SAML Single Sign On - No RelayState parameter found



Post by Support_Jerrod » Thu Jun 13, 2019 9:14 am
This error on the screen or in the GoAnywhere.log indicates the SAML ID Provider (IDP) is not providing a relayState parameter. This parameter is needed in GA MFT and is part of the SAML specification. The relayState parameter is meant to indicate where the user should end up after authenticating with the IDP.

Service Provider (SP) Initiated (SAML SSO process started by browsing to the web or admin client first):
In a typical SAML scenario that is initiated by the user going to the web client or admin client portal, the URL they tried to access is defined as the relayState by GoAnywhere. This should not cause this type of error.

Identity Provider (IDP) Initiated (SAML SSO process started by accessing the IDP first):
In a typical SAML scenario that is initiated by the IDP, the relayState is defined within the IDP as part of the URL. See the resolution below.

Resolution:
Assuming SAML SSO is initiated from the IDP as defined above, the URL defined within the IDP configuration for SAML should simply apply a dummy parameter to the end of the URL. For example: ?relayState=xyz or &relayState=xyz (in some situations).

Explanation of relayState usage in GoAnywhere:
Due to the complexities within GoAnywhere, mainly that all users don’t have access to all pages, the relayState is not adhered to but is a necessary parameter. Within the Admin Client using SAML, we always forward users to the Dashboard. Within the Web Client using SAML, we always forward them to their defined landing page preference.

Ideally, we could remove the requirement of a relayState, as we are not using it. However, it is required as part of the specification and must be passed along to the IDP from the SP when SAML is initiated by the SP, so we have not removed it.
Jerrod Foster
Support Analyst

e. [email protected]
p. 1.800.949.4696
w. HelpSystems.com
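
The resolution described in the post, as an added example that is not part of the original post or of GoAnywhere's code: a Python check that an IDP-side target URL carries a `relayState` parameter and, if not, appends the dummy value with `?` or `&` depending on whether a query string already exists, keeping any `#fragment` last. The host and path are constructed placeholders, and treating an empty `relayState=` as missing is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

PARAM = "relayState"  # spelling used in the post
DUMMY = "xyz"         # dummy value from the post; the post says the value is not acted on


def has_relay_state(url: str) -> bool:
    """True if the query string carries a non-empty relayState parameter."""
    prefix = PARAM + "="
    pairs = urlsplit(url).query.split("&")
    return any(p.startswith(prefix) and len(p) > len(prefix) for p in pairs)


def ensure_relay_state(url: str, value: str = DUMMY) -> str:
    """Return url unchanged if relayState is set, otherwise append it.

    Other query parameters are kept byte-for-byte, and the parameter is
    placed before any fragment, since a fragment is never sent to the server.
    """
    if has_relay_state(url):
        return url
    parts = urlsplit(url)
    # Drop an empty relayState (assumption: empty counts as missing).
    pairs = [p for p in parts.query.split("&") if p and p not in (PARAM, PARAM + "=")]
    pairs.append(urlencode({PARAM: value}))
    return urlunsplit(parts._replace(query="&".join(pairs)))


def audit(urls):
    """Map each URL that lacks relayState to its corrected form."""
    return {u: ensure_relay_state(u) for u in urls if not has_relay_state(u)}


# Constructed sample IDP target URLs (placeholders, not real GoAnywhere paths).
SAMPLE_URLS = [
    "https://mft.example.com/sso-endpoint",
    "https://mft.example.com/sso-endpoint?tenant=a",
    "https://mft.example.com/sso-endpoint?tenant=a#top",
    "https://mft.example.com/sso-endpoint?relayState=",
    "https://mft.example.com/sso-endpoint?relayState=abc",
]

if __name__ == "__main__":
    for before, after in audit(SAMPLE_URLS).items():
        print(f"{before}\n  -> {after}")
```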