Is RelayState part of signature verification?


Article ID: 36604


Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- AXIOMATICS POLICY SERVER
- CA Single Sign On SOA Security Manager (SiteMinder)
- CA Single Sign-On

Issue/Introduction



Is RelayState part of signature verification?

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution

RelayState is indeed part of signature verification.

Signature verification of the AuthnRequest at the IdP will fail if the RelayState value is changed in any way.

For example:

* Uppercase and lowercase changes.
* URL encoding and decoding differences.
* A change in the RelayState value itself.
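
The three failure cases above, as an added example that is not CA or SiteMinder code. It assumes the SAML HTTP-Redirect binding, where the signature is computed over the string `SAMLRequest=value&RelayState=value&SigAlg=value` built from the URL-encoded values exactly as sent. HMAC-SHA256 with a constructed key stands in for the RSA-SHA256 signature, the signature is hex rather than base64, and all function names, URLs and the request value are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

DEMO_KEY = b"constructed-demo-key"   # stand-in for the SP signing key (assumption)
SIG_ALG = quote("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", safe="")

def signed_octets(saml_request, relay_state, sig_alg):
    """Signed string: raw URL-encoded values, fixed order, RelayState only if present."""
    parts = ["SAMLRequest=" + saml_request]
    if relay_state is not None:
        parts.append("RelayState=" + relay_state)
    parts.append("SigAlg=" + sig_alg)
    return "&".join(parts).encode("ascii")

def sign(octets):
    # HMAC-SHA256 stands in for RSA-SHA256 so the example needs no third-party package
    return hmac.new(DEMO_KEY, octets, hashlib.sha256).hexdigest()

def raw_params(query):
    """Split the query WITHOUT URL-decoding, so values keep their on-the-wire bytes."""
    return dict(pair.split("=", 1) for pair in query.split("&"))

def build_query(saml_request, relay_state):
    sig = sign(signed_octets(saml_request, relay_state, SIG_ALG))
    return f"SAMLRequest={saml_request}&RelayState={relay_state}&SigAlg={SIG_ALG}&Signature={sig}"

def verify(query):
    p = raw_params(query)
    expected = sign(signed_octets(p["SAMLRequest"], p.get("RelayState"), p["SigAlg"]))
    return hmac.compare_digest(expected, p["Signature"])

def with_relay_state(query, relay_state):
    """Return the query with only the RelayState value swapped (signature left as sent)."""
    p = raw_params(query)
    p["RelayState"] = relay_state
    return "&".join(f"{k}={v}" for k, v in p.items())

def demo():
    sent = quote("https://sp.example.com/App?id=1", safe="")   # constructed RelayState
    query = build_query("CONSTRUCTED_DEFLATED_BASE64_AUTHNREQUEST", sent)
    return {
        "unchanged": verify(query),
        "case_changed": verify(with_relay_state(query, sent.lower())),
        "re_encoded": verify(with_relay_state(query, quote(unquote(sent), safe=":/"))),
        "value_changed": verify(with_relay_state(query, quote("https://sp.example.com/Other", safe=""))),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14} signature valid: {ok}")
```

The `re_encoded` case decodes to the same URL as the original, yet verification still fails because the signed bytes differ. When troubleshooting, compare the raw query string the SP sent with the one the IdP received.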

 

Additional Information

- http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (page 16, section 3.4.3 RelayState)