Relay State was getting truncated in SAML POST

Article ID: 37590

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Issue: 

When the customer accessed the SP-initiated URL without URL-encoding the RelayState parameter, the target arrived truncated, as shown below:

When the relay state is: https://sp.ca.com/test?pageCd=test_page

The target arrives as: https://sp.ca.com/test?pageCd (truncated), which results in a 404 error.

Environment:  

Federation versions from R12 through R12.52

Cause: 

The SAML affiliate submits a request that includes a RelayState parameter to the SAML 2.0 assertion producer. When saml2sso is called, the RelayState parameter is intact. When affiliate services generates the POST parameters to send to the assertion consumer, the RelayState parameter is truncated.

Resolution:

The SAML 2.0 specification says, "If RelayState data is to accompany the SAML protocol message, it MUST be URL-encoded and placed in an additional query string parameter named RelayState." URL-encoding the RelayState value solves this issue, and the RelayState is no longer truncated.

The following tool can help with URL-encoding the RelayState URL:

http://meyerweb.com/eric/tools/dencoder/

RelayState:

Specifies the target at the Service Provider. You can use the RelayState query parameter to indicate the target destination, but this method is optional. Instead, you can specify the target configured in the SAML 2.0 authentication scheme. The authentication scheme also has an option to override the target with the RelayState query parameter.

URL-encode the RelayState value.

Example:

http://www.spdemo.com:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo&RelayState=http%3A%2F%2Fwww.spdemo.com%2Fapps%2Fapp.jsp
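The following Python sketch is an added example, not code from the article or the product: it builds the SP-initiated URL with a percent-encoded RelayState and checks an existing URL for a RelayState that was left unencoded. The function names are hypothetical, and the `&lang=en` sample is constructed to show how a standard query-string parser (not the product's own parser) loses part of an unencoded target.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Endpoint and ProviderID are taken from the article's example.
ENDPOINT = "http://www.spdemo.com:81/affwebservices/public/saml2authnrequest"
PROVIDER_ID = "idp.demo"

def build_sp_initiated_url(endpoint, provider_id, relay_state):
    """Return the SP-initiated URL with RelayState percent-encoded."""
    # safe="" encodes every reserved character, including : / ? = and &
    return (f"{endpoint}?ProviderID={quote(provider_id, safe='')}"
            f"&RelayState={quote(relay_state, safe='')}")

def raw_relay_state(url):
    """Return RelayState exactly as it appears in the URL (not decoded)."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "RelayState":
            return value
    return None

def relay_state_is_encoded(url):
    """True when the raw RelayState contains no unescaped reserved characters."""
    raw = raw_relay_state(url)
    return raw is not None and not any(c in raw for c in ":/?=&#")

def decoded_relay_state(url):
    """Return RelayState as a standard query-string parser would deliver it."""
    return dict(parse_qsl(urlsplit(url).query)).get("RelayState")

if __name__ == "__main__":
    target = "https://sp.ca.com/test?pageCd=test_page"  # target from the article
    good = build_sp_initiated_url(ENDPOINT, PROVIDER_ID, target)
    print(good, relay_state_is_encoded(good), decoded_relay_state(good))

    # Constructed sample: unencoded target with a second parameter appended.
    bad = f"{ENDPOINT}?ProviderID={PROVIDER_ID}&RelayState={target}&lang=en"
    print(relay_state_is_encoded(bad), decoded_relay_state(bad))
```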

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus