Symantec Access Management


Tech Tip : CA Single Sign-On : Relay State Overrides Target - ignored in WSFED 

Sep 08, 2017 11:34 AM

Issue:


We have implemented a WSFED partnership with the Relay State Overrides Target feature enabled. CA SSO is the local RP (Resource Provider) and ADFS is the remote IP (Identity/Account Provider).

It works very well with a fixed target URL.

However, RelayState is ignored and the user always ends up on the target specified in the partnership configuration.

How can we correctly configure the "Relay State Overrides Target" feature in a WSFED partnership?


Environment:

CA SSO 12.52SP1 CR00 PS on Linux RH 6.8 x64

CA Access Gateway 12.52 CR07 on Linux RH 6.8 x64



Cause:


Relay State Overrides Target is only supported with SAML 2.0.

The WSFED RP-to-IP (Relying Party to Identity Provider) partnership does not support the RP entity with the SAML 2.0 token type.

WSFED RP Entity with SAML 2.0 Token Type Not Supported (167916)

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/PDF/siteminder_fed_release_enu.pdf (page 27)



Resolution:


To use the Relay State Overrides Target feature, you must configure a SAML 2.0 partnership.

Relay State Overrides Target (SAML 2.0 only)


(Optional) Replaces the target field value with the Relay State query parameter value in the request that initiates single sign-on. By selecting this option, you have more control over the target because using the Relay State query parameter lets you dynamically define the target.
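
The target selection described above can be modelled in a few lines. This is an added example, not CA SSO code: the protocol labels, URLs and host allowlist are constructed for illustration, and the allowlist check on a request-supplied target is an assumption of the example rather than a documented product setting.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; not taken from any real partnership.
CONFIGURED_TARGET = "https://app.example.com/home"
ALLOWED_HOSTS = {"app.example.com", "reports.example.com"}


def is_allowed_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only absolute https URLs whose host is on the allowlist."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    return parts.scheme == "https" and host in allowed_hosts


def resolve_target(protocol, override_enabled, relay_state,
                   configured_target=CONFIGURED_TARGET):
    """Return (final_target, reason) for a completed single sign-on.

    protocol is "SAML2" or "WSFED" (labels chosen for this example).
    """
    # The override is SAML 2.0 only: in a WSFED partnership RelayState is
    # ignored and the user lands on the configured target.
    if protocol != "SAML2":
        return configured_target, "override not supported for protocol"
    if not override_enabled:
        return configured_target, "override disabled"
    if not relay_state:
        return configured_target, "no RelayState in request"
    # Assumption of this example: a target taken from a request parameter
    # is checked against an allowlist before it is used.
    if not is_allowed_target(relay_state):
        return configured_target, "RelayState rejected by allowlist"
    return relay_state, "RelayState overrides target"
```

The WSFED case returns the configured target regardless of RelayState, which matches the behaviour reported in the issue.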

Additional Information:


https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/using/administrative-ui-help/federation-partnerships-reference/application-integration-relying-party


KD : TEC1026294
