SecureAuth IdP Version Affected: 9.1.0-45 and lower, 9.2.0-18 and lower, 9.3.0-3 and lower
When a realm redirects a browser within a realm (e.g. if a begin site like WinSSO is being used) or to another realm (e.g. using adaptive authentication) each step will put the query string through another round of URL encoding without checking to see if the query string is already URL encoded.
This can lead to double URL encoded or even multiple URL encoded query strings, that can break things like SAML requests (which are contained within the query string) and prevent them from working.
How this manifests differs but frequently it can lead to either looping between realms and service providers or even other realms.
The diagnosis can be confirmed by opening Developer Tools in the browser and reviewing the network tab. Something resembling the following will be evident showing progressive URL encoding taking place:
Product defects EE-991 (for IdP 9.1) and EE-937 (for IdP 9.2)
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.