Relay State Overrides Target - ignored in WSFED

Article ID: 7979

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

We have implemented a WSFED partnership with the Relay State Overrides Target feature enabled. CA SSO is the local RP (Resource Provider) while ADFS is the remote IP (Identity/Account Provider).

It works very well with a fixed target URL.

However, RelayState is ignored and the user always finishes on the target specified in the partnership configuration.

How can we correctly configure the "Relay State Overrides Target" feature in a WSFED partnership?

Cause

Relay State Overrides Target is only supported with SAML 2.0.

The WSFED RP-to-IP (Relying Party to Identity Provider) partnership does not support the RP entity with the SAML 2.0 token type.

WSFED RP Entity with SAML 2.0 Token Type Not Supported (167916)

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/PDF/siteminder_fed_release_enu.pdf (page 27)

Environment

CA SSO 12.52SP1 CR00 PS on Linux RH 6.8 x64

CA Access Gateway 12.52 CR07 on Linux RH 6.8 x64

Resolution

To use the Relay State Overrides Target feature, you will have to configure a SAML 2.0 partnership.

Relay State Overrides Target (SAML 2.0 only)

(Optional) Replaces the target field value with the Relay State query parameter value in the request that initiates single sign-on. By selecting this option, you have more control over the target because using the Relay State query parameter lets you dynamically define the target.
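
The target selection described above, modelled as an added example (this is not CA SSO code): a WSFED partnership always uses the configured target, while a SAML 2.0 partnership with the option enabled takes the target from the RelayState query parameter. `Partnership`, `resolve_target`, `is_safe_target` and `allowed_hosts` are hypothetical names, and the host allowlist is an assumption of this example, included because a dynamic target comes from the request and should only be honoured for known destinations.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Partnership:
    protocol: str                       # "saml2" or "wsfed"
    target: str                         # fixed target from the partnership configuration
    relay_state_overrides_target: bool  # the option discussed in this article
    allowed_hosts: frozenset            # assumption: hosts a dynamic target may use


def is_safe_target(url: str, allowed_hosts: frozenset) -> bool:
    """Accept only absolute https URLs on an allowlisted host, without userinfo."""
    if any(ch in url for ch in "\\\r\n\t"):
        return False  # characters that browsers and parsers interpret differently
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return (parts.scheme == "https"
            and parts.username is None and parts.password is None
            and parts.hostname in allowed_hosts)


def resolve_target(p: Partnership, query_string: str) -> str:
    """Return the URL the user lands on after single sign-on."""
    # WSFED partnerships, and SAML 2.0 ones with the option off, use the fixed target.
    if p.protocol != "saml2" or not p.relay_state_overrides_target:
        return p.target
    values = parse_qs(query_string).get("RelayState", [])
    if len(values) != 1:  # missing or duplicated parameter
        return p.target
    return values[0] if is_safe_target(values[0], p.allowed_hosts) else p.target


# Constructed sample data (not taken from a real deployment).
HOSTS = frozenset({"app.example.com"})
FIXED = "https://app.example.com/home"
SAML2 = Partnership("saml2", FIXED, True, HOSTS)
WSFED = Partnership("wsfed", FIXED, True, HOSTS)
QUERY = "RelayState=https%3A%2F%2Fapp.example.com%2Freports"

if __name__ == "__main__":
    print(resolve_target(WSFED, QUERY))  # fixed target: RelayState is ignored
    print(resolve_target(SAML2, QUERY))  # dynamic target from RelayState
```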

Additional Information

https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/using/administrative-ui-help/federation-partnerships-reference/application-integration-relying-party