Invalid relayState in Cognito

0

Is there documentation on what the format for a valid relayState would be in Cognito? I cannot seem to properly format a relayState that Cognito will accept, and can find no documentation on the subject. The standard RelayState format used as specified in other places (e.g. https://jackstromberg.com/adfs-relay-state-generator/) causes Cognito to throw an invalid relayState message.

The setup is to use ADFS as a SAML identity provider and to enable logoff flow. I then log in via my app, and go to the ADFS screen to log out. Initially it threw a missing relayState, but I fixed that by placing a RelayState query parameter in ADFS for my logout path. It recognizes that I added the parameter, but apparently cannot parse it (thus throwing an invalid relayState).

Asked 4 years ago, 5644 views
9 answers
0
Accepted answer

We have heard requests for IdP-Initiated SSO and will take this as a +1 for this feature request but we can not provide an ETA for this.

AWS
Support Engineer
Answered 4 years ago
0

"Is there documentation on what the format for a valid relayState would be in Cognito?"

  • No, we don't have a published format for this but this can be decoded from network requests. Cognito relay states consist of a JSON object with userpool details with a signature appended to it.

"I cannot seem to properly format a relayState that Cognito will accept, and can find no documentation on the subject. The standard RelayState format used as specified in other places (e.g. https://jackstromberg.com/adfs-relay-state-generator/) causes Cognito to throw an invalid relayState message."

  • This is expected. Even if a valid JSON relayState can be created from available information, the signature part can't be generated. So, in short, you can't generate relayState and use IdP-Initiated SSO.

"The set up is to use ADFS as a SAML identity provider and to enable logoff flow. I then log in via my app, and go to the ADFS screen to log out. Initially it threw a missing relayState, but I fixed that by placing a RelayState query parameter in ADFS for my logout path. It recognizes that I added the parameter, but apparently cannot parse it (thus throwing an invalid relayState)."

AWS
Support Engineer
Answered 4 years ago
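The answer above describes the relay state as a JSON object carrying user-pool details with a signature appended, which is why a value built by hand (for example in the `RPID=...&RelayState=...` style of the ADFS generator linked in the question) is rejected. The following Python is an added illustration and is not Cognito's code: the signing key, the field names and the `payload.signature` encoding are assumptions made here to model that shape. It issues an HMAC-signed state and shows the verifier rejecting both a hand-crafted ADFS-style value and an issued value whose payload was edited after signing.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. The real signing key and exact encoding used by
# Cognito are not published; this models only the shape the answer describes.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore padding stripped by _b64url; raises binascii.Error on junk input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_relay_state(user_pool_id: str, client_id: str, redirect_uri: str) -> str:
    """Service side: serialize the pool details and append an HMAC over them.

    Field names are hypothetical; the point is that the state is opaque to the
    client and bound to a secret only the service holds.
    """
    payload = json.dumps(
        {"userPoolId": user_pool_id, "clientId": client_id, "redirectUri": redirect_uri},
        separators=(",", ":"),
        sort_keys=True,
    ).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def verify_relay_state(relay_state: str) -> Optional[dict]:
    """Return the decoded payload if the service issued it, otherwise None.

    Anything the service did not sign (a hand-built value, a tampered copy,
    malformed base64) is treated identically: the request is refused.
    """
    try:
        payload_b64, tag_b64 = relay_state.split(".", 1)
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(obj, dict) or "userPoolId" not in obj:
        return None
    return obj


def tamper_redirect(relay_state: str, new_redirect: str) -> str:
    """Edit the payload of an issued state while keeping its original signature."""
    payload_b64, tag_b64 = relay_state.split(".", 1)
    obj = json.loads(_b64url_decode(payload_b64))
    obj["redirectUri"] = new_redirect
    edited = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64url(edited)}.{tag_b64}"


if __name__ == "__main__":
    # Constructed sample values (placeholders, not a real pool or client).
    issued = issue_relay_state("us-east-1_EXAMPLE", "exampleclientid",
                               "https://app.example.com/callback")
    print("issued   :", verify_relay_state(issued))
    handmade = "RPID=urn%3Aexample&RelayState=https%3A%2F%2Fapp.example.com"
    print("handmade :", verify_relay_state(handmade))
    print("tampered :", verify_relay_state(tamper_redirect(issued, "https://evil.example")))
```

Only the service that holds `SIGNING_KEY` can mint a state that passes `verify_relay_state`, which is the property the answer relies on when it says the signature part cannot be generated from the outside; that is also why an IdP-initiated flow, where the IdP would have to supply the state, cannot work with this design.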
0

The logout request needs to be generated from Cognito. ... Enabling this flow sends a signed logout request to the SAML IdP with a valid relay state when the LOGOUT Endpoint is called.

Yes - that is working. I have "Enable IdP Signout Flow" checked, and when logging in and out from my application I can get proper login and logout from ADFS. However, when I attempt to log in (or log out) of my application from the ADFS screens (a process we call IDP signin) it doesn't work correctly. It doesn't work because Cognito is looking for a relay state parameter which I can't provide it. There is a place in ADFS where I can place an encoded relayState parameter to enable this functionality, but I can't formulate a correct one.

Answered 4 years ago
0

So, in short, you can't generate relayState and use IdP-Initiated SSO

That's my problem, I guess. That's too bad. Is there a desire sometime in future to allow for this?

Edited by: RaviSDesai on Jun 2, 2020 12:23 PM

Answered 4 years ago
0

Please add my +1 for IdP-initiated SSO.

Our use case: We're providing an application to enterprise customers, and have heard the question on how to integrate our app into the enterprise application directory through IdP-initiated SSO every time. Right now our answer to this is to configure the application directory to link to our application directly, and have that trigger SP-initiated sign-in. This works, but is obviously not what the enterprise IT departments expect.

Edited by: ankon on Mar 25, 2021 4:56 PM

ankon
Answered 3 years ago
0

+1

Answered 3 years ago
0

+1

hmarin
Answered 3 years ago
0

Both logoutUrl and callbackUrls are available in the escape hatch of the user pool client (CDK .net).

The documentation says that if logoutUrl is specified in the UserPool stack then the Relay State is not required (this is specific to Azure AD IdP), but even after using the escape hatch to specify the URLs for the UserPoolClient, the Azure AD app client throws a "Relay State parameter required" error or an "Invalid Relay State from Identity Provider" error.

It seems like a grey area.

Can someone help by shedding some light on this?

hey-rjv
Answered 3 years ago
0

+1 has there been any change in that feature, or lack thereof?

Answered 3 years ago
