way to set relay state is by extending SAMLEntryPoint, overriding method getProfileOptions and returning your desired relay state in the returned WebSSOProfileOptions object.

You can then change the AuthenticationSuccessHandler to org.springframework.security.saml.SAMLRelayStateSuccessHandler, which redirects to the URL returned from the relay state after successful authentication.
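A sketch of the relay-state variant described above, as an added example that is not part of the original answer or of Spring SAML itself. The class name `RelayStateEntryPoint` and the helper `isSafeLocalTarget` are hypothetical. It assumes no IDP discovery step sits between the protected page and the entry point, and that the success handler's redirect strategy prepends the context path to relative URLs.

```java
import java.nio.charset.StandardCharsets;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

// Added example: RelayStateEntryPoint and isSafeLocalTarget are hypothetical names.
public class RelayStateEntryPoint extends SAMLEntryPoint {

    // The SAML 2.0 bindings specification limits RelayState to 80 bytes.
    private static final int MAX_RELAY_STATE_BYTES = 80;

    @Override
    protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context,
            AuthenticationException exception) throws MetadataProviderException {
        // Start from the options configured on the entry point bean.
        WebSSOProfileOptions options = super.getProfileOptions(context, exception);
        InTransport transport = context.getInboundMessageTransport();
        // Assumption: the transport wraps the request that hit the protected page.
        if (transport instanceof HttpServletRequestAdapter) {
            HttpServletRequest request = ((HttpServletRequestAdapter) transport).getWrappedRequest();
            // Context-relative path plus the original query string.
            String target = request.getRequestURI().substring(request.getContextPath().length());
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            // Oversized or non-local targets are dropped; login then proceeds without relay state.
            if (isSafeLocalTarget(target)) {
                options.setRelayState(target);
            }
        }
        return options;
    }

    // Accepts only a path inside this application: no scheme, no host, no control characters.
    static boolean isSafeLocalTarget(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.indexOf('\\') >= 0
                || target.getBytes(StandardCharsets.UTF_8).length > MAX_RELAY_STATE_BYTES) {
            return false;
        }
        return target.chars().noneMatch(c -> c < 0x20 || c == 0x7f);
    }
}
```

Relay state travels through the browser and the IDP, so the value that comes back should pass the same check before the success handler redirects to it.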
