
ERROR | Wrong destination. | SAML2 Authentication with Custom RelayState in IdP initiated login


Article ID: 241551


Updated On:


CA Performance Management - Usage and Administration DX NetOps


We followed Broadcom's documentation regarding SAML2 and RelayState and defined the RelayState in ADFS' "SAML Assertion Consumer Endpoint", however we are now facing the error below where there's a mismatch between the expected URL and the received URL (which will always have the RelayState in the URL). We can see that the SSO service properly parses the ssoProductCode and ssoRedirectURL.

ERROR | qtp123445-26    | 2022-05-09 11:11:00,566   |   common.sso.saml2.UserAssertionService
              | Wrong Destination.    Expected: or https:/// 
Received: https:///

Is there any way to bypass this error? Given that we followed PM's documentation in order to add the RelayState to the URL we question if the SSO service shouldn't take that into consideration and not throw an error.



RelayState parameter encoded in the URL


Release : 20.x, 21.x

Component : SAML2 IdP (MicrosoftADFS) initiated login in PM


RelayState parameter should be delivered in the message (POST) body:
Body should contain: SAMLResponse=<user assertion possibly encrypted>&RelayState=<relay state>

Additional Information

The Destination entry in the UserAssertion (sent to SSO from the IdP) is compared against <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService.

If that doesn't match, it is treated as a bad Destination URL.
Any additional info in the Destination URL is not expected.
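
The check described above can be reproduced offline to see why a RelayState appended to the endpoint URL fails while a RelayState sent as a POST field passes. This is an added example, not Broadcom's code: the host pm.example.test, port 8381, the relay-state value, the unsigned sample Response and the helper names are constructed, and exact string equality is an assumption about how the comparison is done.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode
from xml.sax.saxutils import quoteattr

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def expected_destination(scheme, host, port):
    # <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService
    return f"{scheme}://{host}:{port}/sso/saml2/UserAssertionService"


def build_post_body(destination, relay_state=None):
    """Build a constructed, unsigned HTTP-POST form body for the demo."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_constructed" '
           f'Version="2.0" Destination={quoteattr(destination)}/>')
    fields = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


def check_post_body(body, expected):
    """Return (destination_ok, destination, relay_state) for a form body."""
    form = parse_qs(body, keep_blank_values=True)
    # Diagnostic use on captured traffic; use a hardened XML parser
    # (for example defusedxml) if the input is untrusted.
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("SAMLResponse does not contain a samlp:Response")
    destination = root.get("Destination")
    relay_state = form.get("RelayState", [None])[0]
    # Assumption: exact string equality, so any query string is a mismatch.
    return destination == expected, destination, relay_state


if __name__ == "__main__":
    exp = expected_destination("https", "pm.example.test", 8381)  # constructed
    good = build_post_body(exp, "example-relay-state")
    bad = build_post_body(exp + "?RelayState=example-relay-state")
    for label, body in (("RelayState in body", good), ("RelayState in URL", bad)):
        print(label, check_post_body(body, exp))
```

Running `check_post_body` on a form body captured from the browser's network trace shows which Destination the IdP actually wrote into the response.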