I have an SP who redirects to us with an extra query string. For example,
instead of https://sso.company.com/affwebservices/public/saml2sso?SPID=https://sp.company.com they redirect to
When going to the first URL, my partnership works fine. When going to the second URL, my partnership throws a 403 as it says it can't find that SP.
Is there any way in the proxy rule that I can trim that second query string parameter?
What version / component is this?
I tried the scenario here on 12.52 SP1 Web Agent Option Pack (not SPS) and it didn't seem to throw any errors.
EntityID of https://mysp.somedomain.com
Non-standard parameters work as well but lose the query parameters on POST back
Standard RelayState works too and is sent back with POST
I'd really question why they're sending a non-standard SAML parameter in an IdP-initiated authentication... Should really only use what is properly supported (1) by SAML itself and (2) by both IdP and SP.
-----------The <Response> message is then placed within an HTML FORM as a hidden form control named SAMLResponse. If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP can be encoded into the form using a hidden form control named RelayState.-----------
I'm not aware of SAML allowing other parameters/values (?).
It seems that parameter itself isn't causing the issue. They are also sending a SAMLRequest. That SAMLRequest seems to have an entityID with an & in it.
When I change my entity ID to the same, it gets saved as &
So when the SAMLRequest rolls in, SM is not able to match the entity ID.
Is there any way I can tell SM to ignore the SAMLRequest entirely?
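One way to check which entity ID the SAMLRequest really carries, and whether the mismatch is only XML escaping of the `&`, added here as an example and not part of the thread. The URL, the issuer value and the function names are constructed; that the stored entity ID is an XML-escaped form is an assumption.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode
from xml.sax.saxutils import unescape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest; inside XML the "&" of the entity ID is written "&amp;".
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<saml:Issuer>https://sp.example.com/saml?tenant=a&amp;env=b</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def build_redirect_url(xml_text, sso_url="https://idp.example.com/sso"):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml_text.encode("utf-8")) + c.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return sso_url + "?" + urlencode({"SAMLRequest": b64})

def issuer_from_url(url):
    """Return the Issuer (SP entity ID) carried in a redirect URL's SAMLRequest."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    xml_bytes = zlib.decompress(base64.b64decode(value), -15)
    # Constructed input here; parse real traffic with a hardened XML parser.
    issuer = ET.fromstring(xml_bytes).find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise ValueError("SAMLRequest has no Issuer")
    return issuer.text.strip()

def compare(issuer, configured):
    """Return (exact match, match once the configured value is XML-unescaped)."""
    return issuer == configured, issuer == unescape(configured)

if __name__ == "__main__":
    issuer = issuer_from_url(build_redirect_url(SAMPLE_XML))
    stored = "https://sp.example.com/saml?tenant=a&amp;env=b"  # assumed stored form
    print("Issuer in request:", issuer)
    print("exact / after unescape:", compare(issuer, stored))
```

If the second value is true and the first is false, the two sides disagree only on escaping, not on the entity ID itself.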