The Spring SAML sample application behaves the same as out-of-the-box Spring Security. When a user clicks on a page that is protected by Spring Security and requires authentication, the system:

- remembers the parameters that were used to invoke the page (performed automatically within Spring Security using ExceptionTranslationFilter and HttpSessionRequestCache) by storing the information in the HTTP session
- calls the Spring SAML entry point (SAMLEntryPoint class), which redirects the user to the IDP, possibly after selecting an IDP
- the user authenticates with the IDP and is redirected back to your application
- Spring SAML checks the response and calls the AuthenticationSuccessHandler, which (in the sample application) is of type org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler
- the success handler checks whether there is a saved request (stored in the first step) and, if so, redirects the user's browser to the page with the same set of parameters as the original request
- the security check should now pass if the authenticated user has access to the page

Of course, you can implement this using the relay state as you planned. The correct way to set the relay state is to extend SAMLEntryPoint, override the getProfileOptions method and return the desired relay state in the returned WebSSOProfileOptions object.

You can then change the AuthenticationSuccessHandler to org.springframework.security.saml.SAMLRelayStateSuccessHandler, which redirects to the URL carried in the relay state after successful authentication.
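As an added example (not code from the answer or from the Spring SAML project), a SAMLEntryPoint subclass that does what the last two paragraphs describe: it puts the path the user originally requested into the relay state, and accepts only a same-site path, because the relay state is echoed back by the IDP unauthenticated and then used as a redirect target by SAMLRelayStateSuccessHandler. The class name is mine; it assumes Spring SAML 1.0.x, where the parent getProfileOptions returns a clone of the configured default options.

```java
import javax.servlet.http.HttpServletRequest;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

// Hypothetical entry point: carries the originally requested local path to the IdP as
// RelayState so that SAMLRelayStateSuccessHandler can send the browser back there.
public class RelayStateEntryPoint extends SAMLEntryPoint {
    // SAML 2.0 bindings cap RelayState at 80 bytes.
    private static final int MAX_RELAY_STATE_LENGTH = 80;

    @Override
    protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context,
            AuthenticationException exception) throws MetadataProviderException {
        // Parent returns a clone of defaultProfileOptions, or null if none were configured.
        WebSSOProfileOptions options = super.getProfileOptions(context, exception);
        if (options == null) {
            options = new WebSSOProfileOptions();
        }
        String target = requestedPath(context);
        if (target != null) {
            options.setRelayState(target);
        }
        return options;
    }

    // Path (plus query string) of the request that triggered the entry point, or null.
    static String requestedPath(SAMLMessageContext context) {
        InTransport transport = context.getInboundMessageTransport();
        if (!(transport instanceof HttpServletRequestAdapter)) {
            return null;
        }
        HttpServletRequest request = ((HttpServletRequestAdapter) transport).getWrappedRequest();
        String path = request.getRequestURI();
        if (request.getQueryString() != null) {
            path += "?" + request.getQueryString();
        }
        return safeLocalPath(path);
    }

    // RelayState returns from the IdP unauthenticated and becomes a redirect target, so
    // accept only a same-site absolute path: no scheme, no protocol-relative "//host".
    static String safeLocalPath(String path) {
        if (path == null || !path.startsWith("/") || path.startsWith("//")
                || path.length() > MAX_RELAY_STATE_LENGTH) {
            return null;
        }
        return path;
    }
}
```

Register this class in place of the samlEntryPoint bean in the sample's securityContext.xml and set SAMLRelayStateSuccessHandler as the successHandler of the SAML processing filter.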