This page walks through the redirect flow of SAML Single Sign On, using a Confluence page as the example.

To follow and reproduce these steps, activate redirection for the plugin and enable detailed logging for it (see Troubleshooting).

1 ) Forced redirection to the SAML Single Sign On Servlet

An unauthenticated user accesses an internal Confluence page: https://confluence5911.lab.resolution.de/display/TEST/TESTPAGE

The plugin intercepts the request and redirects the user to the SAML Single Sign On Servlet. The original destination page is appended to the URL as the redirectTo parameter:
https://confluence5911.lab.resolution.de/plugins/servlet/samlsso?redirectTo=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE

Debug Log:

DEBUG [http-nio-8443-exec-16] [atlasplugins.samlsso.servlet.RedirectToSsoFilter] doFilter Redirecting to https://confluence5911.lab.resolution.de/plugins/servlet/samlsso?redirectTo=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE
DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Original url is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

2 ) Redirection to the Identity Provider

The plugin creates the SAML request and redirects the user to the Identity Provider.

The destination URL consists of the IdP POST Binding URL + SAMLRequest + RelayState:

http://adfs01.lab.resolution.de:8080?SAMLRequest=pZHBbsIwEER%2FJfKdxAmlohYJQkWVkOgFaA%2B9GduQNPZu6rVRP78GKRKHHir1uPLO7MzzYvntbHYxnjqEmpU5Z5kBhbqDc83eDi%2BTOVs2C5LODmIVQws78xUNhSzpgMTtoWbRg0BJHQmQzpAISuxXr1tR5VwMHgMqtCxbERkf0qFnBIrO%2BL3xl06Zt922Zm0IA4miUAgnG1MGM3sqy9zKY%2B4NoY1XYa5NMdh47oCK5HWxJhTXCETIsnWK1YEMtyZXu%2BQm9Yn4Ly5izuep6mZdM6lVj61yqBGt1W372QOeUVndqwHS0Dp3bG2ftomi2QAFCaFmFS8fJ2U5mfJDORUVFzOe84fqg2XvI85Un43wbmL%2Fd2xyhMWa%2F6JZFPcRmnG8%2F87mBw%3D%3D&RelayState=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE

Debug Log:

DEBUG [http-nio-8443-exec-1] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromClient Redirecting to: http://adfs01.lab.resolution.de:8080?SAMLRequest=pZHBbsIwEER%2FJfKdxAmlohYJQkWVkOgFaA%2B9GduQNPZu6rVRP78GKRKHHir1uPLO7MzzYvntbHYxnjqEmpU5Z5kBhbqDc83eDi%2BTOVs2C5LODmIVQws78xUNhSzpgMTtoWbRg0BJHQmQzpAISuxXr1tR5VwMHgMqtCxbERkf0qFnBIrO%2BL3xl06Zt922Zm0IA4miUAgnG1MGM3sqy9zKY%2B4NoY1XYa5NMdh47oCK5HWxJhTXCETIsnWK1YEMtyZXu%2BQm9Yn4Ly5izuep6mZdM6lVj61yqBGt1W372QOeUVndqwHS0Dp3bG2ftomi2QAFCaFmFS8fJ2U5mfJDORUVFzOe84fqg2XvI85Un43wbmL%2Fd2xyhMWa%2F6JZFPcRmnG8%2F87mBw%3D%3D&RelayState=%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE


3 ) Redirection back to the SAML Single Sign On Servlet

The Identity Provider redirects the user back to the SAML Single Sign On Servlet:

https://confluence5911.lab.resolution.de/plugins/servlet/samlsso

The Identity Provider returns the RelayState parameter together with the SAMLResponse, which you can check in the debug log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP RelayState parameter is /pages/viewpage.action?spaceKey=TEST&title=TESTPAGE


4 ) Redirection to the original destination page

After the user is authenticated in Confluence, the plugin uses the RelayState to redirect the user to the original destination page:

https://confluence5911.lab.resolution.de/pages/viewpage.action?spaceKey=TEST&title=TESTPAGE

Debug Log:

DEBUG [http-nio-8443-exec-6] [atlasplugins.samlsso.servlet.SamlSsoServlet] processRequestFromIdP Redirecting to https://confluence5911.lab.resolution.de/pages/viewpage.action?spaceKey=TEST&title=TESTPAGE
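
To confirm from the debug log that the destination survives the round trip unchanged and stays on the Confluence host, the check below (an added example, not part of the plugin or its documentation) extracts redirectTo, both RelayState values and the final redirect from the log lines of steps 1 to 4 and compares them. It assumes the log covers a single login flow; the function names are hypothetical and the SAMLRequest value is replaced by a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Debug lines from steps 1-4 above; only the SAMLRequest value is a placeholder.
HOST = "https://confluence5911.lab.resolution.de"
DEST = "%2Fpages%2Fviewpage.action%3FspaceKey%3DTEST%26title%3DTESTPAGE"
PLAIN = "/pages/viewpage.action?spaceKey=TEST&title=TESTPAGE"
SERVLET = "[atlasplugins.samlsso.servlet.SamlSsoServlet]"
SAMPLE_LOG = "\n".join([
    f"DEBUG [http-nio-8443-exec-16] [atlasplugins.samlsso.servlet.RedirectToSsoFilter] doFilter Redirecting to {HOST}/plugins/servlet/samlsso?redirectTo={DEST}",
    f"DEBUG [http-nio-8443-exec-1] {SERVLET} processRequestFromClient Original url is {PLAIN}",
    f"DEBUG [http-nio-8443-exec-1] {SERVLET} processRequestFromClient Redirecting to: http://adfs01.lab.resolution.de:8080?SAMLRequest=PLACEHOLDER&RelayState={DEST}",
    f"DEBUG [http-nio-8443-exec-6] {SERVLET} processRequestFromIdP RelayState parameter is {PLAIN}",
    f"DEBUG [http-nio-8443-exec-6] {SERVLET} processRequestFromIdP Redirecting to {HOST}{PLAIN}",
])
# One pattern per log message of the flow, keyed by a hypothetical name.
PATTERNS = {
    "filter_redirect": r"doFilter Redirecting to (\S+)",
    "original_url": r"processRequestFromClient Original url is (\S+)",
    "idp_redirect": r"processRequestFromClient Redirecting to:? (\S+)",
    "relay_state": r"processRequestFromIdP RelayState parameter is (\S+)",
    "final_redirect": r"processRequestFromIdP Redirecting to (\S+)",
}

def param(url, name):
    return parse_qs(urlsplit(url).query).get(name, [None])[0]

def trace(log):
    hits = {key: re.search(pat, log) for key, pat in PATTERNS.items()}
    return {key: m.group(1) if m else None for key, m in hits.items()}

def check(log):
    # Returns a list of problems; an empty list means the flow is consistent.
    t = trace(log)
    problems = [f"missing log line: {k}" for k, v in t.items() if v is None]
    if problems:
        return problems
    origin = "{0.scheme}://{0.netloc}".format(urlsplit(t["filter_redirect"]))
    values = {
        "redirectTo": param(t["filter_redirect"], "redirectTo"),
        "RelayState sent": param(t["idp_redirect"], "RelayState"),
        "RelayState returned": t["relay_state"],
    }
    dest = t["original_url"]
    problems += [f"{k} differs from original url" for k, v in values.items() if v != dest]
    if not dest.startswith("/") or dest.startswith("//") or "\\" in dest:
        problems.append("destination is not a path on the Confluence host")
    if t["final_redirect"] != origin + dest:
        problems.append("final redirect does not match origin + original url")
    return problems
```

Running check() over a captured log returns an empty list when all four values agree; any entry names the step at which the destination changed.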