relay state

docbook/reference/en/en-US/modules/saml.xml

@@ -193,5 +193,8 @@
             go to the client page in the admin console of the client you want to set this up for.  Specify the <literal>IDP Initiated SSO URL Name</literal>.  This is a simple string
             with no whitespace in it.  After this you can reference your client at the following URL:  <literal>root/auth/realms/{realm}/protocol/saml/clients/{url-name}</literal>
         </para>
+        <para>
+            If your client requires a special relay state, you can also configure this in the admin console.
+        </para>
     </section>
 </chapter>

forms/common-themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html

@@ -211,6 +211,13 @@
                 </div>
                 <kc-tooltip>URL fragment name to reference client when you want to do IDP Initiated SSO.  Leaving this empty will disable IDP Initiated SSO.  The URL you will reference from your browser will be: {server-root}/realms/{realm}/protocol/saml/clients/{client-url-name}</kc-tooltip>
             </div>
+            <div class="form-group clearfix block" data-ng-show="protocol == 'saml'">
+                <label class="col-md-2 control-label" for="idpInitiatedRelayState">IDP Initiated SSO Relay State</label>
+                <div class="col-sm-6">
+                    <input ng-model="client.attributes.saml_idp_initiated_sso_relay_state" class="form-control" type="text" name="idpInitiatedRelayState" id="idpInitiatedRelayState" />
+                </div>
+                <kc-tooltip>Relay state you want to send with SAML request when you want to do IDP Initiated SSO.</kc-tooltip>
+            </div>
             <div class="form-group" data-ng-show="!client.bearerOnly && !create && protocol == 'openid-connect'">
                 <label class="col-md-2 control-label" for="newWebOrigin">Web Origins</label>
 

saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java

@@ -59,7 +59,6 @@ import java.util.UUID;
  * @version $Revision: 1 $
  */
 public class SamlProtocol implements LoginProtocol {
-    public static final String SAML_IDP_INITIATED_SSO_URL_NAME = "saml_idp_initiated_sso_url_name";
     protected static final Logger logger = Logger.getLogger(SamlProtocol.class);
 
 
@@ -95,6 +94,8 @@ public class SamlProtocol implements LoginProtocol {
     public static final String SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT";
     public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
     public static final String SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for";
+    public static final String SAML_IDP_INITIATED_SSO_RELAY_STATE = "saml_idp_initiated_sso_relay_state";
+    public static final String SAML_IDP_INITIATED_SSO_URL_NAME = "saml_idp_initiated_sso_url_name";
 
     protected KeycloakSession session;
 

saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java

@@ -609,6 +609,11 @@ public class SamlService {
         clientSession.setNote(SamlProtocol.SAML_IDP_INITIATED_LOGIN, "true");
         clientSession.setRedirectUri(redirect);
 
+        String relayState = client.getAttribute(SamlProtocol.SAML_IDP_INITIATED_SSO_RELAY_STATE);
+        if (relayState != null && !relayState.trim().equals("")) {
+            clientSession.setNote(GeneralConstants.RELAY_STATE, relayState);
+        }
+
 
         return newBrowserAuthentication(clientSession);