
Facing issue in SAML-based SSO: problem with RelayState to SAP application

Former Member
0 Kudos

Hi,

I have created a SAP Java application with SAML SSO authentication with my third party IdP.

I have configured IdP and SAP to trust each other.

When I try the SP-Initiated SSO all works fine, I get authorized by IdP into my Application.

But the problem starts when I try the IdP-Initiated SSO:

1.1) Firstly I got an error about the missing RelayState parameter - "Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it has not received RelayState."

1.2) Ok. I just fetched the RelayState param from the SP-Initiated SSO and added it to the IdP-to-SP POST message along with the SAMLResponse; it worked out, I had no more errors and got authorized.

2.1) But after a while I tried again to log in with IdP-Initiated SSO with the same RelayState provided in step 1.2, but now I got this error -

"HTTP Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it could not get the RelayState value from the request."

or

"HTTP Status 400 - Service Provider endpoint saml2/sp/acs could not redirect to original application URL because it could not convert the received RelayState to original application URL.".

But I see that in the POST message I have passed the RelayState to the SAP.

2.2) So, since the RelayState was passed to SAP in the POST message, I tried SP-Initiated SSO to get the RelayState again, and now the RelayState value for the same application was different from the one in step 1.2.

So I have some questions:

Q1) Does SAP even support SAML IdP-Initiated SSO?

Q2) If the answer to Q1 is YES, then what value should I pass in the RelayState param? I cannot find any static RelayState param in my application configuration. Or can I just pass the application URL (not encoded) as the RelayState value?

Please help me.

Regards,

Maris

Accepted Solutions (1)

Former Member
0 Kudos

Hi Maris,

Your question fits better in the SAP HANA Cloud Platform Developer Center forum.

I'm sure the experts in that area will be able to support you.

Regards,

Ifat.

Former Member
0 Kudos

Thank you for your advice.

Answers (1)

Former Member
0 Kudos

Hi,

Currently there are some limitations on the IdP-initiated SSO functionality in HCP.

As you have noticed, just sending an unsolicited SAML response to the landscape ACS (i.e. https://authn.hana.ondemand.com/saml2/sp/acs) produces an error due to the missing RelayState.

This is due to the fact that the ACS does not "know" to which application it should send the request. "Injecting" a RelayState does not help much, because it has to be obtained from a valid SP-initiated flow and you would also have to pass an original URL cookie.

You can do IdP-initiated SSO in HCP by sending the SAML Response directly to the application URL that is protected with SAML. This requires you to change the ACS endpoint on the IdP side to point to this URL.

Best regards

Vasil
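The behaviour described in the question (steps 1.1 to 2.2) and explained in Vasil's answer comes down to how an Assertion Consumer Service resolves RelayState. The following Python model is an added example written for this thread; it is not SAP or HCP code, and the in-memory store, the single-use tokens, the 300-second lifetime and the host allow-list are assumptions made for illustration. It contrasts a shared landscape ACS (which can only redirect to a URL it recorded itself when an SP-initiated login started) with an ACS hosted at the application URL, where an unsolicited response needs no RelayState at all.

```python
import secrets
import time
from urllib.parse import urlparse

# Added example (not SAP/HCP code): a minimal model of how an SP's Assertion
# Consumer Service (ACS) resolves RelayState. The in-memory store, single-use
# tokens, TTL value and host allow-list are assumptions for illustration.

RELAY_STATE_TTL = 300  # assumed lifetime (seconds) of a pending SP-initiated login


class LandscapeAcs:
    """Shared ACS serving many applications, like saml2/sp/acs in the thread.

    It can only redirect to an application URL it recorded itself when the
    SP-initiated flow started, so RelayState is opaque, per-request and
    single-use rather than a static per-application value.
    """

    def __init__(self, allowed_hosts):
        self.allowed_hosts = set(allowed_hosts)
        self._pending = {}  # RelayState token -> (original_url, issued_at)

    def start_sp_initiated(self, original_url, now=None):
        """Called when an unauthenticated user hits a protected URL.

        Returns the RelayState the SP places in its AuthnRequest. The target
        host is checked against an allow-list so the ACS cannot be turned
        into an open redirector by a caller-chosen RelayState.
        """
        now = time.time() if now is None else now
        if urlparse(original_url).hostname not in self.allowed_hosts:
            raise ValueError("refusing to issue RelayState for unknown host")
        token = secrets.token_urlsafe(24)
        self._pending[token] = (original_url, now)
        return token

    def acs(self, assertion_valid, relay_state=None, now=None):
        """Handle the IdP's POST. Returns (http_status, detail)."""
        now = time.time() if now is None else now
        if not assertion_valid:
            return 401, "SAML assertion rejected"
        if relay_state is None:
            # Symptom 1.1 in the question: unsolicited response, no RelayState.
            return 400, "has not received RelayState"
        entry = self._pending.pop(relay_state, None)  # consumed on first use
        if entry is None:
            # Symptom 2.1: a RelayState copied from an earlier flow maps to nothing.
            return 400, "could not convert the received RelayState to original application URL"
        original_url, issued_at = entry
        if now - issued_at > RELAY_STATE_TTL:
            return 400, "RelayState expired"
        return 302, original_url


class ApplicationAcs:
    """ACS hosted at the protected application URL itself.

    This is the IdP-initiated shape the answer describes: the landing page is
    fixed by the endpoint, so an unsolicited response needs no RelayState.
    """

    def __init__(self, application_url):
        self.application_url = application_url

    def acs(self, assertion_valid, relay_state=None):
        if not assertion_valid:
            return 401, "SAML assertion rejected"
        # Any RelayState is ignored; the target is the application itself.
        return 302, self.application_url


if __name__ == "__main__":
    shared = LandscapeAcs(["app.example"])  # constructed hostname
    rs = shared.start_sp_initiated("https://app.example/home", now=1000)
    print("SP-initiated:", shared.acs(True, rs, now=1010))
    print("replayed RelayState:", shared.acs(True, rs, now=1020))
    print("unsolicited, no RelayState:", shared.acs(True, None))
    print("ACS at application URL:", ApplicationAcs("https://app.example/home").acs(True))
```

Running the block reproduces the thread's sequence: the first SP-initiated login redirects, the same RelayState replayed later is rejected because the ACS has already consumed it, an unsolicited POST without RelayState gets the "has not received RelayState" error, and the application-hosted ACS lands the user without any RelayState.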