Relay state does not contain orginal URL cookie

former_member289943
Discoverer
0 Kudos

When I customized my identity provider for HANA Cloud SAML2 SSO and configured my trusted identity provider, I ran into a problem:

It responds with a document containing an XHTML form:

<form id="samlResponse" data-refreshParent="true"
      action="https://accounts.sap.com/saml2/sp/acs/ssocircle.com" method="post">
  <input type="text" name="SAMLResponse" id="SAMLResponse"
         value="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVV…" />
  <input type="text" name="RelayState"
         value='#Scfc5e9e3-a1de-42cf-ad43-2fb5fbce23b9-WwC3wSnsxWUt_bP0Xnuu.QmG14aE44WpfPpW3zdmmEo ' />
  <input type="submit" value="Continue" />
</form>

ssocircle.com is my trusted identity provider name. Now I get the following error:

HTTP Status 403 - Relay state does not contain orginal URL cookie.

And another error is:

HTTP Status 400 - Service Provider endpoint ACS could not redirect to original application URL because it could not convert RelayState received to original application URL.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hello,

The relay state cookie is used by the SAML 2.0 SP (the HANA Cloud VM in this case) to determine which URL was originally requested.
When the SAML 2.0 response arrives at the ACS endpoint, the SAML 2.0 SP redirects the browser to this URL, where the SAML 2.0 assertion is evaluated and the user is authenticated.
The name of this relay state cookie is specified in the URL parameter RelayState of the SAML authentication request.
The cookie is set in the same SAML 2.0 request. When the IdP returns the response, it must return the relay state cookie name as a URL parameter.
You can gather an HTTP trace and check whether the relay state cookie name is sent back unchanged with the SAML 2.0 response.
Could you please also tell us which is the HANA runtime that you are using in your application?

Best regards
Angel
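To make the mechanism Angel describes concrete, here is an added example (not SAP's code, and not from this thread) of a minimal SP that stores the original URL in a cookie named after an opaque RelayState token and resolves it again at the ACS endpoint. The class name, the host name and the mapping of conditions to the 400/403 responses quoted in the question are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlparse


class RelayStateSP:
    """Constructed model of the SP side of the relay-state cookie scheme.

    The SP never redirects to text supplied by the IdP; RelayState is only a
    key into cookies the SP itself wrote. That is what keeps RelayState from
    turning into an open redirect, and it is also why any change to the
    returned value (even trailing whitespace) breaks the lookup.
    """

    def __init__(self, allowed_host):
        self.allowed_host = allowed_host  # host the SP is willing to redirect to

    def start_sso(self, original_url, cookies):
        """Start the SAML flow for a protected URL.

        Mints a random RelayState token, remembers the original URL in a
        cookie named after that token, and returns the token to be placed
        in the AuthnRequest's RelayState parameter.
        """
        token = "S" + secrets.token_urlsafe(32)
        cookies[token] = original_url
        return token

    def acs(self, relay_state, cookies):
        """Handle the IdP's POST to the ACS endpoint.

        Returns (http_status, body_or_location). The status mapping below is
        an assumption modelled on the two messages quoted in the question.
        """
        if not relay_state or not relay_state.startswith("S"):
            # Assumed: nothing usable to convert back into an application URL.
            return 400, ("Service Provider endpoint ACS could not redirect to "
                         "original application URL because it could not convert "
                         "RelayState received to original application URL.")
        url = cookies.get(relay_state)
        if url is None:
            # The token came back, but no cookie of that exact name exists.
            return 403, "Relay state does not contain original URL cookie."
        if urlparse(url).netloc != self.allowed_host:
            # Defence in depth: only redirect within the SP's own application.
            return 403, "Stored URL is not on this service provider."
        return 302, url
```

Replaying the flow with the returned RelayState altered (for example with a trailing space) shows the 403 from the question, which is the check an HTTP trace is meant to surface.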

former_member289943
Discoverer
0 Kudos

Right now I find that my identity provider can't support a signing certificate, so I can't get the metadata. I will make it.