Default Relay State for SAML IDP-Initiated Login

[mattzell]

I am attempting to use SAML IDP-Initiated login (from Authentik User Interface page to Service Provider) to log into an application that requires a Relay State be set as a query param on the login.

The software that I am trying to authenticate using SAML is called Shellngn https://www.shellngn.com/ . Their support indicated that we'll need to set a default relay_state to be sent along with the POST request that is sent to the ACS url of Shellngn. The default value that is required is {"organizationId":1} . They provided a screenshot of where this configuration exists in Okta.

Currently when getting to the POST step in the authentication process we are getting a 500 error in response from Shellngn and we believe the absence of this relay_state to be the cause of this error. Is there any way to set this in authentik for IDP-initiated logins?

• authentik version: 2023.6.1
• Deployment: Docker Compose

[BeryJu]

Ah interesting, that makes sense to be configurable

[mist0706]

I to am suffering from the exact issue. The shellngn server simply responds with the following:
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}
Is there any workaround?

[mattzell]

To my understanding it needs to come from the post request that originates from Authentik. I believe this is why it was tagged as an enhancement.

If you would like to enter directly from the Authentik User page, currently the workaround is to change the application URL to just the shellngn install main page and click "Company Login (SSO)"

[mist0706]

To my understanding it needs to come from the post request that originates from Authentik. I believe this is why it was tagged as an enhancement.

If you would like to enter directly from the Authentik User page, currently the workaround is to change the application URL to just the shellngn install main page and click "Company Login (SSO)"

Can you show what fields need to be changed with screenshots? I tried to just remove the "saml/assert" section from the ACS url but then it just says "Not found"

[mattzell]

Inside shellngn SSO settings, make sure shellngn URL is properly set.

Make note of the Assertion Consumer URL and Entity Id

Inside the SAML provider inside Authentik you need the following:

• ACS URL - This is the Assertion Consumer URL from shellngn
• Issuer - This is the Entity Id from shellngn
• Service Provider Binding - Post

Advanced protocol settings:

• Signing Certificate - Choose a certificate you would like to use or use Authentik Self-signed Certificate
• NameID Property Mapping - This is what the name will be inside of shellngn, for my usage I chose authentik default SAML Mapping: Email this is up to you
• Save

On Authentik Download the Signing Certificate from the SAML provider page.
Make note of the SSO URL (Redirect) and SLO URL (Redirect)

Go back to shellngn SSO options

• IdP Login url - SSO URL (Redirect) from Authentik SAML provider page
• IdP Logout URL - SLO URL (Redirect) from Authentik SAML provider page
• Upload the certificate you downloaded from the Authentik SAML provider page
• Enable

As long as the Authentik SAML provider is assigned to an application you should be able to initiate SSO from the shellngn login page (not the Authentik user interface)

Logging in from the shellngn login page is SP-initiated (service provider) SSO, that is not what this issue is referencing.

Logging in from the Authentik User Interface page is IdP-initiated (Identity Provider) SSO, which is what this issue is in regard to. If you click on your application within the Authentik User Interface and not on the shellngn login page this method will still not work for you.

Hope this clears things up.

[benedikt-bartscher]

This is also required for RingCentral