ERROR | Wrong destination. | SAML2 Authentication with Custom RelayState in IdP initiated login

Article ID: 241551

Products

CA Performance Management Network Observability

Issue/Introduction

We followed Broadcom's documentation regarding SAML2 and RelayState and defined the RelayState in ADFS' "SAML Assertion Consumer Endpoint"; however, we are now facing the error below, where there is a mismatch between the expected URL and the received URL (which will always have the RelayState in the URL). We can see that the SSO service properly parses the ssoProductCode and ssoRedirectURL.

ERROR | qtp123445-26    | 2022-05-09 11:11:00,566   |   common.sso.saml2.UserAssertionService
              | Wrong Destination.    Expected: https://<PortalHostName>:8382/sso/saml2/UserAssertionService or https:///<PortalHostName>:8382/sso/saml2UserAssertionService. 
Received: https:///<PortalHostName>:8382/sso/saml2/UserAssetionService?RelayState=SsoRedirectUrl=https://<PortalHostName>:8182/pc/desktop/page

Is there any way to bypass this error? Given that we followed PM's documentation in order to add the RelayState to the URL, we question whether the SSO service shouldn't take that into consideration and not throw an error.

Environment

Release : 20.x, 21.x

Component : SAML2 IdP (MicrosoftADFS) initiated login in PM

Cause

The RelayState parameter was encoded in the endpoint URL (as a query string) instead of being carried in the POST body.

Resolution

The RelayState parameter should be delivered in the message (POST) body, not appended to the endpoint URL. The body should contain:
SAMLResponse=<user assertion, possibly encrypted>&RelayState=<relay state>

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/dx-netops/22-2/Performance-Monitoring-with-DX-Performance-Management/securing/single-sign-on/set-up-saml-2-0-support/how-to-set-up-saml-authentication/configure-the-idp.html

Please also confirm DNS. The /etc/hosts file should be set up properly so that SSO and DNS resolve the portal host consistently.

Any mismatch, including a host name that is unqualified where it should be fully qualified (or the reverse), will also cause this error.

Additional Information

The Destination entry in the UserAssertion (sent to SSO from the IdP) is compared against <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService.

If the two do not match exactly, it is treated as a bad Destination URL.
No additional information (such as a query string) is expected in the Destination URL.
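The following Python example is added here to illustrate both the Resolution and the Additional Information sections; it is not Broadcom's code and does not reproduce the SSO service's implementation. It reconstructs the strict Destination comparison described above (exact match against <SsoScheme>://<NpcWebSiteHost>:<SsoPort>/sso/saml2/UserAssertionService, any query string rejected) and shows the IdP side building the ACS POST body with SAMLResponse and RelayState as separate form fields. The host name portal.example.internal, the ports, the minimal unsigned samlp:Response and the helper names are all constructed for the demonstration; it goes a little beyond the article by showing the receiving side unpacking the same body.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ACS_PATH = "/sso/saml2/UserAssertionService"

# Constructed placeholder values standing in for the deployment's real
# SsoScheme / NpcWebSiteHost / SsoPort settings.
SSO_SCHEME = "https"
NPC_WEB_SITE_HOST = "portal.example.internal"
SSO_PORT = 8382
RELAY_STATE = "SsoRedirectUrl=https://portal.example.internal:8182/pc/desktop/page"


def expected_destination(scheme=SSO_SCHEME, host=NPC_WEB_SITE_HOST, port=SSO_PORT):
    """The single URL the Destination attribute must equal (no query string)."""
    return f"{scheme}://{host}:{port}{ACS_PATH}"


def check_destination(destination, scheme=SSO_SCHEME, host=NPC_WEB_SITE_HOST, port=SSO_PORT):
    """Strict comparison as the article describes. Returns (ok, reason)."""
    expected = expected_destination(scheme, host, port)
    parts = urlsplit(destination)
    if parts.query or parts.fragment:
        return False, ("Wrong destination: Destination carries extra data "
                       "(query/fragment); RelayState belongs in the POST body")
    if destination != expected:
        return False, f"Wrong destination. Expected: {expected} Received: {destination}"
    return True, "ok"


def destination_from_response(saml_response_xml):
    """Extract the Destination attribute from a samlp:Response document."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response element")
    return root.attrib.get("Destination", "")


def build_acs_post_body(saml_response_xml, relay_state):
    """Form body the IdP POSTs to the ACS: SAMLResponse (base64) and RelayState
    as separate form fields, so the endpoint URL itself stays clean."""
    encoded = base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")
    return urlencode({"SAMLResponse": encoded, "RelayState": relay_state})


def parse_acs_post_body(body):
    """Inverse of build_acs_post_body: returns (decoded XML text, relay_state)."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    xml_text = base64.b64decode(fields["SAMLResponse"][0]).decode("utf-8")
    return xml_text, fields.get("RelayState", [""])[0]


def make_response(destination):
    """Constructed minimal, unsigned samlp:Response for the demo (not a real assertion)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_demo1" Version="2.0" '
            f'IssueInstant="2022-05-09T11:11:00Z" Destination="{destination}">'
            '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '</samlp:Response>')


def validate_acs_post(body):
    """What a receiving ACS does: unpack the body, then check Destination.
    Returns (ok, reason, relay_state)."""
    xml_text, relay_state = parse_acs_post_body(body)
    ok, reason = check_destination(destination_from_response(xml_text))
    return ok, reason, relay_state


if __name__ == "__main__":
    # Misconfigured IdP: RelayState appended to the endpoint URL -> rejected.
    bad = build_acs_post_body(
        make_response(expected_destination() + "?RelayState=" + RELAY_STATE), "")
    print(validate_acs_post(bad))
    # Correct setup: clean Destination, RelayState carried as its own form field.
    good = build_acs_post_body(make_response(expected_destination()), RELAY_STATE)
    print(validate_acs_post(good))
```

Running the script prints one rejection and one acceptance: the first body fails only because the Destination carries a query string, while the second passes and still delivers the same RelayState value to the service through the form field, which is the configuration the linked Broadcom documentation describes.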