SungHoon_Kim

RelayState and Signature Verification Error

Blog Post created by SungHoon_Kim Employee on Jan 18, 2016

Title:

Is RelayState part of signature verification?

 

Description:

- SP Initiated Federation results in a "Failed to Verify Signature" error.

- IDP Initiated Federation is working fine.

- Comparing the working and failing SP Initiated Federation requests, the difference appears to be a change in the RelayState query parameter.

 

-----------------------------------------------------

 

Question:

Is RelayState part of signature verification?

 

Answer:

RelayState is indeed part of signature verification.

Signature Verification at the IDP will fail for the AuthnRequest if there is a change to the RelayState value.

For example,

     * Upper case and Lower case changes.

     * URL Encoding and decoding differences.

     * Change in the RelayState value itself.
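
An added example (not part of the original post and not CA product code): per section 3.4.4.1 of the SAML bindings specification, the HTTP-Redirect signature is computed over the raw URL-encoded string `SAMLRequest=value&RelayState=value&SigAlg=value`, so this Python helper rebuilds those octets from the URL the SP sent and the URL the IDP received and names which of the three kinds of RelayState change occurred. The URLs, host names and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Parameter order fixed by the HTTP-Redirect binding (saml-bindings-2.0-os, 3.4.4.1).
SIGNED_ORDER = ("SAMLRequest", "RelayState", "SigAlg")

def raw_params(url):
    """Split the query string WITHOUT URL-decoding; the signature covers raw octets."""
    query = url.split("?", 1)[-1].split("#", 1)[0]
    return dict(pair.partition("=")[::2] for pair in query.split("&") if pair)

def signed_octets(url):
    """Rebuild the exact byte string the redirect signature is computed over."""
    p = raw_params(url)
    return "&".join(f"{k}={p[k]}" for k in SIGNED_ORDER if k in p).encode("ascii")

def classify(sent, received):
    """Name the kind of change between two raw parameter values."""
    if sent is None or received is None:
        return "missing on one side"
    if sent == received:
        return "identical"
    if unquote(sent) == unquote(received):
        return "URL-encoding differs"
    if unquote(sent).lower() == unquote(received).lower():
        return "letter case differs"
    return "value changed"

def diagnose(sent_url, received_url):
    """Per-parameter verdict for every parameter covered by the signature."""
    s, r = raw_params(sent_url), raw_params(received_url)
    return {k: classify(s.get(k), r.get(k)) for k in SIGNED_ORDER if k in s or k in r}

# Constructed sample values (not from a real deployment).
BASE = ("https://idp.example.com/sso?SAMLRequest=fZJBT8Mw&RelayState={}"
        "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
        "&Signature=AAAA")
SENT = BASE.format("https%3A%2F%2Fsp.example.com%2FApp")
RECEIVED = {
    "hex case": BASE.format("https%3a%2f%2fsp.example.com%2fApp"),
    "path case": BASE.format("https%3A%2F%2Fsp.example.com%2Fapp"),
    "rewritten": BASE.format("https%3A%2F%2Fsp.example.com%2FOther"),
}

if __name__ == "__main__":
    for label, url in RECEIVED.items():
        same = signed_octets(SENT) == signed_octets(url)
        print(label, diagnose(SENT, url)["RelayState"], "signed octets match:", same)
```

Any verdict other than "identical" means the signed octets differ, so verification fails even when the decoded RelayState looks the same.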

 

Additional Information:

- http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (page 16, section 3.4.3 RelayState)

 

** This article is now published as a KB article linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1247034.aspx
