ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Relay State was getting truncated in SAML POST in SPS and WAOP
Article ID: 37590
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER
CA Single Sign On Federation (SiteMinder)
Issue/Introduction
When accessing the SP initiated URL with the relay state without
encoding the relay state parameter, the browser gets the target like
below:
When the relay state is:
https://sp.ca.com/test?pageCd=test_page
Target is coming as:
https://sp.ca.com/test?pageCd
after truncation and in result getting 404 error.
Cause
SAML affiliate is submitting a request to SAML 2.0 assertion producer
that includes a Relay State parameter. When saml2sso is called, the
Relay State parameter is intact. When affiliate services generate POST
parameters to send to the assertion consumer, the Relay State
parameter is getting truncated.
Environment
Federation all versions;
Resolution
SAML 2.0 specification mentions it should be URL-encoded (1), as the
Siteminder documentation too (2).
The following link might help in encoding the relay state URL (3).
Additional Information
(1)
Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0
If RelayState data is to accompany the SAML protocol message, it
MUST be URL-encoded and placed in an additional query string
parameter named RelayState.
(2)
RelayState
Indicates the URL of the target resource at the Service
Provider. By including this query parameter, it tells the IdP to
redirect the user the appropriate resource at the Service
Provider. This query parameter can be used in place of
specifying a target URL when configuring single sign-on. The
RelayState query parameter name is case-sensitive, and the value
must be URL-encoded.
(3)
Feedback
Yes
No
Powered by
