Symantec Access Management

Expand all | Collapse all

Tech Tip : CA Single Sign-On : RelayState

  • 1.  Tech Tip : CA Single Sign-On : RelayState

    Posted 05-04-2018 04:37 AM

    Issue:


    We're running a Federation Partnership using SAML2 and HTTP POST, and
    when the application does the POST, the RelayState is lost when the
    user is being redirected to the backend application.

    Can you explain us why ? How can we solve this ?

     

    Environment:

     

    Policy Server 12.52SP1CR00 on Windows 2008R2;

     

    Cause:

     

    You aren't using a Session Store for the Partnership. As per the
    documentation, you do need to run one with the Policy Server

    As the requests are IdP initiated, the Session Store should be enabled
    on the IdP to be able to handle the requests using HTTP-POST:

    "Important! Before you configure the authentication request binding,
    enable the session store. For the IdP to handle an authentication
    request that is delivered using HTTP-POST binding, the IdP must store
    the request in the session store."

     

    Enable the HTTP-POST Binding at the IdP

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/saml-2-0-feature-configuration/saml-2-0-http-post-binding-configuration#SAML2.0HTTP-POSTBindingConfiguration-EnabletheHTTP-POSTBindingattheIdP

    Resolution:

     

    Implement a Session Store with the Policy Server to solve this issue;

     

    KB : KB000094704



  • 2.  Re: Tech Tip : CA Single Sign-On : RelayState

    Posted 05-07-2018 04:55 AM

    Hello Patrick-Dussault,

     

    You can mentioned "As the requests are IdP initiated, the Session Store should be enabled" , I suppose you mean when the request are SP Initiated and SP sends the Authn Request through Post ? Or i am missing something here?

     

    Thank You

    Ankur Taneja



  • 3.  Re: Tech Tip : CA Single Sign-On : RelayState

    Posted 05-07-2018 05:03 AM

    Hi Ankur,

     

    Indeed, HTTP POST binding will start at SP side. Then the session store should be enabled at IdP side to store the request.

     

    Hope this bring precision

     

    Patrick