
Relay State was getting truncated in SAML POST in SPS and WAOP


Article ID: 37590


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When the SP-initiated URL is accessed with a relay state parameter
that is not URL-encoded, the browser receives a truncated target, as
shown below.

When the relay state is:

  https://sp.ca.com/test?pageCd=test_page

the target arrives as:

  https://sp.ca.com/test?pageCd

Because of the truncation, the request results in a 404 error.

 

Cause

 

A SAML affiliate submits a request to the SAML 2.0 assertion producer
that includes a Relay State parameter. When saml2sso is called, the
Relay State parameter is intact. When the affiliate services generate
the POST parameters to send to the assertion consumer, the Relay State
parameter is truncated.

 

Environment

 

Federation: all versions

 

Resolution

 

The SAML 2.0 specification states that the relay state should be
URL-encoded (1), as does the SiteMinder documentation (2).

The following link might help with encoding the relay state URL (3).
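
The encoding can also be done and checked in code before a link is published. The following is an added example, not code from the product or its documentation: it builds an SSO URL with a fully percent-encoded RelayState and flags URLs whose RelayState still contains raw reserved characters. The endpoint `https://sp.example.com/sso/start` and all function names are hypothetical.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# A correctly encoded value contains only RFC 3986 unreserved characters
# and %XX escapes; a raw ':', '/', '?', '=' or '&' means it was not encoded.
_ENCODED_VALUE = re.compile(r"(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})+")


def build_sso_url(sso_endpoint: str, target_url: str) -> str:
    """Append target_url as a fully percent-encoded RelayState parameter."""
    separator = "&" if "?" in sso_endpoint else "?"
    return f"{sso_endpoint}{separator}RelayState={quote(target_url, safe='')}"


def raw_relay_state(url: str):
    """Return the RelayState value as sent on the wire (undecoded), or None.

    The parameter name is matched case-sensitively, as the documentation requires.
    """
    for pair in urlsplit(url).query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name == "RelayState":
            return value
    return None


def relay_state_is_encoded(url: str) -> bool:
    """True only if RelayState is present and has no raw reserved characters."""
    value = raw_relay_state(url)
    return value is not None and _ENCODED_VALUE.fullmatch(value) is not None


if __name__ == "__main__":
    endpoint = "https://sp.example.com/sso/start"        # hypothetical endpoint
    target = "https://sp.ca.com/test?pageCd=test_page"   # relay state from the article
    bad = f"{endpoint}?RelayState={target}"              # unencoded, as in the issue
    good = build_sso_url(endpoint, target)
    for url in (bad, good):
        print(relay_state_is_encoded(url), url)
    # Decoding the encoded value restores the full target, '=test_page' included.
    print(unquote(raw_relay_state(good)) == target)
```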

 

Additional Information

 

(1)

    Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0

      If RelayState data is to accompany the SAML protocol message, it
      MUST be URL-encoded and placed in an additional query string
      parameter named RelayState.
  

(2)
    

    RelayState

      Indicates the URL of the target resource at the Service
      Provider. By including this query parameter, it tells the IdP to
      redirect the user to the appropriate resource at the Service
      Provider. This query parameter can be used in place of
      specifying a target URL when configuring single sign-on. The
      RelayState query parameter name is case-sensitive, and the value
      must be URL-encoded.

  
(3)

    URL Decoder/Encoder