Layer7 Access Management

Expand all | Collapse all

RelayState parameter truncated

Jump to Best Answer
  • 1.  RelayState parameter truncated

    Posted 09-03-2016 06:11 AM

    we have a customer who is using the relay state to pass the target location where they want to land on the target application but the URL which i see on our fed logs shows the URL is incomplete and they end up on a different page 

     

     

    before posting to our ACS location it shows entire URL on SAML tracer

    http://saml.cummins.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=ca.ondemand.saml.20.post.CumminsIT-prod&RelayState=https://ondemand.ca.com/fedsso?targetUrl=https://cppm9092.ondemand.ca.com/niku/app?action=itl.riskObject&odf_pk=5015064&id=5011042&ui.page.space=mainnav.work&tenantId=clarity&returnUrl=https://access.cummins.com&lang=EN&cntry=US HTTP/1.1

    but the parameter which we see in our logs is as below 

    RelayState: https://ondemand.ca.com/fedsso?targetUrl=https://cppm9092.ondemand.ca.com/niku/app?action=itl.riskObject

    Any suggestions on this


  • 2.  Re: RelayState parameter truncated
    Best Answer

    Posted 09-04-2016 10:54 PM

    Hi Anil,

     

    The truncation might due to the ampersand within the RelayState URL. URL encode the RelayState value should resolves the issue, example:

     

    RelayState=https%3A%2F%2Fondemand.ca.com%2Ffedsso%3FtargetUrl%3Dhttps%3A%2F%2Fcppm9092.ondemand.ca.com%2Fniku%2Fapp%3Faction%3Ditl.riskObject%26odf_pk%3D5015064%26id%3D5011042%26ui.page.space%3Dmainnav.work%26tenantId%3Dclarity%26returnUrl%3Dhttps%3A%2F%2Faccess.cummins.com%26lang%3DEN%26cntry%3DUS



  • 3.  Re: RelayState parameter truncated

    Posted 09-06-2016 04:04 AM
      |   view attached

    i have used the relay state url encoded but the customer (IDP) system  decodes the URL , Do we have any way we can restrict thiis decoding . attached file which we can use samltracer(firefox addon)  to see the flow

    Attachment(s)

    zip
    cumminsit.csv.zip   21K 1 version


  • 4.  Re: RelayState parameter truncated

    Posted 09-06-2016 07:31 PM

    Hi Anil,

     

     

    Maybe double-encode the RelayState URL?



  • 5.  Re: RelayState parameter truncated



  • 6.  Re: RelayState parameter truncated

    Posted 09-07-2016 06:32 PM

    Hi Anil,

     

    If IdP is Siteminder, there's no options to prohibit the encoding.

     

    The equal sign after RelayState does not need to be encoded. The RelayState URL value above is triple-encoded?

     

    What's the RelayState value returned after you POST the double-encoded RelayState URL value to IdP?



  • 7.  Re: RelayState parameter truncated

    Posted 09-13-2016 12:26 PM

    I would agree URL encode the RelayState value should resolves the issue. It is documented in TEC529287.

     

    Anil, you should double check your encoding as mentioned by others.  I also found an ACO parameter which may help, but it was designed for windows agent, you may try on any agent though.

     

    How to Allow the NTC to Encode URLs During Redirects to Protected Resources:

     

    DisableI18N

    Specifies how the Windows credential collector (NTC) processes the TARGET URL during authentication when the characters of the TARGET URL use HTTP encoding. When the value of this parameter is no, any characters in the URL are decoded during authentication. The decoded characters are used in the redirect to the TARGET resource. When the value of this parameter is yes, characters in the TARGET URL are not decoded during authentication. Any characters using HTTP encoding remain encoded before and after authentication.

     

    Default: No.



  • 8.  Re: RelayState parameter truncated

    Posted 09-04-2016 10:54 PM

    Hi,

     

    Please URL-encode the RelayState value.

    I hope this would help.

     

    Regards,

    Koichi



  • 9.  Re: RelayState parameter truncated

    Posted 09-08-2016 06:45 AM

    Did you try setting SecureURLs parameter to YES ?