Issue:
When protecting Federation Services with CA Access Gateway (SPS), when I try to pass the relay state value to the backend Federation Services, the value I wish to pass gets the whole query parameter, including the leading ? mark. I'd like to know how to achieve this.

I've configured the rule this way:

    <nete:cond type="uri" criteria="beginswith">
      <nete:case value="/myapp.html?">
        <nete:forward>http://idp.myidpdomain.com/affwebservices/public/saml2sso?SPID=sp.myspdomain&amp;ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&amp;Relaystate=$1</nete:forward>
      </nete:case>
    </nete:cond>

and when I access the following URL:

    https://idp.myidpdomain.com/myapp.html?<RelaystateURL>

then the RelayState value looks like this:

    RelayState = ?https://sp.myspdomain.com/saml/login/geyYSb5/Q1TH1b8zgwxa

I want to have the leading "?" removed.
Resolution:
Configure the rule with a regular-expression condition (nete:xprcond) so that the capture group starts after the ? character. $1 then holds only the text that follows the ?, and the leading ? is no longer part of the RelayState value. Requests that do not match the expression fall through to nete:xpr-default and are forwarded without a RelayState parameter.

    <nete:case value="/myapp.html">
      <nete:xprcond>
        <nete:xpr>
          <nete:rule>^/myapp.html\?(.*)</nete:rule>
          <nete:result>http://idp.myidpdomain.com/affwebservices/public/saml2sso?SPID=sp.myspdomain&amp;ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&amp;RelayState=$1</nete:result>
        </nete:xpr>
        <nete:xpr-default>
          <nete:forward>http://idp.myidpdomain.com/affwebservices/public/saml2sso?SPID=sp.myspdomain&amp;ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</nete:forward>
        </nete:xpr-default>
      </nete:xprcond>
    </nete:case>
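
Added example (not part of the original KB article and not CA's code): a small Python model of the regex rule above that shows which RelayState value the backend receives for a few constructed request URIs. It assumes the gateway substitutes $1 verbatim and that Python's `re` treats this pattern the same way the gateway's regex engine does; `forward_target` and `relay_state_seen_by_backend` are hypothetical names.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Rule and result copied from the proxy rule on this page ("&amp;" decoded to "&").
RULE = r"^/myapp.html\?(.*)"
RESULT = ("http://idp.myidpdomain.com/affwebservices/public/saml2sso"
          "?SPID=sp.myspdomain"
          "&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          "&RelayState=$1")
# nete:xpr-default target: the same URL without the RelayState parameter.
DEFAULT = RESULT.rsplit("&RelayState=", 1)[0]


def forward_target(request_uri):
    """Model of the xprcond: use the rule if it matches, else xpr-default."""
    match = re.search(RULE, request_uri)
    if match is None:
        return DEFAULT
    # Assumption: $1 is replaced by capture group 1 with no re-encoding.
    return RESULT.replace("$1", match.group(1))


def relay_state_seen_by_backend(request_uri):
    """Parse the forwarded URL the way a query-string parser on the backend would."""
    query = urlsplit(forward_target(request_uri)).query
    values = parse_qs(query).get("RelayState")
    return values[0] if values else None


# Constructed sample inputs.
PAGE_SAMPLE = "/myapp.html?https://sp.myspdomain.com/saml/login/geyYSb5/Q1TH1b8zgwxa"
NESTED = "https://sp.myspdomain.com/app?a=1&b=2"   # RelayState with its own query
RAW = "/myapp.html?" + NESTED                      # sent unencoded
ENCODED = "/myapp.html?" + quote(NESTED, safe="")  # percent-encoded by the caller

if __name__ == "__main__":
    for uri in ("/myapp.html", PAGE_SAMPLE, RAW, ENCODED):
        print(uri, "->", relay_state_seen_by_backend(uri))
```

Under the verbatim-substitution assumption, a RelayState URL that carries its own query string reaches the backend cut at the first `&` unless the caller percent-encodes it.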
KB : KB000103226