Federation Transaction failing with ACS_INVALID_TARGET

Article ID: 259592


Products

SITEMINDER

Issue/Introduction

A federation transaction fails with ACS_INVALID_TARGET.

The following is observed in the logs:

[AssertionConsumer.java][getRealmForTarget][targetURL:f04acd13-f761-4376-942a-2355b85974f5 usingRelayState: true]
[FWSBase.java][validateTarget][Invalid TARGET resource Requested. Target=f04acd13-f761-4376-942a-2355b85974f5.]
[AssertionConsumer.java][getRealmForTarget][Invalid target URL: f04acd13-f761-4376-942a-2355b85974f5]
[AssertionConsumer.java][getRealmForTarget][Ending SAML2 AssertionConsumer Service request processing with HTTP error 400]
[AssertionConsumer.java][getRealmForTarget][Transaction with ID: 9c97d86a-c975bae9-36fda387-8847b514-92f625c3-c failed. Reason: ACS_INVALID_TARGET]

Environment

Release: 12.8.x

Resolution

This can be caused by an invalid RelayState value.

Per our guide and the SAML standard, the RelayState must be URL-encoded when initiating an SP or IdP SAML transaction.

Please see the link below for more details:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/urls-to-initiate-single-sign-on.html

In this scenario, the following RelayState value was used to trigger a SiteMinder SP-initiated request:

GET https://accessgateway.test/affwebservices/public/saml2authnrequest?
ProviderID=IDPID
&RelayState=ss%3Amem%3A67e49e9f223714d445fd3e458800a518af2b9ed87da344d5486a77a7c70966e5

As you can see, the RelayState is not a valid URL. SiteMinder still generated a SAMLRequest and passed it to the IdP, which returned an assertion.

SiteMinder attempted to consume the assertion and validate the RelayState value (since the SP partnership is configured with "Relay State overrides target").

Since the value of the RelayState is not a valid URL, SiteMinder returns the following:

[AssertionConsumer.java][getRealmForTarget][targetURL:f04acd13-f761-4376-942a-2355b85974f5 usingRelayState: true]
[FWSBase.java][validateTarget][Invalid TARGET resource Requested. Target=f04acd13-f761-4376-942a-2355b85974f5.]
[AssertionConsumer.java][getRealmForTarget][Invalid target URL: f04acd13-f761-4376-942a-2355b85974f5]
[AssertionConsumer.java][getRealmForTarget][Ending SAML2 AssertionConsumer Service request processing with HTTP error 400]
[AssertionConsumer.java][getRealmForTarget][Transaction with ID: 9c97d86a-c975bae9-36fda387-8847b514-92f625c3-c failed. Reason: ACS_INVALID_TARGET]

 

A URL-encoded value must be used in the RelayState to fix this issue.
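
The following is an added example, not code from this article or from the product. It scans trace lines like the ones above for ACS_INVALID_TARGET failures and builds the SP-initiated request URL only when the RelayState is a URL. It assumes "valid URL" means an absolute http(s) URL with a host; the function names and the app.example.test address used with it are hypothetical.

```python
import re
from urllib.parse import urlsplit, quote

# Constructed sample: trace lines as quoted in this article.
SAMPLE_LOG = """\
[AssertionConsumer.java][getRealmForTarget][targetURL:f04acd13-f761-4376-942a-2355b85974f5 usingRelayState: true]
[FWSBase.java][validateTarget][Invalid TARGET resource Requested. Target=f04acd13-f761-4376-942a-2355b85974f5.]
[AssertionConsumer.java][getRealmForTarget][Transaction with ID: 9c97d86a-c975bae9-36fda387-8847b514-92f625c3-c failed. Reason: ACS_INVALID_TARGET]
"""

TARGET_RE = re.compile(r"\[validateTarget\]\[Invalid TARGET resource Requested\. Target=(.+)\.\]")
FAIL_RE = re.compile(r"Transaction with ID: (\S+) failed\. Reason: ACS_INVALID_TARGET")


def is_absolute_url(value):
    """Assumption: a usable target is an absolute http(s) URL with a host."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_invalid_targets(log_text):
    """Pair each rejected target with the transaction ID that failed after it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = FAIL_RE.search(line)
        if m:
            findings.append({"transaction": m.group(1), "target": pending,
                             "target_is_url": bool(pending) and is_absolute_url(pending)})
            pending = None
    return findings


def build_authn_request_url(base, provider_id, relay_state):
    """Build the SP-initiated URL, refusing a RelayState that is not a URL."""
    if not is_absolute_url(relay_state):
        raise ValueError(f"RelayState is not an absolute URL: {relay_state!r}")
    # Percent-encode every reserved character so the URL survives as one parameter.
    return (f"{base}?ProviderID={quote(provider_id, safe='')}"
            f"&RelayState={quote(relay_state, safe='')}")
```

Pass the decoded RelayState to build_authn_request_url; a value such as the ss:mem:... string from this scenario is rejected before any SAMLRequest is generated.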