Symantec Access Management

  • 1.  Proxy Rule Help

    Posted Aug 06, 2015 11:47 AM

    Hi,

     

    I have an SP who redirects to us with an extra query string. For example,

     

    instead of https://sso.company.com/affwebservices/public/saml2sso?SPID=https://sp.company.com they redirect to

     

    https://sso.company.com/affwebservices/public/saml2sso?SPID=https://sp.company.com&externalSite=true


    When going to the first URL, my partnership works fine. When going to the second URL, my partnership throws a 403 as it says it can't find that SP.


    Is there any way in the proxy rule, I can trim that second query string parameter?

     

    Regards,

    Anand.



  • 2.  Re: Proxy Rule Help

    Posted Aug 06, 2015 12:28 PM

    What version / component is this?

     

    I tried the scenario here on 12.52 SP1 Web Agent Option Pack (not SPS) and it didn't seem to throw any errors.

     

    EntityID of https://mysp.somedomain.com

     

    This works

    https://myidp.somedomain.com/affwebservices/public/saml2sso?SPID=https://mysp.somedomain.com

     

    Non-standard parameters work as well but lose the query parameters on POST back

    https://myidp.somedomain.com/affwebservices/public/saml2sso?SPID=https://mysp.somedomain.com&testQuery=one&anotherTest=yetanother

     

    Standard RelayState works too and is sent back with POST

    https://myidp.somedomain.com/affwebservices/public/saml2sso?SPID=https://mysp.somedomain.com&RelayState=myrelay

     

    I'd really question why they're sending non-standard SAML parameters in an IdP-initiated authentication... Should really only use what is properly supported (1) by SAML itself and (2) by both IdP and SP.

     

    -----------
    The <Response> message is then placed within an HTML FORM as a hidden form control named SAMLResponse. If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP can be encoded into the form using a hidden form control named RelayState.
    -----------


    I'm not aware of SAML allowing other parameters/values (?).



  • 3.  Re: Proxy Rule Help
    Best Answer

    Posted Aug 06, 2015 12:47 PM

    Hi,

     

    Thanks CBertagnolli

     

    It seems that parameter itself isn't causing the issue. They are also sending a SAMLRequest. That SAMLRequest seems to have an entityID with an & in it.

     

    When I change my entity ID to the same, it gets saved as &amp;

     

    So when the SAMLRequest rolls in, SM is not able to match the entity ID.

     

    Is there any way I can tell SM to ignore the SAMLRequest entirely?


    Regards,

    Anand.