
Problem with double encoding of OIDC state after upgrade to 12.8.02


Article ID: 133620


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER


We're running CA Access Gateway (SPS) and, implementing "Authorization Endpoint Returns URL Encoded Response", we see that the response gets double-encoded:

The CA Access Gateway (SPS) gets the Authorization request as:

   /affwebservices/myapp/oidc/authorize?SMASSERTIONREF=QUERY&response_type [...] &state=38271818-e3fe-4889-af3d-e2625cfee837%2COIDC

The CA Access Gateway (SPS) replies as:

  /commonauth? [...] &state=38271818-e3fe-4889-af3d-e2625cfee837%252COIDC

The state value gets double URL-encoded:

  Decoded ONCE: state=38271818-e3fe-4889-af3d-e2625cfee837%2COIDC

  Decoded TWICE: state=38271818-e3fe-4889-af3d-e2625cfee837,OIDC

So the API gateway is not able to interpret this and understand that it needs to double-decode.

How can we fix this?


Upgrade the CA Access Gateway (SPS) to version 12.8SP3 or 14.
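Until the upgrade is in place, the relying party or API gateway that consumes the /commonauth redirect can at least detect the condition instead of failing with an opaque state mismatch. The following is an added example, not code from the article or from CA/Broadcom: it assumes the state value stored before the redirect is available to the callback handler, and the URL and state values are constructed from the ones quoted above.

```python
import hmac
from urllib.parse import unquote, urlsplit

# Constructed sample values modelled on the article: the state the relying party
# stored before redirecting, and the redirect the gateway actually produced.
STORED_STATE = "38271818-e3fe-4889-af3d-e2625cfee837,OIDC"
REDIRECT_URL = ("https://rp.example/commonauth?code=abc"
                "&state=38271818-e3fe-4889-af3d-e2625cfee837%252COIDC")

MAX_DECODE_DEPTH = 2  # one decode is normal; a second means an upstream hop double-encoded


def state_from_url(url):
    """Return the raw, still percent-encoded, state parameter from a redirect URL.
    parse_qs would decode once silently, so split by hand to keep the raw form."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "state":
            return value
    return None


def match_state(raw_state, stored_state, max_depth=MAX_DECODE_DEPTH):
    """Return how many percent-decoding passes make raw_state equal stored_state,
    or None if it never matches within max_depth. 1 is the normal case; 2 means the
    value was double-encoded upstream, as in the article."""
    candidate = raw_state
    for depth in range(1, max_depth + 1):
        candidate = unquote(candidate)
        # constant-time comparison so the state check itself leaks nothing
        if hmac.compare_digest(candidate.encode(), stored_state.encode()):
            return depth
    return None


def validate_callback(url, stored_state):
    """Classify the callback: reject on missing/mismatched state, and flag (rather than
    silently absorb) a state that only matches after a second decode."""
    raw = state_from_url(url)
    if raw is None:
        return ("reject", "state parameter missing")
    depth = match_state(raw, stored_state)
    if depth is None:
        return ("reject", "state does not match the stored value")
    if depth > 1:
        return ("accept-warn", f"state matched only after {depth} decodes: upstream double-encoding")
    return ("accept", "state ok")
```

Log the "accept-warn" outcome so the double-encoding is visible in monitoring; whether to accept or reject at depth 2 is a local policy decision, and the real fix is the upgrade above.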