Symantec Access Management

  • 1.  Proxy Rule Help

    Posted Aug 06, 2015 11:47 AM



    I have an SP who redirects to us with an extra query string. For example,


    instead of they redirect to


    When going to the first URL, my partnership works fine. When going to the second URL, my partnership throws a 403 as it says it can't find that SP.

    Is there any way in the proxy rule I can trim that second query string parameter?




  • 2.  Re: Proxy Rule Help

    Posted Aug 06, 2015 12:28 PM

    What version / component is this?


    I tried the scenario here on 12.52 SP1 Web Agent Option Pack (not SPS) and it didn't seem to throw any errors.


    EntityID of


    This works


    Non-standard parameters work as well but lose the query parameters on POST back


    Standard RelayState works too and is sent back with POST


    I'd really question why they're sending a non-standard SAML parameter in an IdP-initiated authentication... Should really only use what is properly supported (1) by SAML itself and (2) by both IdP and SP.


    The <Response> message is then placed within an HTML FORM as a hidden form control named SAMLResponse. If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP can be encoded into the form using a hidden form control named RelayState.

    I'm not aware of SAML allowing other parameters/values (?).

  • 3.  Re: Proxy Rule Help
    Best Answer

    Posted Aug 06, 2015 12:47 PM



    Thanks CBertagnolli


    It seems that parameter itself isn't causing the issue. They are also sending a SAMLRequest. That SAMLRequest seems to have an entityID with an & in it.


    When I change my entity ID to the same, it gets saved as &amp;


    So when the SAMLRequest rolls in, SM is not able to match the entity ID.


    Is there any way I can tell SM to ignore the SAMLRequest entirely?
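
Added example, not part of the original thread and not CA/Symantec code: a small diagnostic for the entity ID mismatch described in post 3. It decodes a SAMLRequest, reads the Issuer the way an XML parser does (so `&amp;` on the wire becomes `&`), and reports whether a configured entity ID matches as-is or only in its XML-escaped form. It assumes the HTTP-Redirect binding (raw DEFLATE plus base64, already URL-decoded); the entity ID, the sample request and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def encode_redirect(xml_text):
    """Raw DEFLATE + base64, as used by the HTTP-Redirect binding (before URL-encoding)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(param):
    """Inverse of encode_redirect: base64-decode, then inflate a raw DEFLATE stream."""
    return zlib.decompress(base64.b64decode(param), -15).decode()

def issuer_of(xml_text):
    """Issuer value after XML parsing, i.e. with entities such as &amp; resolved."""
    node = ET.fromstring(xml_text).find("saml:Issuer", SAML_NS)
    return node.text.strip() if node is not None and node.text else None

def diagnose(param, configured_id):
    """Compare the request's Issuer with the entity ID string held in configuration."""
    issuer = issuer_of(decode_redirect(param))
    return {
        "issuer": issuer,
        # Exact match on the parsed value: what a correct comparison needs.
        "match": issuer == configured_id,
        # True when the configured string holds the escaped text (literal "&amp;").
        "escaped_match": issuer is not None and escape(issuer) == configured_id,
    }

# Constructed sample: an entity ID containing '&', serialized correctly as '&amp;'.
ENTITY_ID = "https://sp.example.com/saml?tenant=1&app=2"
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2015-08-06T12:00:00Z">'
    "<saml:Issuer>" + escape(ENTITY_ID) + "</saml:Issuer></samlp:AuthnRequest>"
)
SAMPLE_PARAM = encode_redirect(SAMPLE_XML)

if __name__ == "__main__":
    print(diagnose(SAMPLE_PARAM, ENTITY_ID))          # configured with a literal '&'
    print(diagnose(SAMPLE_PARAM, escape(ENTITY_ID)))  # configured text contains '&amp;'
```

If `escaped_match` is true while `match` is false, the configured string carries the escaped text rather than the parsed value, which is the kind of mismatch post 3 describes.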