We followed Broadcom's documentation regarding SAML2 and RelayState and defined the RelayState in ADFS' "SAML Assertion Consumer Endpoint", however we are now facing the error below where there's a mismatch between the expected URL and the received URL (which will always have the RelayState in the URL). We can see that the SSO service properly parses the ssoProductCode and ssoRedirectURL.
ERROR | qtp123445-26 | 2022-05-09 11:11:00,566 | common.sso.saml2.UserAssertionService
| Wrong Destination. Expected: https://<PortalHostName>:8382/sso/saml2/UserAssertionService or https:///<PortalHostName>:8382/sso/saml2UserAssertionService.
Received: https:///<PortalHostName>:8382/sso/saml2/UserAssetionService?RelayState=SsoRedirectUrl=https://<PortalHostName>:8182/pc/desktop/page
Is there any way to bypass this error? Given that we followed PM's documentation in order to add the RelayState to the URL we question if the SSO service shouldn't take that into consideration and not throw an error.
Release : 20.x, 21.x
Component : SAML2 IdP (MicrosoftADFS) initiated login in PM
The RelayState parameter is being encoded in the URL (query string) instead of being sent as a form field.
RelayState parameter should be delivered in the message (POST) body:
Body should contain: SAMLResponse=<user assertion possibly encrypted>&RelayState=<relay state>
Please also confirm DNS. The /etc/hosts file should be set up to reflect how SSO and DNS are expected to work.
If anything is off, or a host name is not fully qualified (or unqualified) where it should be, this will also cause this error.
Destination entry in the UserAssertion (sent to SSO from IDP) gets compared against the <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService.
If that doesn't match, it is treated as a bad Destination URL.
Any additional info in the Destination URL is not expected.
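To illustrate the exact-match Destination check and the difference between RelayState as a POST form field versus RelayState encoded into the URL, here is an added Python example; it is not Clarity PPM or Broadcom code, the host name portal.example.com and the function names are assumptions, and the SAML Response is a constructed, unsigned stub.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

ACS_PATH = "/sso/saml2/UserAssertionService"


def expected_acs_url(sso_scheme, npc_web_site_host, sso_port):
    """Build the only Destination value the SSO service accepts (per the article)."""
    return f"{sso_scheme}://{npc_web_site_host}:{sso_port}{ACS_PATH}"


def check_destination(saml_response_xml, expected):
    """Exact string compare of the Response's Destination attribute.
    Anything extra, such as an encoded RelayState query string, is a mismatch."""
    root = ET.fromstring(saml_response_xml)
    received = root.get("Destination")
    if received != expected:
        return False, f"Wrong Destination. Expected: {expected}. Received: {received}"
    return True, "Destination OK"


def build_post_body(saml_response_xml, relay_state):
    """HTTP-POST binding: RelayState travels as its own form field, not in the URL."""
    encoded = base64.b64encode(saml_response_xml.encode()).decode()
    return urlencode({"SAMLResponse": encoded, "RelayState": relay_state})


def parse_post_body(body):
    """What the assertion consumer sees: decoded Response XML plus the RelayState field."""
    fields = parse_qs(body)
    xml = base64.b64decode(fields["SAMLResponse"][0]).decode()
    return xml, fields.get("RelayState", [None])[0]


def sample_response(destination):
    """Constructed, minimal, unsigned Response used only to exercise the check."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'ID="_example" Version="2.0" Destination="{destination}"/>'
    )


if __name__ == "__main__":
    expected = expected_acs_url("https", "portal.example.com", 8382)
    relay = "SsoRedirectUrl=https://portal.example.com:8182/pc/desktop/page"
    # Correct: RelayState in the POST body, Destination untouched.
    xml, state = parse_post_body(build_post_body(sample_response(expected), relay))
    print(check_destination(xml, expected), state)
    # Wrong: RelayState appended to the Destination URL, as in the reported error.
    print(check_destination(sample_response(expected + "?RelayState=" + relay), expected))
```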