
ERROR | Wrong destination. | SAML2 Authentication with Custom RelayState in IdP initiated login


Article ID: 241551


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

We followed Broadcom's documentation regarding SAML2 and RelayState and defined the RelayState in ADFS' "SAML Assertion Consumer Endpoint", however we are now facing the error below where there's a mismatch between the expected URL and the received URL (which will always have the RelayState in the URL). We can see that the SSO service properly parses the ssoProductCode and ssoRedirectURL.

ERROR | qtp123445-26    | 2022-05-09 11:11:00,566   |   common.sso.saml2.UserAssertionService
              | Wrong Destination.    Expected: https://netops.pc_node.net:8382/sso/saml2/UserAssertionService or https:///netops.pc_node.net:8382/sso/saml2UserAssertionService. 
Received: https:///netops.pc_node.net:8382/sso/saml2/UserAssetionService?RelayState=SsoRedirectUrl=https://netops.pc_node.net:8182/pc/desktop/page

Is there any way to bypass this error? Given that we followed PM's documentation in order to add the RelayState to the URL we question if the SSO service shouldn't take that into consideration and not throw an error.


Cause

RelayState parameter encoded in the URL

Environment

Release : 20.x, 21.x

Component : SAML2 IdP (MicrosoftADFS) initiated login in PM

Resolution

The RelayState parameter should be delivered in the message (POST) body, not appended to the Assertion Consumer Service URL as a query string:
Body should contain: SAMLResponse=<user assertion possibly encrypted>&RelayState=<relay state>

Additional Information

Destination entry in the UserAssertion (sent to SSO from IDP) gets compared against the <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService.

If that doesn't match exactly, it is treated as a bad Destination URL.
Any additional information in the Destination URL (such as a query string carrying RelayState) is not expected.
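The following is an added illustration, not code from the article or from the DX NetOps product, of the two points above: the Destination check is an exact comparison against <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService, and RelayState travels as a separate form field of the HTTP-POST binding rather than inside the Destination URL. The SAML Response is a constructed minimal sample (unsigned, unencrypted); the function names, the host values and the same-host restriction on SsoRedirectUrl are assumptions for the example, not documented product behaviour.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, parse_qs, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/sso/saml2/UserAssertionService"
REDIRECT_PREFIX = "SsoRedirectUrl="


def expected_acs_url(sso_scheme: str, npc_web_site_host: str, sso_port: int) -> str:
    """Builds the URL the SSO service compares the Destination attribute against."""
    return f"{sso_scheme}://{npc_web_site_host}:{sso_port}{ACS_PATH}"


def build_sample_response(destination: str) -> str:
    """Constructed, minimal samlp:Response carrying only the attributes this check needs."""
    root = ET.Element(f"{{{SAMLP_NS}}}Response", {
        "ID": "_constructed_example_1",
        "Version": "2.0",
        "IssueInstant": "2022-05-09T11:11:00Z",
        "Destination": destination,
    })
    status = ET.SubElement(root, f"{{{SAMLP_NS}}}Status")
    ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(root, encoding="unicode")


def check_destination(saml_response_xml: str, expected: str) -> bool:
    """Exact string comparison: any query string on Destination makes this fail,
    which is what produces the 'Wrong Destination' error in the article."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False
    return root.get("Destination", "") == expected


def build_post_body(saml_response_xml: str, relay_state: str) -> str:
    """HTTP-POST binding body: base64 SAMLResponse plus RelayState as its own field."""
    fields = {
        "SAMLResponse": base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii"),
        "RelayState": relay_state,
    }
    return urlencode(fields)


def handle_post(body: str, expected_acs: str):
    """Service-provider side: returns (destination_ok, redirect_url_or_None).
    The same-host restriction on the redirect target is an added defensive
    choice for this example, not something the article states."""
    fields = parse_qs(body, keep_blank_values=True)
    saml_b64 = fields.get("SAMLResponse", [""])[0]
    relay_state = fields.get("RelayState", [""])[0]
    xml_text = base64.b64decode(saml_b64).decode("utf-8")
    destination_ok = check_destination(xml_text, expected_acs)

    redirect = None
    if relay_state.startswith(REDIRECT_PREFIX):
        candidate = relay_state[len(REDIRECT_PREFIX):]
        if urlparse(candidate).hostname == urlparse(expected_acs).hostname:
            redirect = candidate
    return destination_ok, redirect


if __name__ == "__main__":
    acs = expected_acs_url("https", "netops.pc_node.net", 8382)
    relay = REDIRECT_PREFIX + "https://netops.pc_node.net:8182/pc/desktop/page"

    # Wrong: RelayState appended to the ACS endpoint, so Destination carries a query string.
    wrong = build_sample_response(acs + "?RelayState=" + relay)
    print("Destination with query string accepted:", check_destination(wrong, acs))

    # Right: Destination is the bare ACS URL and RelayState rides in the POST body.
    ok, target = handle_post(build_post_body(build_sample_response(acs), relay), acs)
    print("Destination ok:", ok, "redirect:", target)
```

Running the script prints `False` for the query-string variant and `True` with the desktop page URL for the POST-body variant, which mirrors the before and after of this article.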