Symantec Access Management

Issue:

We're running a Federation Partnership using SAML2 and HTTP POST, and
when the application does the POST, the RelayState is lost when the
user is being redirected to the backend application.

Can you explain us why ? How can we solve this ?

Environment:

Policy Server 12.52SP1CR00 on Windows 2008R2;

Cause:

You aren't using a Session Store for the Partnership. As per the
documentation, you do need to run one with the Policy Server

As the requests are IdP initiated, the Session Store should be enabled
on the IdP to be able to handle the requests using HTTP-POST:

"Important! Before you configure the authentication request binding,
enable the session store. For the IdP to handle an authentication
request that is delivered using HTTP-POST binding, the IdP must store
the request in the session store."

Enable the HTTP-POST Binding at the IdP

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/partnership-federation/saml-2-0-feature-configuration/saml-2-0-http-post-binding-configuration#SAML2.0HTTP-POSTBindingConfiguration-EnabletheHTTP-POSTBindingattheIdP

Resolution:

Implement a Session Store with the Policy Server to solve this issue;

KB : KB000094704

Hello Patrick-Dussault,

You can mentioned "As the requests are IdP initiated, the Session Store should be enabled" , I suppose you mean when the request are SP Initiated and SP sends the Authn Request through Post ? Or i am missing something here?

Thank You

Ankur Taneja

Hi Ankur,

Indeed, HTTP POST binding will start at SP side. Then the session store should be enabled at IdP side to store the request.

Hope this bring precision

Patrick