Possible to add custom relay state in SAML login requests?

[reuzel]

passport-saml/src/strategy.ts

Lines 193 to 194 in 72effd8

	const RelayState =
	(req.query && req.query.RelayState) || (req.body && req.body.RelayState);

pulls the relay-state from the request, while it is actually formulating a request towards the SAML IdP.

Two questions:

• Would it be not more opportune to either omit, or otherwise create it from options provided to the authenticate call? This way applications can associate some of their own state with the login request. The passport standard AuthenticateOptions construct has a default state option that might be used for this.
• Would it be possible to expose the relaystate to the verify callback? I can pull it from the request, but I suppose it is cleaner if it is exposed in the API. This way the application can 'recover' the state associated with the login request after the callback.

Regards,
Joost

[srd90]

Would it be not more opportune to either omit, or otherwise create it from options provided to the authenticate call?

Side note:
Based on this comment #157 (comment)
in case of redirect binding (which is default for authnrequestbinding) is used one can already pass RelayState via options object for authenticate function.

See also these codes:

passport-saml/src/strategy.ts

Lines 201 to 202 in 72effd8

	// Defaults to HTTP-Redirect
	this.redirect(await this._saml.getAuthorizeUrlAsync(RelayState, host, options));

and
https://github.com/node-saml/node-saml/blob/7bf1593d8cb6d4e7b0adf0d709a35ee4725c942c/src/saml.ts#L502-L516
and
https://github.com/node-saml/node-saml/blob/7bf1593d8cb6d4e7b0adf0d709a35ee4725c942c/src/saml.ts#L498

[reuzel]

Thank for pointing that out, overriding the RelayState via the options will work for me.

However, I still wonder why the RelayState is fetched from the request in this particular case. You may consider removing it, unless it is part of some particular flow I don't understand at this moment...