RelayState error using AD FS 3 for Enterprise Login

Discussion created by lscharen on Mar 29, 2016


We recently encountered an error where iOS devices were failing to log into a newly set up AD FS endpoint with a rather cryptic error: "The required parameter RelayState was missing or invalid". The error was appearing in the AD FS event logs on the Windows server.

It appears that this error is usually caused by the SAML cookies exceeding the 4 KB cookie limit, which results in a truncated cookie being sent to the endpoint, which is certainly invalid.


ADFS 2.0 Web SSO not working in current versions of Safari for Windows or iOS

It turned out that the workaround to the problem was to uncheck the following settings under Enterprise Login advanced settings:

  • Encrypt Assertion
  • Enable Signed Request
  • Propagate logout to Identity Provider

For some reason, enabling all of these options resulted in cookies that were too large and caused the failures.  Hopefully this information can help others who run into the same issue.
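As an added example that is not part of the original post or of any Esri or Microsoft code: the script below audits a set of HTTP Set-Cookie headers against a per-cookie size ceiling, so an administrator can check whether a sign-in response is producing cookies large enough for a browser to drop or truncate them before they reach AD FS. The sample headers are constructed, not captured from a real AD FS server; the 4096-byte limit (the RFC 6265 minimum browsers must support, and the common ceiling in practice) and the 90% warning threshold are assumptions you can adjust.

```python
# Added example (not from the original post): audit Set-Cookie headers for
# cookies approaching or exceeding the common 4096-byte per-cookie ceiling.
# Oversized SAML session cookies never reach the IdP intact, which surfaces as
# "required parameter RelayState was missing or invalid" style failures.
from typing import Dict, List, Tuple

COOKIE_LIMIT = 4096   # assumption: common browser per-cookie ceiling (RFC 6265 minimum)
WARN_RATIO = 0.9      # assumption: flag cookies at 90% of the limit as "at risk"

# Constructed sample headers, shaped like a federation sign-in response.
# The names and values are invented; lengths are chosen to hit each status.
SAMPLE_HEADERS: List[str] = [
    "SessionId=" + "a" * 120 + "; Path=/; Secure; HttpOnly",            # 130 bytes
    "SamlSession=" + "b" * 3800 + "; Path=/adfs; Secure; HttpOnly",     # 3812 bytes
    "SamlSession1=" + "c" * 4200 + "; Path=/adfs; Secure; HttpOnly",    # 4213 bytes
]


def parse_set_cookie(header: str) -> Tuple[str, str, int]:
    """Return (name, value, byte length of the name=value pair) for one Set-Cookie header.

    Attributes such as Path or Secure are not sent back by the browser, so only
    the name=value pair counts toward what the server will receive.
    """
    name_value = header.split(";", 1)[0].strip()
    name, _, value = name_value.partition("=")
    return name.strip(), value.strip(), len(name_value.encode("utf-8"))


def audit_cookies(headers: List[str], limit: int = COOKIE_LIMIT) -> Dict[str, Dict[str, object]]:
    """Classify each cookie as 'ok', 'at_risk' or 'too_large' by its name=value size."""
    report: Dict[str, Dict[str, object]] = {}
    for header in headers:
        name, _, size = parse_set_cookie(header)
        if size > limit:
            status = "too_large"
        elif size >= limit * WARN_RATIO:
            status = "at_risk"
        else:
            status = "ok"
        report[name] = {"bytes": size, "status": status}
    return report


def cookie_header_bytes(headers: List[str]) -> int:
    """Size of the single Cookie request header the browser would build from all cookies.

    Some proxies and servers cap total request header size as well, so the sum
    matters even when every individual cookie is under the limit.
    """
    pairs = [header.split(";", 1)[0].strip() for header in headers]
    return len("; ".join(pairs).encode("utf-8"))


if __name__ == "__main__":
    for name, info in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name:<14} {info['bytes']:>6} bytes  {info['status']}")
    print(f"Cookie request header total: {cookie_header_bytes(SAMPLE_HEADERS)} bytes")
```

To use it against a real sign-in, paste the Set-Cookie header values from a browser's developer tools or a proxy capture into the list in place of the constructed samples; any cookie reported as too_large or at_risk is a candidate for the oversized-assertion problem described above, and re-running the audit after unchecking the Enterprise Login options confirms whether the change brought the cookies back under the limit.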
