SAML RelayState

Official Canvas Document

Canvas, as a SAML ServiceProvider, supports special values for RelayState to allow deep linking into Canvas for IdP initiated logins. An IdP can also modify the RelayState for an SP initiated login if it has outside knowledge of where it wants to send the user upon login, rather than the default (either the user's original destination that triggered the login sequence, or the user's dashboard).

In general, this functionality should be used sparingly, as deep links into Canvas can remain as bare Canvas links and rely on Canvas built-in behavior to maintain the original destination in order to not obfuscate links.

Examples

School maintained portal does an IdP initiated login, sending directly to a specific course:

POST <A href="https://school.instructure.com/login/saml?SAMLResponse=...&RelayState=/courses/1" target="test_blank" rel="nofollow noopener noreferrer">https://school.instructure.com/login/saml?SAMLResponse=...&RelayState=/courses/1</A><BR /><BR />Redirect; Location: <A href="https://school.instructure.com/courses/1‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍" target="test_blank" rel="nofollow noopener noreferrer">https://school.instructure.com/courses/1‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍</A><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN>

Consortium WAYF Service redirecting through the appropriate home account for a user:

GET <A href="https://school1.instructure.com/courses/1" target="test_blank" rel="nofollow noopener noreferrer">https://school1.instructure.com/courses/1</A><BR /><BR />Redirect; Location: <A href="https://wayf.consortium.edu/login/saml?SAMLRequest=" target="test_blank" rel="nofollow noopener noreferrer">https://wayf.consortium.edu/login/saml?SAMLRequest=</A>.<BR /><BR /><User logs in at WAYF; WAYF injects RelayState based on original referrer, but does an IdP initiated login to the consortium account in Canvas, instead of the original destination of school1><BR /><BR />POST <A href="https://consortium.instructure.com/login/saml?SAMLResponse=...&RelayState=https://school1.instructure.com/courses/1" target="test_blank" rel="nofollow noopener noreferrer">https://consortium.instructure.com/login/saml?SAMLResponse=...&RelayState=https://school1.instructure.com/courses/1</A><BR /><BR />Redirect; Location: <A href="https://school1.instructure.com/courses/1?session_token=.‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍" target="test_blank" rel="nofollow noopener noreferrer">https://school1.instructure.com/courses/1?session_token=.‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍</A><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN>

Example SAML Login Flow

Example SAML Login Flow WAYF | RelayState.png

Find more posts tagged with

Admin

Comments

PhillipJacobs

Hi Erin,
Do you have an example of this flow when there is multiple authentication providers setup in Canvas?
Thank you,
-Phil

IanGoh

Hi Phil (or Erin)

Did you ever get this to work? We're interested but can't find any documentation.

Ian

IanGoh

Unfortunately, it looks like Erin's no longer with Instructure.