
Problem with double encoding of OIDC state after upgrade to 12.8.02


Article ID: 133620


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

We're running CA Access Gateway (SPS), and implementing "Authorization Endpoint Returns URL Encoded Response", we see that the response gets double encoded:

The CA Access Gateway (SPS) gets the Authorization request as:

   /affwebservices/myapp/oidc/authorize?SMASSERTIONREF=QUERY&response_type [...] &state=38271818-e3fe-4889-af3d-e2625cfee837%2COIDC

The CA Access Gateway (SPS) replies as:

  /commonauth? [...] &state=38271818-e3fe-4889-af3d-e2625cfee837%252COIDC

The state value gets double URL-encoded:

  state=38271818-e3fe-4889-af3d-e2625cfee837%252COIDC

  Decoded ONCE: state=38271818-e3fe-4889-af3d-e2625cfee837%2COIDC

  Decoded TWICE: state=38271818-e3fe-4889-af3d-e2625cfee837,OIDC

So the API gateway is not able to interpret this and understand that it needs to double-decode.

How can we fix this?


Resolution

Upgrade the CA Access Gateway (SPS) to version 12.8SP3 or 14.
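As an added illustration (not part of this article or of the product's code), the Python below reproduces the single- versus double-encoding of the sample state value from the request above and shows the kind of check a relying party or API gateway can log on when a state arrives still percent-encoded after one decode. The query strings are constructed from the article's sample and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode, quote

# Constructed from the article's sample: the state value as it arrives on the
# authorize request, percent-encoded exactly once (the comma is %2C).
AUTHORIZE_QUERY = (
    "SMASSERTIONREF=QUERY&response_type=code"
    "&state=38271818-e3fe-4889-af3d-e2625cfee837%2COIDC"
)

# Any surviving %XX escape after one decode is the tell-tale of double encoding.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def received_state(query: str) -> str:
    """Parse the authorize query; parse_qs percent-decodes each value once."""
    return parse_qs(query)["state"][0]


def build_redirect_correct(query: str) -> str:
    """Correct behaviour: encode the decoded state once in the /commonauth redirect."""
    return "/commonauth?" + urlencode({"state": received_state(query)})


def build_redirect_buggy(query: str) -> str:
    """Reproduce the fault: re-encode the raw value that is already encoded,
    so %2C becomes %252C on the wire."""
    raw = query.split("state=", 1)[1]          # still '...%2COIDC' here
    return "/commonauth?state=" + quote(raw, safe="")


def state_from_redirect(url: str) -> str:
    """What the downstream gateway sees after its own single decode."""
    return parse_qs(url.split("?", 1)[1])["state"][0]


def is_double_encoded(decoded_state: str) -> bool:
    """Relying-party check on a once-decoded state. A legitimate state could
    contain a literal '%', so treat a hit as a signal to log and reject the
    request for investigation rather than as proof of the upstream bug."""
    return bool(PERCENT_ESCAPE.search(decoded_state))
```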