ERROR | Wrong destination. | SAML2 Authentication with Custom RelayState in IdP initiated login
Article ID: 241551
Updated On: 10-12-2023
Products
Issue/Introduction
We followed Broadcom's documentation regarding SAML2 and RelayState and defined the RelayState in ADFS' "SAML Assertion Consumer Endpoint", however we are now facing the error below where there's a mismatch between the expected URL and the recieved URL (which will always have the RelayState in the URL). We can se that the SSO service properly parses the ssoProductCode and ssoRedirectURL.
ERROR | qtp123445-26 | 2022-05-09 11:11:00,566 | common.sso.saml2.UserAssertionService
| Wrong Destination. Expected: https://<PortalHostName>:8382/sso/saml2/UserAssertionService or https:///<PortalHostName>:8382/sso/saml2UserAssertionService.
Received: https:///<PortalHostName>:8382/sso/saml2/UserAssetionService?RelayState=SsoRedirectUrl=https://<PortalHostName>:8182/pc/desktop/pageIs there any way to bypass this error? Given that we followed PM's documentation in order to add the RelayState to the URL we question if the SSO service shouldn't take that into consideration and not throw an error.
Environment
Release : 20.x, 21.x
Component : SAML2 IdP (MicrosoftADFS) initiated login in PM
Cause
RelayState parameter encoded in the URL
Resolution
RelayState parameter should be delivered in the message (POST) body:
Body should contain: SAMLResponse=<user assertion possibly encrypted>&RelayState=<relay state>
Please also confirm DNS. The /etc/hosts file should be properly setup to how SSO and DNS should work.
If anything is off, or not fully qualified/unqualified where it should be will also cause this error.
Additional Information
Destination entry in the UserAssertion (sent to SSO from IDP) gets compared against the <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService.
If that doesn't match, it is treated as a bad Destination URL.
Any additional info in the Destination URL is not expected.
Feedback
