RelayState configuration in IdP and SP for Federation Siteminder


Article ID: 136752


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER

Issue/Introduction

 

Where should the RelayState parameter be configured, at the Identity Provider (IdP) or Service Provider (SP) side?

 

Resolution

 

The RelayState does not identify an SPID; it is the target page to which the IdP will send the browser.

Here is a sample of how the RelayState can be configured. The RelayState should be set on the SP in an SP-initiated flow (1).

From the last log, the SPID needs to be set to

  https://mysp.example.com/


  [08/14/2019][09:51:45][10604][9564][<Transaction ID>]
  [SAMLTunnelClient.java][getServiceProviderInfoByID][Tunnel result code: 1.]


  [08/14/2019][09:51:45][10604][9564][<Transaction ID>]
  [SAMLTunnelClient.java][getServiceProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Service Provider data by provider ID. Provider ID: https://mysp.example.com/]


  [08/14/2019][09:51:45][10604][9564][<Transaction ID>]
  [SAML2Base.java][getServiceProviderInfo][SAML2.0 SP Configuration is not in cache. Requesting to get from policy server [CHECKPOINT = SSOSAML2_SPCONFFROMPS_REQ]]


  [08/14/2019][09:51:45][10604][9564][<Transaction ID>]
  [SSO.java][processRequest][Transaction with ID: <Transaction ID> failed. Reason: NO_PROVIDER_INFO_FOUND]


This error can happen if the JVM does not have the JCE patches applied. It can also happen if there is an accented character in the SPID (2)(3)(4).
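
A triage sketch for the trace lines above, added here as an example and not part of the original article or of SiteMinder: it extracts the Provider ID from each failed getServiceProviderInfoByID lookup, then checks it for non-ASCII characters and against the SPIDs configured on the IdP. The function names, the configured-SPID list and the second log entry are assumptions constructed for illustration.

```python
import re
import unicodedata

# Constructed sample in the trace format shown above; the second entry and the
# transaction IDs are made up for illustration.
SAMPLE_LOG = """\
[08/14/2019][09:51:45][10604][9564][tx-1]
[SAMLTunnelClient.java][getServiceProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Service Provider data by provider ID. Provider ID: https://mysp.example.com/]
[08/14/2019][09:52:10][10604][9564][tx-2]
[SAMLTunnelClient.java][getServiceProviderInfoByID][SAMLTunnelStatus: 5, Failed to obtain Service Provider data by provider ID. Provider ID: https://soci\u00e9t\u00e9.example.com/sp]
"""

FAILED_LOOKUP = re.compile(
    r"Failed to obtain Service Provider data by provider ID\. "
    r"Provider ID: (?P<spid>.+?)\]\s*$"
)


def failed_spids(log_text):
    """Return the Provider IDs of failed lookups, in order, without repeats."""
    seen = []
    for line in log_text.splitlines():
        match = FAILED_LOOKUP.search(line)
        if match and match.group("spid") not in seen:
            seen.append(match.group("spid"))
    return seen


def triage(spid, configured_spids):
    """Classify one failed SPID; configured_spids is a list the operator
    supplies from the IdP's partnership configuration (assumed input)."""
    non_ascii = [ch for ch in spid if ord(ch) > 127]
    if non_ascii:
        names = ", ".join(unicodedata.name(ch, "UNKNOWN") for ch in non_ascii)
        return f"non-ASCII character(s) in SPID: {names}"
    if spid in configured_spids:
        return "SPID is configured; check the JCE patches on the JVM"
    # Same value apart from case or a trailing slash: likely a typo in the config.
    for known in configured_spids:
        if known.rstrip("/").lower() == spid.rstrip("/").lower():
            return f"SPID differs from configured value {known!r} (case or trailing slash)"
    return "SPID is not configured on the IdP"


if __name__ == "__main__":
    for spid in failed_spids(SAMPLE_LOG):
        print(spid, "->", triage(spid, ["https://mysp.example.com"]))
```
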

 

Additional Information

 

(1)

    TECH TIP: How to send a RelayState parameter on a SAML federation from Access Gateway?
    
    
(2)

    How To Become a SAML Service Provider
    
    
(3)
    
    SiteMinder SimpleSAMLPHP integration : No SAML2 provider information found for SP
    
    
(4)
    
    Tech Tip : CA Single Sign-On : Web Agent Option Pack return 403 when Service Provider has accentuated character