I have successfully configured SAML SSO with OpenAM as the SP and PingFederate as the IdP, with SP-initiated SSO and using the Redirect-POST binding. I am using the Kerberos adapter for implementing SSO.
However, I cannot pass the RelayState parameter from OpenAM to PF and get it back as part of the SAML auto-post form after successful authentication. It always redirects to the OpenAM Assertion Processing Service, i.e. openam/metalias/sp
Things I tried:
I created a binding in the IdP attribute mapping with the name "RelayState", but it appears as part of the signed SAMLResponse and not as an extra parameter in the auto-post form, so OpenAM is not able to get the RelayState.
I also tried passing RelayState URL-encoded, as well as passing it with the name TargetResource. But no luck.
<!-- template name: form.autopost.template.html -->
#set( $messageKeyPrefix = "form.autopost.template." )
<html>
<head>
<title>$templateMessages.getMessage($messageKeyPrefix, "title")</title>
<meta name="referrer" content="origin"/>
<meta http-equiv="x-ua-compatible" content="IE=edge" />
</head>
<body onload="javascript:document.forms[0].submit()">
<noscript>
<p>
<strong>$templateMessages.getMessage($messageKeyPrefix, "noteTitle"):</strong> $templateMessages.getMessage($messageKeyPrefix, "note")
</p>
</noscript>
<form method="post" action="$action">
#foreach( $name in $formControls.keySet() )
<input type="hidden" name="$escape.escape($name)" value="$escape.escape($formControls.get($name))"/>
#end
<input type="hidden" name="RelayState" value="https://www.google.com"/>
<noscript><input type="submit" value="$templateMessages.getMessage($messageKeyPrefix, "resume")"/></noscript>
</form>
</body>
</html>
Out of curiosity, I modified the PingFederate auto-post form to force-include the RelayState parameter, and it worked.
So I need to find a way to pass this information to PF so that PF can then pass it back to the SP (OpenAM) after authentication is done, adding an extra parameter to the SAMLResponse form.
Using 'saml2/jsp/spSSOInit.jsp' instead of the SAML2 authentication module URL solved this issue.
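A diagnostic for the symptom described in the post, added here as an example and not part of the original post or of OpenAM or PingFederate: it parses an IdP auto-post page and reports whether RelayState arrives as its own form field, where the SP reads it, or only as an attribute inside the SAMLResponse. The function names, sample page and URLs are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class FormFields(HTMLParser):
    """Collect name/value pairs of <input> elements from the auto-post page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def locate_relay_state(autopost_html):
    """Return where RelayState travels: top-level form field vs. assertion attribute."""
    parser = FormFields()
    parser.feed(autopost_html)
    found = {"form_field": parser.fields.get("RelayState"), "assertion_attribute": None}
    if "SAMLResponse" in parser.fields:
        # Diagnostic use on pages you captured yourself; for untrusted XML prefer defusedxml.
        # An encrypted assertion would hide its attributes from this check.
        root = ET.fromstring(base64.b64decode(parser.fields["SAMLResponse"]))
        for attr in root.iterfind(".//saml:Attribute[@Name='RelayState']", NS):
            found["assertion_attribute"] = attr.findtext("saml:AttributeValue", "", NS)
    return found

def sample_page(form_value=None, attribute_value=None):
    """Build a constructed auto-post page (sample data, not captured traffic)."""
    stmt = ""
    if attribute_value:
        stmt = ('<saml:AttributeStatement><saml:Attribute Name="RelayState">'
                f"<saml:AttributeValue>{attribute_value}</saml:AttributeValue>"
                "</saml:Attribute></saml:AttributeStatement>")
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
           f"<saml:Assertion>{stmt}</saml:Assertion></samlp:Response>")
    b64 = base64.b64encode(xml.encode()).decode()
    relay = f'<input type="hidden" name="RelayState" value="{form_value}"/>' if form_value else ""
    return ('<form method="post" action="https://sp.example.com/acs">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/>{relay}</form>')

if __name__ == "__main__":
    target = "https://app.example.com/home"  # constructed value
    print(locate_relay_state(sample_page(attribute_value=target)))  # mapped as attribute
    print(locate_relay_state(sample_page(form_value=target)))       # sent as form field
```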