Skip to content

Use Advanced Parameters in Authentication Requests

This page guides you through sending SAML parameters with the SAML authentication request.


RelayState

The RelayState parameter is used so that an application can pass some value to the identity provider along with the authentication request and get the same value back with the Response. This value can be any string and can be useful for the application logic (e.g., when there is a failure, redirecting to the URL that comes as the RelayState parameter is one way that this can be used).

  • For an inbound request to WSO2 Identity Server, if the RelayState parameter is present, WSO2 IS sends back the same value in the response.

  • For federation using SAML2, WSO2 Identity Server uses the RelayState parameter to pass the session index, which is required to continue the authentication flow after receiving authentication response.

You can use the RelayState parameter as follows.

https://localhost:9443/samlsso?spEntityID=foo.com&RelayState=http://localhost:8080/foo.com/my-home.jsp

This request will authenticate and redirect the user to the URL in the RelayState parameter itself.


IsPassive

The IsPassive parameter is used to indicate to the identity provider whether WSO2 Identity Server should authenticate the user without any user interaction. This is done using the session cookie if the user has already been authenticated and a valid session cookie already exists. If this parameter is set to true, WSO2 IS authenticates the user using the existing session cookie.

You can use the IsPassive parameter as follows.

https://localhost:9443/samlsso?spEntityID=foo.com&IsPassive=true

forceAuthn

The forceAuthn parameter is used for force authentication. If this parameter is set to true the user will be forced to re-authenticate even if a valid session for that user exists with WSO2 Identity Server already.

https://localhost:9443/samlsso?spEntityID=foo.com&tenantDomain=abc.com&forceAuthn=true

Top