Hi,
We are trying to set up a federation between ISVA and AzureAD using Federation with a SAML/WS-Fed identity provider (IdP) for B2B - Azure AD | Microsoft Docs.
In this scenario, ISVA acts as IdP and AzureAD as SP.
During an SP-initiated connection, after the authentication with ISVA, we are redirected to AzureAD but the connection fails with a syntax error:
AADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid
After analyzing the logs, we noticed that the RelayState attribute is modified by ISVA when it is returned to AzureAD.
Example:
From AzureAD(SP) SAML Request
RelayState: estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7
From ISVA(IDP) SAML Response
RelayState: estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7
The ampersand is modified from & to & most likely via HTML Encode.
This RelayState needs to be returned unmodified as per the SAML standard, and we think that might be the cause of the problem.
Obviously, we don't have access to modify the AzureAD (SP) request to remove the ampersand, for example.
I found this post related to special characters and RelayState and I'm wondering if it could be related:
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=1a65f2c6-7e11-44a8-8d6d-e68dddf79f13&CommunityKey=e7c36119-46d7-42f2-97a9-b44f0cc89c6d&tab=digestviewer#bm1a65f2c6-7e11-44a8-8d6d-e68dddf79f13
We are using ISVA 10.0.1.0.
------------------------------
Denis Rainville
------------------------------
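The symptom described in the post (an `&` in RelayState arriving at the SP as an HTML entity) is what you get when a value is HTML-escaped twice before being placed in the HTTP-POST binding form: escaping once is correct, because the browser decodes the attribute on submit, but escaping twice leaves the literal entity in the submitted parameter. The following is an added example, not code from the original post and not ISVA's or Azure AD's code; the ACS URL, the SAMLResponse value and the RelayState are constructed sample values, and the double-escaping builder is a hypothetical bug included only to show what the SP then receives. It also includes a small round-trip check an engineer can run over the request/response RelayState pair pulled from their own logs.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from a real deployment).
ACS_URL = "https://sp.example/acs"
SAML_RESPONSE_B64 = "Y29uc3RydWN0ZWQgc2FtcGxlIHJlc3BvbnNl"
RELAY_STATE = "estsredirect=2&estsrequest=rQIIAYWSvYvbZgDGLfvOvVxJcimldAghQwshQfIrv7JsGQrRWT7"


def build_post_binding_form(acs_url: str, saml_response_b64: str, relay_state: str) -> str:
    """Render the SAML HTTP-POST binding auto-submit form.

    Every attribute value is HTML-escaped exactly once. The browser decodes
    the entities when it submits the form, so the SP receives the original
    RelayState byte-for-byte, '&' included.
    """
    return (
        f'<form method="post" action="{html.escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" '
        f'value="{html.escape(saml_response_b64, quote=True)}"/>'
        f'<input type="hidden" name="RelayState" '
        f'value="{html.escape(relay_state, quote=True)}"/>'
        f"</form>"
    )


def build_post_binding_form_double_escaped(acs_url: str, saml_response_b64: str, relay_state: str) -> str:
    """Hypothetical bug: RelayState is escaped before being handed to the
    template, which escapes it again. After the browser decodes one level,
    the SP sees the literal text '&amp;' where the request had '&'."""
    pre_escaped = html.escape(relay_state, quote=True)
    return build_post_binding_form(acs_url, saml_response_b64, pre_escaped)


class _HiddenFieldCollector(HTMLParser):
    """Collect hidden inputs as a browser would submit them. HTMLParser
    unescapes attribute values, which mirrors what the browser does."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def submitted_fields(form_html: str) -> dict[str, str]:
    """Return the name -> value map the SP would receive from this form."""
    collector = _HiddenFieldCollector()
    collector.feed(form_html)
    return collector.fields


def diagnose_relay_state(sent: str, returned: str) -> str:
    """Compare the RelayState the SP sent in the AuthnRequest with the one
    it got back in the Response.

    'ok'                  -> returned unmodified, as the binding requires
    'html-entity-encoded' -> identical after one HTML unescape, i.e. the
                             IdP (or a proxy) double-encoded it
    'mismatch'            -> some other modification
    """
    if returned == sent:
        return "ok"
    if html.unescape(returned) == sent:
        return "html-entity-encoded"
    return "mismatch"


if __name__ == "__main__":
    good = submitted_fields(build_post_binding_form(ACS_URL, SAML_RESPONSE_B64, RELAY_STATE))
    bad = submitted_fields(build_post_binding_form_double_escaped(ACS_URL, SAML_RESPONSE_B64, RELAY_STATE))
    print("correct form  :", diagnose_relay_state(RELAY_STATE, good["RelayState"]))
    print("double-escaped:", diagnose_relay_state(RELAY_STATE, bad["RelayState"]))
```

To apply this to a real trace, paste the RelayState from the SP's AuthnRequest and the one from the IdP's Response into `diagnose_relay_state`; a result of `html-entity-encoded` points at an extra escaping step on the IdP side rather than at the SP's choice of characters.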