IBM Security Verify

Hi,
 
We are trying to setup a federation between ISVA and AzureAD using Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD | Microsoft Docs.

In this scenario, ISVA act as IdP and AzureAD as SP.

During SP-Initiated connection, after the authentication with ISVA, we are redirected to AzureAD but the connection fail with a syntax error.

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid

After analyzing the logs, we notice that the RelayState attribute is modified by ISVA when returned to AzureAD.

Example:

From AzureAD(SP) SAML Request

RelayState: estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7

From ISVA(IDP) SAML Response

RelayState: estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7

The ampersand is modified from & to & most likely via HTML Encode.

This RelayState need to be returned unmodified as per SAML standard and we think that's might be the cause of the problem.

Obviously, we don't have access to modify AzureAD (SP) request to remove ampersand for example.

I found that post related to special character and Relaystate and I'm wondering if that could be related.

https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=1a65f2c6-7e11-44a8-8d6d-e68dddf79f13&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer#bm1a65f2c6-7e11-44a8-8d6d-e68dddf79f13

We are using ISVA 10.0.1.0

Hi,
 
We are trying to setup a federation between ISVA and AzureAD using Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD | Microsoft Docs.

In this scenario, ISVA act as IdP and AzureAD as SP.

During SP-Initiated connection, after the authentication with ISVA, we are redirected to AzureAD but the connection fail with a syntax error.

AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid

After analyzing the logs, we notice that the RelayState attribute is modified by ISVA when returned to AzureAD.

Example:

From AzureAD(SP) SAML Request

RelayState: estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7

From ISVA(IDP) SAML Response

RelayState: estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7

The ampersand is modified from & to & most likely via HTML Encode.

This RelayState need to be returned unmodified as per SAML standard and we think that's might be the cause of the problem.

Obviously, we don't have access to modify AzureAD (SP) request to remove ampersand for example.

I found that post related to special character and Relaystate and I'm wondering if that could be related.

https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=1a65f2c6-7e11-44a8-8d6d-e68dddf79f13&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer#bm1a65f2c6-7e11-44a8-8d6d-e68dddf79f13

We are using ISVA 10.0.1.0