SP-Initiated SSO failure for complex relayStates

We have configured SAML 2.0 Federated SSO with Salesforce.com. The IdP setup is CA Federation Manager and LDAP.

The configuration works perfectly for IdP-initiated login and SP-initiated login with basic relayStates, such as /OpportunityID.

If we try to login with a relayState like /001Z000000TwB6y/e?retURL=%2F001Z000000TwB6y , for example, we receive a failure within the IdP. The signature is not validated and no SAML response is sent.

The internal employees believe that it has to do with double escaping of the relayState (e.g. the URL above is already escaped in the browser and as per SAML requests, it will encode the entire string 1 more time). They are saying that because some characters are single encoded and some are double encoded, Federation Manager does not know how to handle this. I disagree with this, because this is standard SP-initiated SSO (see Wikipedia). Also, the SFDC techs have tried this exact setup on another IdP with the same relayState and it works fine.

Any thoughts on what might be occurring?

Answer

It’s possible that the IDP is incorrectly encoding the URL, maybe pulling it out of a param which is URL decoded, and then not re-encoding as it is serialized. Result is parameters are likely getting dropped.

This kind of URL works fine with IDPs that handle encoding properly…

https://identity.my.salesforce.com/setup/forcecomHomepage.apexp?setupid=ForceCom&retURL=%2Fhome%2Fhome.jsp%3Fsdtd%3D1

Attribution
Source : Link , Question Author : tannershamrock , Answer Author : metadaddy

Leave a Comment