I have installed CA Access Gateway (SPS) 12.7 and I am testing for the first time a Partnership Federation with Policy Server 12.7, so that CA Access Gateway (SPS) is acting as SAML2 IdP and myseconddomain http://www.myseconddomain.com/ is acting as SAML2 SP. Login pages are on the CA Access Gateway (SPS). When I start the login flow from sp.myseconddomain.com, the Authentication URL redirects properly to the login page, where both authentication and authorization are processed successfully and an SMSESSION is created. The problem occurs with redirect.jsp. When the browser goes to that redirect.jsp page, the browser doesn't get redirected back to the Federation Resource /affwebservices/public/saml2sso. I have configured the Authentication URL to https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp in the Partnership Federation Configuration. In CA Access Gateway (SPS), Federation has been enabled and the Authentication URL has been set to the default siteminderagent/redirectjsp there. The first login fails because of the redirect. On the second try, when an SMSESSION already exists, the login flow is successful. The SAML response is returned to the myseconddomain SP site.
From the flow, we see that the SMPORTALURL is encrypted:

https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=dasdSADDQdasDasDEASsDASda223qdasDSasewS%3&RelayState=cookie%3A1529414dsa4d45454&SMPORTALURL=KdleL33sa2slslaxxsldllewsa&SAMLTRANSACTIONID=e1e30973-c7df59c2-9dfds9ce-5rdd355e-7e9ww830-4f

Here we should see the SMPORTALURL value decrypted.
Disable the "Use Secure URL" option in the Partnership. With the option disabled, the SMPORTALURL value is only URL-encoded, so the Federation Service no longer redirects the browser to an encrypted target value.
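To confirm from a captured redirect.jsp URL whether SMPORTALURL is still an opaque (encrypted) value, the symptom above, or a plain URL-encoded target as expected after the option is disabled, here is an added Python check. It is not part of the KB article; the two sample URLs are constructed, and the requirement that the target be an https URL on the same gateway host is an assumption added as a defensive check.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample redirect.jsp URLs (not taken from the KB).
# With "Use Secure URL" enabled, SMPORTALURL arrives as an opaque blob.
SECURE_URL_SAMPLE = (
    "https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp"
    "?SAMLRequest=ZXhhbXBsZQ%3D%3D&RelayState=cookie%3Aabc123"
    "&SMPORTALURL=KdleL33sa2slslaxxsldllewsa&SAMLTRANSACTIONID=placeholder"
)
# With the option disabled, SMPORTALURL is only percent-encoded.
PLAIN_URL_SAMPLE = (
    "https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp"
    "?SAMLRequest=ZXhhbXBsZQ%3D%3D&RelayState=cookie%3Aabc123"
    "&SMPORTALURL=https%3A%2F%2FAGW.myfirstdomain.com%2Faffwebservices%2Fpublic%2Fsaml2sso"
    "&SAMLTRANSACTIONID=placeholder"
)


def smportalurl_target(redirect_url: str) -> Optional[str]:
    """Return the decoded SMPORTALURL when it is a usable redirect target, else None.

    None means the parameter is missing or still opaque, i.e. redirect.jsp has no
    plain URL to send the browser back to (the first-login failure described above).
    The same-host https requirement is an assumption, not a SiteMinder rule.
    """
    parts = urlsplit(redirect_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    values = params.get("SMPORTALURL")
    if not values:
        return None
    target = values[0]  # parse_qs has already percent-decoded the value
    tparts = urlsplit(target)
    # A plain-text value must be an absolute https URL on the gateway itself;
    # an encrypted blob has no scheme and fails this check.
    if tparts.scheme != "https" or tparts.netloc.lower() != parts.netloc.lower():
        return None
    return target


def diagnose(redirect_url: str) -> str:
    """Label a captured redirect.jsp URL for quick triage."""
    target = smportalurl_target(redirect_url)
    if target is None:
        return "SMPORTALURL opaque or missing: check the Use Secure URL option"
    return f"SMPORTALURL decodes to {target}"


if __name__ == "__main__":
    for sample in (SECURE_URL_SAMPLE, PLAIN_URL_SAMPLE):
        print(diagnose(sample))
```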
KB: KB000102821