SAML RelayState

Document created by Erin Hallmark Administrator on Oct 5, 2018Last modified by cody on Oct 5, 2018
Version 2Show Document
  • View in full screen mode

    Official Canvas Document

Canvas + Logo transparent (WHITE)- 300px.png

 

Canvas, as a SAML ServiceProvider, supports special values for RelayState to allow deep linking into Canvas for IdP initiated logins. An IdP can also modify the RelayState for an SP initiated login if it has outside knowledge of where it wants to send the user upon login, rather than the default (either the user's original destination that triggered the login sequence, or the user's dashboard).

 

In general, this functionality should be used sparingly, as deep links into Canvas can remain as bare Canvas links and rely on Canvas built-in behavior to maintain the original destination in order to not obfuscate links.

 

Examples

School maintained portal does an IdP initiated login, sending directly to a specific course:

POST https://school.instructure.com/login/saml?SAMLResponse=...&RelayState=/courses/1

Redirect; Location: https://school.instructure.com/courses/1

 

Consortium WAYF Service redirecting through the appropriate home account for a user:

GET https://school1.instructure.com/courses/1

Redirect; Location: https://wayf.consortium.edu/login/saml?SAMLRequest=...

<User logs in at WAYF; WAYF injects RelayState based on original referrer, but does an IdP initiated login to the consortium account in Canvas, instead of the original destination of school1>

POST https://consortium.instructure.com/login/saml?SAMLResponse=...&RelayState=https://school1.instructure.com/courses/1

Redirect; Location: https://school1.instructure.com/courses/1?session_token=.

Attachments

    Outcomes