Symantec Access Management

  • 1.  RelayState parameter truncated

    Posted Sep 03, 2016 06:11 AM

We have a customer who is using the RelayState to pass the target location where they want to land on the target application, but the URL which I see in our fed logs shows the URL is incomplete and they end up on a different page.

    Before posting to our ACS location it shows the entire URL in SAML tracer:

    http://saml.cummins.com/affwebservices/public/saml2sso?SMASSERTIONREF=QUERY&SPID=ca.ondemand.saml.20.post.CumminsIT-prod&RelayState=https://ondemand.ca.com/fedsso?targetUrl=https://cppm9092.ondemand.ca.com/niku/app?action=itl.riskObject&odf_pk=5015064&id=5011042&ui.page.space=mainnav.work&tenantId=clarity&returnUrl=https://access.cummins.com&lang=EN&cntry=US HTTP/1.1

but the parameter which we see in our logs is as below:

    RelayState: https://ondemand.ca.com/fedsso?targetUrl=https://cppm9092.ondemand.ca.com/niku/app?action=itl.riskObject

Any suggestions on this?


  • 2.  Re: RelayState parameter truncated
    Best Answer

    Posted Sep 04, 2016 10:54 PM

    Hi Anil,


    The truncation might be due to the ampersand within the RelayState URL. URL-encoding the RelayState value should resolve the issue, for example:


    RelayState=https%3A%2F%2Fondemand.ca.com%2Ffedsso%3FtargetUrl%3Dhttps%3A%2F%2Fcppm9092.ondemand.ca.com%2Fniku%2Fapp%3Faction%3Ditl.riskObject%26odf_pk%3D5015064%26id%3D5011042%26ui.page.space%3Dmainnav.work%26tenantId%3Dclarity%26returnUrl%3Dhttps%3A%2F%2Faccess.cummins.com%26lang%3DEN%26cntry%3DUS



  • 3.  Re: RelayState parameter truncated

    Posted Sep 06, 2016 04:04 AM

I have used the URL-encoded RelayState, but the customer (IdP) system decodes the URL. Do we have any way we can restrict this decoding? Attached is a file which we can use with SAML tracer (Firefox add-on) to see the flow.

    Attachment: cumminsit.csv.zip (21 KB)


  • 4.  Re: RelayState parameter truncated

    Posted Sep 06, 2016 07:31 PM

Hi Anil,

    Maybe double-encode the RelayState URL?




  • 6.  Re: RelayState parameter truncated

    Posted Sep 07, 2016 06:32 PM

Hi Anil,

    If the IdP is SiteMinder, there are no options to prohibit the encoding.

    The equal sign after RelayState does not need to be encoded. Is the RelayState URL value above triple-encoded?

    What's the RelayState value returned after you POST the double-encoded RelayState URL value to the IdP?
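As an added example (not code from the thread or from the product), the Python below reproduces the truncation from post 1 with a standard query parser, checks that a single URL-encoding pass yields exactly the RelayState value given in the best answer, and models the double-encoding suggested in posts 4 and 6 surviving one decode on the IdP side. The endpoint and RelayState URL are taken from the thread; the IdP decode step is an assumption about the behaviour described in post 3.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs

# Values taken from the thread (post 1).
SSO_ENDPOINT = "http://saml.cummins.com/affwebservices/public/saml2sso"
RELAY_STATE = (
    "https://ondemand.ca.com/fedsso?targetUrl="
    "https://cppm9092.ondemand.ca.com/niku/app?action=itl.riskObject"
    "&odf_pk=5015064&id=5011042&ui.page.space=mainnav.work"
    "&tenantId=clarity&returnUrl=https://access.cummins.com&lang=EN&cntry=US"
)


def encode_relay_state(value, passes=1):
    """Percent-encode the RelayState value `passes` times.
    safe="" encodes '/', ':', '?', '=' and '&' too, so the nested query
    can no longer be mistaken for parameters of the outer URL."""
    for _ in range(passes):
        value = quote(value, safe="")
    return value


def build_sso_url(relay_state, encode_passes=1):
    """Build the SSO request URL. encode_passes=0 reproduces the customer's raw
    request, 1 is the fix from the best answer, 2 is the double-encoding from
    posts 4 and 6 for an IdP that decodes the value once before forwarding it."""
    value = encode_relay_state(relay_state, encode_passes)
    return (f"{SSO_ENDPOINT}?SMASSERTIONREF=QUERY"
            f"&SPID=ca.ondemand.saml.20.post.CumminsIT-prod&RelayState={value}")


def relay_state_seen_by_server(url, idp_decode_passes=0):
    """The RelayState value a standard query parser hands the receiving side.
    parse_qs splits on '&' and decodes one level; idp_decode_passes models an
    IdP that decodes the value again before forwarding it (assumed, per post 3)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = params["RelayState"][0]
    for _ in range(idp_decode_passes):
        value = unquote(value)
    return value
```

With no encoding the parser stops at the first `&` of the nested query, which is exactly the value in the customer's logs.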



  • 7.  Re: RelayState parameter truncated

    Broadcom Employee
    Posted Sep 13, 2016 12:26 PM

I would agree that URL-encoding the RelayState value should resolve the issue. It is documented in TEC529287.

    Anil, you should double-check your encoding as mentioned by others. I also found an ACO parameter which may help, but it was designed for the Windows agent; you may try it on any agent though.

    How to Allow the NTC to Encode URLs During Redirects to Protected Resources:

    DisableI18N

    Specifies how the Windows credential collector (NTC) processes the TARGET URL during authentication when the characters of the TARGET URL use HTTP encoding. When the value of this parameter is no, any characters in the URL are decoded during authentication. The decoded characters are used in the redirect to the TARGET resource. When the value of this parameter is yes, characters in the TARGET URL are not decoded during authentication. Any characters using HTTP encoding remain encoded before and after authentication.

    Default: No.



  • 8.  Re: RelayState parameter truncated

    Broadcom Employee
    Posted Sep 04, 2016 10:54 PM

Hi,

    Please URL-encode the RelayState value.

    I hope this would help.

    Regards,

    Koichi



  • 9.  Re: RelayState parameter truncated

    Posted Sep 08, 2016 06:45 AM

Did you try setting the SecureURLs parameter to YES?