Issue:
We're running a Federation Partnership using SAML2 and HTTP POST, and
when the application does the POST, the RelayState is lost when the
user is being redirected to the backend application.
Can you explain to us why? How can we solve this?
Environment:
Policy Server 12.52SP1CR00 on Windows 2008R2;
Cause:
You aren't using a Session Store for the Partnership. As per the
documentation, you need to run one with the Policy Server.
As the requests are IdP initiated, the Session Store must be enabled
on the IdP so that it can handle requests that use the HTTP-POST binding:
"Important! Before you configure the authentication request binding,
enable the session store. For the IdP to handle an authentication
request that is delivered using HTTP-POST binding, the IdP must store
the request in the session store."
Enable the HTTP-POST Binding at the IdP
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/saml-2-0-feature-configuration/saml-2-0-http-post-binding-configuration#SAML2.0HTTP-POSTBindingConfiguration-EnabletheHTTP-POSTBindingattheIdP
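To illustrate why the IdP needs server-side state for the POST binding, here is an added Python sketch (not SiteMinder code; the dict `store` stands in for the Policy Server session store, and the AuthnRequest and form body are constructed samples): RelayState arrives as a plain form field next to the POSTed request, and it only reaches the response if the IdP persisted the request between the two legs of the flow.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Constructed sample AuthnRequest and HTTP-POST form body (not from the KB).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
)
FORM_BODY = urlencode({
    "SAMLRequest": base64.b64encode(AUTHN_REQUEST.encode()).decode(),
    "RelayState": "https://sp.example.test/app/page?id=7",
})


def parse_post_binding(body):
    """Decode a POST-binding form body. RelayState is a separate opaque form
    field, not part of the XML, so the IdP has to carry it along itself."""
    fields = parse_qs(body)
    root = ET.fromstring(base64.b64decode(fields["SAMLRequest"][0]))
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": fields.get("RelayState", [None])[0],
    }


def receive_authn_request(body, store):
    """First leg: the POSTed request arrives. Only its ID is carried through
    the redirect to the login page, so everything else must be persisted."""
    req = parse_post_binding(body)
    if store is not None:  # `store` models the Policy Server session store
        store[req["id"]] = req
    return req["id"]


def build_response(req_id, store):
    """Second leg: after login, rebuild the response from the stored request.
    With no store, RelayState (and the ACS URL) are simply gone."""
    req = store.get(req_id) if store is not None else None
    return {
        "InResponseTo": req_id,
        "Destination": req["acs_url"] if req else None,
        "RelayState": req["relay_state"] if req else None,
    }
```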
Resolution:
Implement a Session Store with the Policy Server to solve this issue;
KB: KB000094704