RelayState and Signature Verification Error

Blog Post created by SungHoon_Kim Employee on Jan 18, 2016


Is RelayState part of signature verification?



- SP Initiated Federation is resulting in Failed to Verify Signature.

- IDP Initiated Federation is working fine.

- Comparing the working and failing SP Initiated Federation appears to be change in the RelayState query parameter.





Is RelayState part of signature verification?



RelayState is indeed part of signature verification.

Signature Verification at the IDP will fail for the AuthnRequest if there is a change to the RelayState value.

For example,

     * Upper case and Lower case changes.

     * URL Encoding and decoding differences.

     * Change in the RelayState value itself.


Additional Information:

- #Page 16. #3.4.3 RelayState


** This article is now published as a KB article linked below.