on 05-02-2018 7:20 PM
Hello,
As far as I can tell so far, SAML authentication is correctly configured on the service provider and identity provider side. Our IdP is ADFS.
The problem is after the user is authenticated, the user gets the screen with error message "No default application path is configured for ACS endpoint". If I then re-enter the original URL in the browser, the application is loaded as expected, without any errors (this is how we know SAML authentication is taking place successfully).
If I update the SAML configuration by entering a Default Application Path at SAML Configuration > Local Provider tab > Service Provider Settings tab > Assertion Consumer Service section, then this default application path is what is loaded after SAML authentication takes place, which clearly is not what we want to happen.
I have looked at the following resources, but have still not found a solution:
Any help is very much appreciated.
Best regards,
Jill
Hello Jill,
That's the idea of setting up a default application path. It will always redirect to that path.
If it is an IdP-initiated SSO, there is no way to know what service will be accessed, because a service wasn't accessed on the SP side yet.
The only way to create this kind of behavior is by using RelayStates with an SP-initiated SSO.
Regards
Hello Geferson,
Thank you for replying, however I'm confused. Our scenario is an SP-initiated SSO, which I thought meant the original URL provided was saved and would be used once SAML authentication had taken place. I also thought it was IdP-initiated SSO that required the use of RelayStates, not SP-initiated SSO.
My understanding of this comes from the following SAP Help document:
Mapping Relay States to Applications
“Use this procedure to protect application URLs when performing identity provider-initiated Single Sign-On (SSO). Security Assertion Markup Language (SAML) 2.0 uses a RelayState parameter to restore the original application URL so that the user can return to the application with a SAML assertion. The RelayState has to be sent from the identity provider as a URL or POST parameter. Exposing the application URL in SAML messages can be a security risk. For service provider-initiated SSO, the service provider saves the URL and places the name of the cookie in the relay state. For identity provider-initiated SSO this option is not available. Instead you can have the identity provider place an alias for the application in the relay state and map the alias to the application on the service provider.”
Perhaps I am misunderstanding the SAP Help document?
Regards,
Jill
Hi Jill,
My bad. I thought you were using IdP-initiated.
Anyway, you still need to configure RelayState. The URL is saved in the RelayState cookie and sent to the IdP. The IdP will then return to the correct address.
In the Default Application Path documentation, we have:
"the service provider redirects the requests according to the value of the RelayState parameter. If the identity provider sends a request without a relay state, the service provider redirects the user to the default application path."
That's basically the behavior.
Regards,
Geferson Hess
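To make the two behaviours in this thread concrete (SP-initiated SSO with the original URL kept on the SP side and only a cookie name sent as RelayState, versus IdP-initiated SSO with a RelayState alias mapped to an application path, and the Default Application Path as the fallback when neither resolves), here is a small model of the service-provider side. This is an added illustration, not code from SAP or from this thread; the default path, host name, alias table and all function names are constructed for the example.

```python
import secrets
from urllib.parse import urlsplit

# Constructed values for this illustration; not SAP configuration.
DEFAULT_APPLICATION_PATH = "/home"      # the SP's "Default Application Path"
SP_HOST = "sp.example.com"              # the only host the SP may redirect to

# IdP-initiated SSO: alias -> application path, configured on the SP
# ("Mapping Relay States to Applications"). Constructed entries.
RELAY_STATE_ALIASES = {
    "crm": "/sap/bc/ui5/crm",
    "hr": "/sap/bc/ui5/hr",
}


def is_local_target(url):
    """Accept only same-host targets, so a forged or tampered RelayState
    cannot turn the ACS endpoint into an open redirect."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme == "https" and parts.netloc == SP_HOST


class ServiceProvider:
    """Minimal model of the SP-side RelayState handling discussed in the thread."""

    def __init__(self):
        self._saved_urls = {}   # opaque cookie name -> original URL
        self._pending = set()   # IDs of AuthnRequests this SP has issued

    def start_sp_initiated_sso(self, original_url):
        """SP-initiated SSO: keep the original URL on the SP and send only an
        opaque cookie name as the RelayState, so the URL itself never appears
        in the SAML messages. Returns (relay_state, authn_request_id)."""
        relay_state = "saml_rs_" + secrets.token_urlsafe(16)
        request_id = "_" + secrets.token_hex(16)
        self._saved_urls[relay_state] = original_url
        self._pending.add(request_id)
        return relay_state, request_id

    def handle_acs_response(self, relay_state, in_response_to=None):
        """Choose the post-login redirect at the ACS endpoint.

        in_response_to is the InResponseTo attribute of the SAML Response:
        present for SP-initiated SSO, absent for IdP-initiated SSO.
        """
        if in_response_to is not None:
            if in_response_to not in self._pending:
                return DEFAULT_APPLICATION_PATH   # unknown or replayed request
            self._pending.discard(in_response_to)
            target = self._saved_urls.pop(relay_state, None)  # one-time use
        elif relay_state:
            target = RELAY_STATE_ALIASES.get(relay_state)     # IdP-initiated alias
        else:
            target = None   # no RelayState at all: fall back to the default path
        if target is None or not is_local_target(target):
            return DEFAULT_APPLICATION_PATH
        return target
```

The point of the cookie-name indirection is the sentence quoted from the SAP Help above: the application URL is never exposed in the SAML exchange, and the saved entry is consumed once, so a replayed response cannot reuse it. A response with no RelayState, or with an alias or token the SP does not know, lands on the Default Application Path, which is exactly the symptom described at the top of the thread.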
Hi,
Refer to the example in the link.
Basically, you map a name for an application path.
You can find more information about its functionality here: https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf
Regards,