
IDP Initiated SSO & TARGET Parameter


Hi All,

Happy New Year!

I have an issue with an IDP initiated SSO url, where I'm using the
"TARGET" parameter to include a relaystate value in the saml token
asserted to the Service Provider.

The issue I'm having is the TARGET relaystate value contains multiple
ampersand characters, and the information after the first ampersand is
always dropped;

Service Provider URL = http://tinyurl.com/gocusup

So the relaystate value in the saml token always ends up as
https://serviceprovider.com/value/value?RootNodeID=-1.

The complete URL I'm using for the IDP initiated SSO is as follows;

https://<<BASE-IDP_URL>>/nidp/app/login?id=<<CONTRACT>>&target=https%3A%2F%2F<<BASE-IDP-URL>>%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3D<<URL ENCODED HTTPS ENTITY ID VALUE>>%26TARGET%3Dhttps%3A%2F%2Fserviceprovider.com/value/value%3FRootNodeID=-1%26NodeID=186%26UserMode=0

I've had various attempts at using just the path of the resource instead
of the full url (ie,
/value/value%3FRootNodeID=-1%26NodeID=186%26UserMode=0), encoding the
forward slashes (%2F) and equal signs (%3D) and other attempts to get
this working, but the TARGET relaystate value always stops after the
first ampersand
(https://serviceprovider.com/value/value?RootNodeID=-1).

NAM version is 4.0.1-88 + HF1-93, HF2-107.

Is there something I'm missing?


--
gbatty1
------------------------------------------------------------------------
gbatty1's Profile: https://forums.netiq.com/member.php?userid=2072
View this thread: https://forums.netiq.com/showthread.php?t=55088


Re: IDP Initiated SSO & TARGET Parameter

gbatty1 wrote:

>
> Hi All,
>
> Happy New Year!
>
> I have an issue with an IDP initiated SSO url, where I'm using the
> "TARGET" parameter to include a relaystate value in the saml token
> asserted to the Service Provider.
>
> The issue I'm having is the TARGET relaystate value contains multiple
> ampersand characters, and the information after the first ampersand is
> always dropped;
>
> Service Provider URL = http://tinyurl.com/gocusup
>
> So the relaystate value in the saml token always ends up as
> https://serviceprovider.com/value/value?RootNodeID=-1.
>
> The complete URL I'm using for the IDP initiated SSO is as follows;
>
> https://<<BASE-IDP_URL>>/nidp/app/login?id=<<CONTRACT>>&target=https%3A%2F%2F<<BASE-IDP-URL>>%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3D<<URL ENCODED HTTPS ENTITY ID VALUE>>%26TARGET%3Dhttps%3A%2F%2Fserviceprovider.com/value/value%3FRootNodeID=-1%26NodeID=186%26UserMode=0
>
> I've had various attempts at using just the path of the resource
> instead of the full url (ie,
> /value/value%3FRootNodeID=-1%26NodeID=186%26UserMode=0), encoding the
> forward slashes (%2F) and equal signs (%3D) and other attempts to get
> this working, but the TARGET relaystate value always stops after the
> first ampersand
> (https://serviceprovider.com/value/value?RootNodeID=-1).
>
> NAM version is 4.0.1-88 + HF1-93, HF2-107.
>
> Is there something I'm missing?


OK, I just tried this on NAM 4.2 (sorry, don't have a 4.0 lab) and this
Intersite transfer service URL worked for me:

https://amc.site.com/nidp/saml2/idpsend?PID=sp1&TARGET=https://sp1.site.com/saml/sso?paramA%3D1%26paramB%3DB%26paramC%3DC

I encoded the query string but not the first ? that starts the query
string.

--
Cheers,
Edward
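As an added illustration (not code from this thread or from NetIQ), the script below builds the nested contract-login + Intersite Transfer Service URL with two encoding layers and simulates the two server-side decodes, showing why a relay target whose '&' is encoded only once is cut off at the first ampersand, as in the original post. It goes a little beyond the thread by adding a host allowlist check for the relay target, the check that the "allow any target" option skips. Hostnames, PID, contract name and the allowlist are constructed placeholders.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Constructed values for the example; hostnames, PID and contract are placeholders.
IDP = "https://amc.example.com"
PID = "https://sp1.example.com/saml/metadata"   # SP entity ID used as PID
CONTRACT = "contract1"
RELAY = "https://sp1.example.com/saml/sso?RootNodeID=-1&NodeID=186&UserMode=0"
ALLOWED_RELAY_HOSTS = {"sp1.example.com"}       # assumed allowlist of SP hosts

def its_url(pid, relay):
    """Intersite Transfer Service URL. The relay target's '&' and '=' are
    percent-encoded so they do not act as separators in idpsend's own query
    string; ':' '/' and the first '?' may stay literal (as in the reply above)."""
    return (f"{IDP}/nidp/saml2/idpsend?PID={quote(pid, safe='')}"
            f"&TARGET={quote(relay, safe=':/?')}")

def login_url(contract, its):
    """Contract login URL. The whole ITS URL is one parameter value, so it is
    encoded a second time: the relay's '&' appears as %2526 here."""
    return (f"{IDP}/nidp/app/login?id={quote(contract, safe='')}"
            f"&target={quote(its, safe='')}")

def login_url_single_encoded(contract, pid, relay):
    """The mistake from the thread: the relay's '&' is encoded only once, so the
    login handler's decode turns it into a separator for idpsend."""
    its = f"{IDP}/nidp/saml2/idpsend?PID={quote(pid, safe='')}&TARGET={relay}"
    return (f"{IDP}/nidp/app/login?id={quote(contract, safe='')}"
            f"&target={quote(its, safe='')}")

def relaystate_seen_by_sp(url):
    """Simulate the two server-side decodes: /nidp/app/login parses 'target',
    then idpsend parses 'TARGET' out of that value. Returns the RelayState
    that would end up with the SP."""
    outer = parse_qs(urlsplit(url).query, keep_blank_values=True)
    its = outer["target"][0]                  # decoded once by the login handler
    inner = parse_qs(urlsplit(its).query, keep_blank_values=True)
    return inner["TARGET"][0]                 # decoded again by idpsend

def relay_allowed(relay):
    """Defender's check instead of 'allow any target': accept only https relay
    targets on known SP hosts, so the ITS URL cannot redirect elsewhere."""
    p = urlsplit(relay)
    return p.scheme == "https" and p.hostname in ALLOWED_RELAY_HOSTS

if __name__ == "__main__":
    good = login_url(CONTRACT, its_url(PID, RELAY))
    bad = login_url_single_encoded(CONTRACT, PID, RELAY)
    print("double-encoded ->", relaystate_seen_by_sp(good))
    print("single-encoded ->", relaystate_seen_by_sp(bad))   # truncated at first '&'
```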

Re: IDP Initiated SSO & TARGET Parameter


Edward van der Maas;263938 Wrote:
> gbatty1 wrote:
>
> OK, I just tried this on NAM 4.2 (sorry, don't have a 4.0 lab) and this
> Intersite transfer service URL worked for me:
>
> http://tinyurl.com/zxhq52h.
> com/saml/sso?paramA%3D1%26paramB%3DB%26paramC%3DC
>
> I encoded the query string but not the first ? that starts the query
> string.
> --
> Cheers,
> Edward


Hi Edward,

Out of interest, can you try and use a particular authentication
contract, similar to how I am, and let me know if the relaystate is
passed as expected in NAM 4.2?


--
gbatty1


Re: IDP Initiated SSO & TARGET Parameter

gbatty1 wrote:

>
> Edward van der Maas;263938 Wrote:
> > gbatty1 wrote:
> >
> > OK, I just tried this on NAM 4.2 (sorry, don't have a 4.0 lab) and
> > this Intersite transfer service URL worked for me:
> >
> > http://tinyurl.com/zxhq52h.
> > com/saml/sso?paramA%3D1%26paramB%3DB%26paramC%3DC
> >
> > I encoded the query string but not the first ? that starts the query
> > string.
> > --
> > Cheers,
> > Edward

>
> Hi Edward,
>
> Out of interest, can you try and use a particular authentication
> contract, similar to how I am, and let me know if the relaystate is
> passed as expected in NAM 4.2?


Using a similar url as you are using:
https://amc.site.com/nidp/app/login?id=contract1&target%3Dhttps%3A%2F%2Famc.site.com%2Fnidp%2Fapp%2Fidpsend%3FPID%3Dsp1%26TARGET%3Dhttps%3A%2F%2Fsp1.site.com%2Fsaml%2Fsso%3FparamA%3D1%26paramB%3DB%26paramC%3DC

After authentication it doesn't get past the IDP. It just says my
session has been authenticated. The best way is to use the step-up
authentication.

--
Cheers,
Edward

Re: IDP Initiated SSO & TARGET Parameter


Edward van der Maas;264458 Wrote:
> gbatty1 wrote:
>
> >
> > Edward van der Maas;263938 Wrote:
> > > gbatty1 wrote:
> > >
> > > OK, I just tried this on NAM 4.2 (sorry, don't have a 4.0 lab) and
> > > this Intersite transfer service URL worked for me:
> > >
> > > http://tinyurl.com/zxhq52h.
> > > com/saml/sso?paramA%3D1%26paramB%3DB%26paramC%3DC
> > >
> > > I encoded the query string but not the first ? that starts the query
> > > string.
> > > --
> > > Cheers,
> > > Edward

> >
> > Hi Edward,
> >
> > Out of interest, can you try and use a particular authentication
> > contract, similar to how I am, and let me know if the relaystate is
> > passed as expected in NAM 4.2?

>
> Using a similar url as you are using:
> http://tinyurl.com/hqxzfal
> amc.site.com%2Fnidp%2Fapp%2Fidpsend%3FPID%3Dsp1%26TARGET%3Dhttps%3A%2F%2
> Fsp1.site.com%2Fsaml%2Fsso%3FparamA%3D1%26paramB%3DB%26paramC%3DC
>
> After authentication it doesn't get past the IDP. It just says my
> session has been authenticated. The best way is to use the step-up
> authentication.
>
> --
> Cheers,
> Edward



Just to close this off, using the step-up contract here worked
perfectly.


--
gbatty1


Re: IDP Initiated SSO & TARGET Parameter


gbatty1;263909 Wrote:
> Hi All,
>
> Happy New Year!
>
> I have an issue with an IDP initiated SSO url, where I'm using the
> "TARGET" parameter to include a relaystate value in the saml token
> asserted to the Service Provider.
>
> The issue I'm having is the TARGET relaystate value contains multiple
> ampersand characters, and the information after the first ampersand is
> always dropped;
>
> Service Provider URL = http://tinyurl.com/gocusup
>
> So the relaystate value in the saml token always ends up as
> https://serviceprovider.com/value/value?RootNodeID=-1.
>
> The complete URL I'm using for the IDP initiated SSO is as follows;
>
> https://<<BASE-IDP_URL>>/nidp/app/login?id=<<CONTRACT>>&target=https%3A%2F%2F<<BASE-IDP-URL>>%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3D<<URL ENCODED HTTPS ENTITY ID VALUE>>%26TARGET%3Dhttps%3A%2F%2Fserviceprovider.com/value/value%3FRootNodeID=-1%26NodeID=186%26UserMode=0
>
> I've had various attempts at using just the path of the resource instead
> of the full url (ie,
> /value/value%3FRootNodeID=-1%26NodeID=186%26UserMode=0), encoding the
> forward slashes (%2F) and equal signs (%3D) and other attempts to get
> this working, but the TARGET relaystate value always stops after the
> first ampersand
> (https://serviceprovider.com/value/value?RootNodeID=-1).
>
> NAM version is 4.0.1-88 + HF1-93, HF2-107.
>
> Is there something I'm missing?


Are you using the docs to construct the URL? I only ask because I went
through something similar, and the docs were wrong. I have in my notes
the URL format just like yours, but I believe that was either incorrect,
or there's something else you have to do.

I think NetIQ made a TID and/or coolsolutions for doing it "right" and I
think they finally fixed the docs for 4.2 (meaning I *think* the docs
for 4.2 have the correct syntax/structure, even though it should work
for 4.0.x as well).

What we ended up doing is using something like this, instead:

http://tinyurl.com/he6ufjw

The:
INTERSITETRANSFERTHINGY
is a name that you define in the Admin Console -> Identity Provider
cluster -> Edit -> SAML 2.0 tab -> Trusted Providers (select the one you
want to edit) -> Intersite Transfer Service tab/thingy.
There's a spot where you give it a name and put the URL in there.
I checked the box for "allow any target".


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322


Re: IDP Initiated SSO & TARGET Parameter


kjhurni;263950 Wrote:
>
>
> http://tinyurl.com/he6ufjw
>
>


You still have the problem when using the ITS URL as per the doco that
the OP is describing. When you define this as a target:
https://targetURL/saml/sso?paramA=1&paramB=2&paramC=3

The relayState then gets set to https://targetURL/saml/sso?paramA=1. For
whatever reason NAM is omitting/ignoring additional query string
parameters.


Cheers,
Edward


--
edmaa
------------------------------------------------------------------------
edmaa's Profile: https://forums.netiq.com/member.php?userid=1118
