Symantec Access Management

  • 1.  RelayState Parameter

    Posted Nov 04, 2014 03:44 PM

    We are working with a vendor to establish federation and they are the service provider for us.

    User hits the SP first and they are using redirect (not SAML AuthnRequest) to us with RelayState parameter in query string to do authentication.

     

    Problem happens when RelayState parameter has additional parameter with '&' in it. Can you suggest how we can solve that issue?

     

    RelayState is something like this

     

    /abc81/app/management/AMW_ActDetails.aspx?UserMode=0&ActivityId=123456

     

    Redirect Request looks something like below.

    /timc/affwebservices/redirectjsp/redirect.jsp?SPID=Vendor1&RelayState=%2fabc81%2fapp%2fmanagement%2fAMW_ActDetails.aspx%3fUserMode%3d0%26ActivityId%3d123456&SMPORTALURL=https%3A%2F%2Fsamlssoqa.xxxxxxxxxxxxxxxxxxxxxx2Fpublic%2Fsaml2sso 902 no-store text/html; charset=iso-8859-1 iexplore:14560

     

    After authentication is done, SiteMinder is not passing additional parameter (ActivityId=123456) as RelayState.

    We are using SiteMinder 12.0 SP3

     

    Any help is greatly appreciated.

     

    Thanks,

    Nitin



  • 2.  Re: RelayState Parameter

    Posted Nov 05, 2014 02:42 AM

    Hello,

     

    Did you try to encode the RelayState URL so the rest of the query string will not be ripped off?

     

    Hope it helps,

     

    Julien.



  • 3.  Re: RelayState Parameter

    Posted Nov 05, 2014 10:58 AM

    Hi Julien,

     

    Here is what I see in Fiddler trace header variable

     

    GET /jim/affwebservices/public/saml2sso?SPID=Vendor1&RelayState=%2fabc81%2fapp%2fmanagement%2fAMW_ActDetails.aspx%3fUserMode%3d0%26ActivityId%3d123456 HTTP/1.1

     

    You meant URL encoding, correct?

    Not sure if anything else is needed.

     

    Thanks,

    Nitin



  • 4.  Re: RelayState Parameter

    Posted Nov 05, 2014 08:02 AM

    Nitin

     

    Could you confirm this for me please...

     

    • Is the RelayState already encoded even before it reaches the IdP, i.e. SiteMinder?
    • Would you be able to paste the exact complete URL hosted on the SP side, not what is present in the AffWebServices log?

     

    Just another alternative

    • Is there a possibility of altering the URL?
    • i.e. instead of /abc81/app/management/AMW_ActDetails.aspx?UserMode=0&ActivityId=123456
    • use /0/12345/abc81/app/management/AMW_ActDetails.aspx.
    • Thus you don't have to worry about query parameters.
    • All URIs would be unique, and AMW_ActDetails.aspx knows that the values before /abc81/app/management/AMW_ActDetails.aspx mean something.

     

     

    Regards

     

    Hubert
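
The encoding question raised in this thread can be checked hop by hop. The following is an added example, not part of the original posts and not SiteMinder code: it parses the URLs posted above and shows how a hop that decodes RelayState and forwards it without re-encoding produces exactly the reported symptom. The function names and the `/next` hop are hypothetical.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Values copied from the thread; the /next hop below is hypothetical.
RELAY_STATE = "/abc81/app/management/AMW_ActDetails.aspx?UserMode=0&ActivityId=123456"
TRACE_URL = ("/jim/affwebservices/public/saml2sso?SPID=Vendor1&RelayState="
             "%2fabc81%2fapp%2fmanagement%2fAMW_ActDetails.aspx"
             "%3fUserMode%3d0%26ActivityId%3d123456")


def relay_state_of(url):
    """Parse the query string once, as the receiving server would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    relay = params.get("RelayState", [None])[0]
    return relay, sorted(k for k in params if k != "RelayState")


def forward(url, target_path, reencode):
    """Model a hop that reads RelayState and builds the next redirect URL."""
    params = parse_qs(urlsplit(url).query)
    spid, relay = params["SPID"][0], params["RelayState"][0]
    if reencode:
        return target_path + "?" + urlencode({"SPID": spid, "RelayState": relay})
    # Faulty variant: the decoded value is concatenated back in raw.
    return f"{target_path}?SPID={spid}&RelayState={relay}"


def diagnose(url, expected=RELAY_STATE):
    """Classify how RelayState arrives at this hop."""
    relay, others = relay_state_of(url)
    if relay == expected:
        return "intact", []
    if relay is not None and unquote(relay) == expected:
        return "double-encoded", []
    inner = set(parse_qs(urlsplit(expected).query))
    leaked = sorted(inner & set(others))
    return ("truncated", leaked) if leaked else ("mismatch", [])


if __name__ == "__main__":
    double = "/next?SPID=Vendor1&RelayState=" + quote(quote(RELAY_STATE, safe=""), safe="")
    for label, url in [("trace from post 3", TRACE_URL),
                       ("hop, re-encoded", forward(TRACE_URL, "/next", True)),
                       ("hop, raw concat", forward(TRACE_URL, "/next", False)),
                       ("encoded twice", double)]:
        print(f"{label:18} -> {diagnose(url)}")
```

A "truncated" result naming `ActivityId` means the inner `&` reached that hop unencoded, so the parameter was parsed as a sibling of RelayState instead of part of it.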