
Relaystate parameter is returned as NULL from IDP

Published: Jun 26, 2023
Description
The user makes a request to Force.com for a specific resource: This request may happen in a variety of ways for a variety of reasons. For example, the user may be following a bookmark, clicking on a link from an email, or allowing their browser to auto-complete.
Force.com detects that the user needs to authenticate and redirects the user to their SAML Identity Provider: Since the user doesn't present a session cookie, they need to authenticate. An organization-specific hostname allows the user's Org to be discovered, and they are sent over the SAML protocol. Along with the SAML Request, a form parameter called RelayState is passed along to the IDP. This captures the location of the resource the user originally requested.
If you are using SAML 2.0, the RelayState parameter controls where users get redirected after a successful login.

Issue: If the RelayState returned from the IDP is NULL in the SAML response, the user lands on the Home page by default.

Resolution
  • Verify the SAML request and response to check that the RelayState parameter is not NULL. You can use Fiddler logs or SAML tracer (Firefox plugin) to check this.

Example request sent to the IDP:
RequestBinding: HTTPPost
PartnerId: https://demoorg.na2.force.com/login
so: 00Dx0000000XXXX
POST
RelayState: /00O/0

Example response returned from the IDP:
GET
so: 00Dx0000000YYYY
POST
RelayState:
/00O/0

POST https://xxxxxxx.mysalesforce.com/idp/login?xxxxxxxxxSAML
POST https://xxxxxxx.my.salesforce.com/?so=xxxxxxxxxSAML
In the above example, "/00O/" is the object key prefix for reports. After successful sign-on, the user is automatically redirected to the Reports tab in Salesforce.

Note: Salesforce sends the SAML request as a POST, so check that the IDP login URL provided by your IDP is not handling it as a GET request; otherwise the RelayState parameter will be returned as NULL.
 
  • If the RelayState is returned as NULL, one option to resolve the issue is to change the value of Service Provider Initiated Request Binding from HTTP Post to HTTP Redirect in the Single Sign-On Settings and then change the Identity Provider Login URL accordingly.

Here is an example scenario:
Consider a user who has received an email with a link to an opportunity record. If the user is not logged in to the org, clicking the link redirects the user to the Salesforce or SSO login screen, depending on the org's login settings. After successful authentication using SSO, the user is expected to be redirected to the opportunity record. However, if the RelayState is NULL, the user is redirected to the home screen. Updating the SSO settings as described above can resolve this issue so that the user is redirected to the corresponding opportunity record.
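The RelayState check from the Resolution section, as an added example that is not part of this article or of Salesforce's own tooling. It takes the two hops of an SP-initiated login (the request Salesforce POSTs to the IDP and the response the IDP returns) as (method, URL, body) tuples such as a SAML tracer or Fiddler log would show, and reports whether RelayState was preserved and whether the IDP answered with a GET, which the article identifies as the cause of a NULL RelayState. Hostnames and the SAMLRequest/SAMLResponse values are constructed placeholders.

```python
"""Check a captured SAML SP-initiated login exchange for a lost RelayState."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture (placeholder hostnames and SAML blobs).
SP_REQUEST = ("POST", "https://idp.example.test/idp/login",
              "SAMLRequest=PLACEHOLDER&RelayState=%2F00O%2F0")
IDP_RESPONSE_OK = ("POST", "https://example.my.salesforce.com/?so=00Dx0000000XXXX",
                   "SAMLResponse=PLACEHOLDER&RelayState=%2F00O%2F0")
# An IDP that replies with a GET carries no form body, so RelayState is lost.
IDP_RESPONSE_GET = ("GET",
                    "https://example.my.salesforce.com/?so=00Dx0000000XXXX&SAMLResponse=PLACEHOLDER",
                    "")


def form_params(method, url, body):
    """Parameters of one hop: the form body for POST, the query string for GET."""
    raw = body if method.upper() == "POST" else urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def check_relay_state(sp_request, idp_response):
    """Compare RelayState across both hops and explain any mismatch."""
    # An empty "RelayState=" is treated the same as a missing one (NULL).
    sent = form_params(*sp_request).get("RelayState") or None
    got = form_params(*idp_response).get("RelayState") or None
    findings = []
    if sent is None:
        findings.append("SP did not send a RelayState; nothing to preserve")
    method = idp_response[0].upper()
    if method != "POST":
        findings.append("IDP returned via %s, not HTTP POST; RelayState is dropped" % method)
    if sent is not None and got is None:
        findings.append("RelayState is NULL in the IDP response; user will land on Home")
    elif sent is not None and got != sent:
        findings.append("RelayState changed in transit: %r -> %r" % (sent, got))
    return {"sent": sent, "returned": got,
            "preserved": sent is not None and got == sent, "findings": findings}


if __name__ == "__main__":
    for label, resp in (("POST response", IDP_RESPONSE_OK), ("GET response", IDP_RESPONSE_GET)):
        result = check_relay_state(SP_REQUEST, resp)
        print(label, "preserved:", result["preserved"], result["findings"])
```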

Developer Doc: Implementing Single Sign-On Across Multiple Organizations

 
Knowledge Article Number

000388029

 
Salesforce Help | Article