Citrix RelayState in response does not match with rule in action please contact your administrator

What is RelayState?

As OASIS describes:

“Sometimes a binding-specific field called RelayState is used to coordinate messages and actions of IdPs and SPs, for example, to allow an IdP (with which SSO was initiated) to indicate the URL of a desired resource when communicating with an SP.”

In other words, RelayState is a URL parameter that we use to tell our Identity Provider where it should send the response back (directly to WebGUI? Fiori? NWBC?…).

Identity Provider-Initiated vs Service Provider-Initiated

To set up the RelayState correctly, you need to understand the difference between the IDP-initiated and SP-initiated authentication flows.

The SP-initiated authentication flow is when you type the Service Provider URL and it redirects to the IDP, so the IDP knows who is initiating the SAML authentication flow. This is important because the Identity Provider can serve more than one SP, so it knows who is sending the request. We do not need to modify the URL to tell the IDP who we are.

The IDP-initiated flow is when you type the IDP URL in the browser, and therefore the IDP does not know who is sending the SAMLRequest. That is where the saml2sp parameter comes in handy. We can use a URL of the form http://idpurl?saml2sp=spname. This is described here.

Prerequisites to use RelayState

  • You already have a landscape authenticating via SAML2
  • You are using an IDP-initiated authentication flow

How to configure RelayState on AS ABAP

  1. First, you can open the SAML2 transaction from your AS ABAP through SAPGUI.
  2. Click on Service Provider Settings and scroll down to RelayState Mapping.
  3. As you can see, we have two columns: RelayState and Application Path. In the first one you can use any name, because it is just an alias (we will use this name as a URL parameter). The second one is the path to your URL/Service (e.g. /sap/bc/…).
  4. Therefore, create an alias to your service and specify the path.

  1. That is it! You have configured the RelayState. Let’s test it.
  2. Type the URL of your IDP using the parameter saml2sp and the RelayState.
  3. In my case, it would be: http://myidpurl:50200/saml2/idp/sso?saml2sp=ABAP_N50_SP&RelayState=fiori

  1. As you can see, I have been redirected to Fiori and not to the Default path.
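
The mapping and test URL above, as an added Python sketch (not code from the original post or from SAP): it builds the IdP-initiated URL and resolves the returned RelayState strictly as an alias, so the parameter is only ever a lookup key and never a redirect target. The two application paths, the default path and the fallback behaviour for unknown values are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for the RelayState Mapping table: alias -> application path.
RELAY_STATE_MAPPING = {
    "fiori": "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "webgui": "/sap/bc/gui/sap/its/webgui",
}
DEFAULT_PATH = "/sap/bc/gui/sap/its/webgui"  # assumed default application path


def is_local_path(path):
    """True only for a server-relative path: no scheme, no host, no '//' or backslash."""
    parts = urlsplit(path)
    return (
        path.startswith("/")
        and not path.startswith("//")
        and "\\" not in path
        and not parts.scheme
        and not parts.netloc
    )


def build_idp_initiated_url(idp_sso_url, sp_name, alias):
    """IdP-initiated entry URL: saml2sp names the SP, RelayState carries the alias."""
    return idp_sso_url + "?" + urlencode({"saml2sp": sp_name, "RelayState": alias})


def relay_state_from_url(url):
    """Extract a single RelayState value; absent or repeated values yield None."""
    values = parse_qs(urlsplit(url).query).get("RelayState", [])
    return values[0] if len(values) == 1 else None


def resolve_relay_state(relay_state, mapping=RELAY_STATE_MAPPING, default=DEFAULT_PATH):
    """Map the RelayState that came back with the response to a configured path.

    The value is used only as a lookup key. Anything that is not a configured
    alias (a full URL, an unknown name, a missing value) gets the default path,
    and a mapping entry that is not a server-relative path is ignored as well.
    """
    target = mapping.get(relay_state or "")
    if target is None or not is_local_path(target):
        return default
    return target


if __name__ == "__main__":
    url = build_idp_initiated_url("http://myidpurl:50200/saml2/idp/sso", "ABAP_N50_SP", "fiori")
    print(url)
    print(resolve_relay_state(relay_state_from_url(url)))
```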

Conclusion

To conclude, RelayState is a URL parameter that we can use to redirect the user to a different application after the authentication flow finishes.

References

Security Assertion Markup Language (SAML) V2.0 Technical Overview

Performing Identity Provider-Initiated Single Sign-On


Problem

When you attempt to log in to IBM Engineering Lifecycle Management (ELM) from a non-Jazz Home screen, you are not automatically redirected by Jazz Authorization Server (JAS) to your IdP for authentication. You are only redirected when you begin by accessing a secured resource within ELM. Instead, you might receive an error such as:

[ERROR] CWWKS5041E: The expected RelayState parameter was not included in the SAML response message from the IdP.

If you are unable to change the IdP settings to send the RelayState parameter (which might not be permitted), then there is a work-around to change two settings on WebSphere Application Server Liberty.

a. Set useRelayStateForTarget to false.
b. Set the targetPageUrl to the IdP-initiated SSO default landing page.

Cause

Either the RelayState parameter must be provided by your IdP, or you need to redirect users by configuring the targetPageUrl setting in WebSphere Application Server Liberty.

Environment

Engineering Lifecycle Management 6.0.1 and higher

Document Location

Worldwide

Citrix Workspace for Windows 11

Versions of Citrix Workspace prior to 2019.1 may not be compatible with Windows 11.

Download the latest version of Citrix Workspace

All apps:

When accessing files, the following error may appear.

Window title: Restriction

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

This is a known error message with a security policy in place to prevent users from accessing the local drive on the server or prevent saving files to places like the folder. You should use a cloud storage option such as Google Drive or OneDrive in order to avoid losing works in progress on a virtual machine in IUanyWare.

After clicking , the error disappears. You can continue saving your work.

Error message when trying to log into IUanyWare (primarily Chrome browsers)

You see the following message:

"RelayState in Response does not match with rule in Action. Please contact your administrator."

Go to cas.iu.edu/cas/logout, close the browser completely, and then reopen iuanyware.iu.edu.

You can also try clearing your cache and cookies.

Launched application or desktop asks for a Windows login

When clicking to launch an application or desktop, you may be prompted with wording like:

Starting Windows Other user Username Password

Due to increasing resources for IUanyWare, it may take longer than usual to send the IU login cert to the application or desktop you wish to launch.

  1. Click .
  2. Type ads\username (replace username with your IU username).
  3. Use your IU login credentials to log in.

Receiver and Workspace app for macOS Catalina

All versions of the Citrix Receiver are incompatible with macOS Catalina. Citrix Receiver is a 32-bit app.

The Citrix Workspace app 1906 and older is not supported on macOS Catalina.

Use the Citrix Workspace app 1910.2 or later.

To download the latest version of the Citrix Workspace app, go to Download Citrix Workspace app.

Palisade tools

The Palisade Suite in IUanyWare has an expired license. This includes the following applications:

  • AtRisk 7
  • BigPicture 7
  • Evolver 7
  • NeuralTools 7
  • Ptree 7
  • StatTools 7
  • TopRank 7

IUanyWare admins have contacted the application owners. The Palisade license may not be renewed for all users in IUanyWare. This issue is still being investigated.

Workspace app or Receiver with scaled or high resolution displays

In Windows, you may experience display issues when using multiple displays with different resolutions or scaling.

Use the latest version of Citrix Workspace app to enable the app to scale the session for high resolution. If you are still using the Citrix Receiver for special use cases or for the LTSR client, this feature is available in Receiver 4.9 and above.

In the system tray, right-click the icon and select . Disconnect from your sessions and reconnect to them for the changes to take effect.

Note: This setting locks the application to a single monitor if the scaling of any monitor is different (it cannot be stretched across multiple displays).

Workspace or Receiver problems

If you experience problems with IUanyWare which you have not encountered before, check to make sure you have the latest version of Citrix Workspace app.

Before you begin, be sure to uninstall your current Citrix Workspace app or Citrix Receiver.

Visit Download Citrix Workspace app from the device experiencing the problem. This site will automatically install the proper version of Citrix Workspace app. Otherwise, it may direct you to the app store for your particular device to search for the latest version of the app.

Invalid root certificate

You see this message:

"This server has an invalid root certificate, so this may be a malicious server. Connection dropped."

Strictly speaking, this is not an issue with IUanyWare.

Duo

Citrix Workspace app lacks a Duo interface to let you choose your preferred Duo option. The Workspace app sends Duo Push notifications to your mobile device by default.

Best practice: From a browser, log into iuanyware.iu.edu. Use the Duo interface to choose your preferred Duo option. From the browser's store of apps, you can run applications and desktops from the browser or through the Workspace app on your client.

If you prefer to use the Workspace app directly, and you want to use a token key for your second authentication method, see Logging In With the Citrix Receiver Client.

Audio

Audio is enabled on all applications, but some applications (for example, Adobe Audition) will not work through a standard IUanyWare virtual machine.

There is no workaround for this issue.

Skype for Business

Voice and video functionality are enabled for Skype for Business through IUanyWare for testing purposes only; these functions are not supported.

If your phone has been converted to Skype for Business, or if you would like to make a video call, UITS recommends that you download the Skype for Business client to your device.

Installing Skype for Business on your local client will also address the other issues listed below, making workarounds unnecessary. For more, see IUanyWare and Skype for Business.

Skype for Business does not sync your address book on initial logon. The sync will randomly occur between 0 and 60 minutes after startup.

Enter your full primary email address.

IUanyWare Skype for Business status shows as "Away" unless you are actively using the Skype for Business application. Since IUanyWare Skype for Business is essentially an RDP connection, unless you are actively engaged in using the application, it will think you are inactive.

Click Skype for Business (gear icon) and select . Set "Show me as Away when my status has been Inactive for this many minutes:" to a longer time period.

Mathematica

When you access Mathematica from the Receiver on an iPad, the Return key does not evaluate an expression the way pressing Enter on a Windows keyboard or Shift-Return on a Mac keyboard does.

Tap and hold Return to access the right-click menu, and select .

Mathematica 9.0

When you access Mathematica 9.0 from a computer running later Mac versions, drop-down menus may not consistently appear. Although Wolfram stated that Mathematica 9.0 is not compatible with Citrix, this behavior doesn't occur with IUanyWare on Windows systems.

Click your menu selection three times in rapid succession. If the problem recurs, repeat this process.

MATLAB

Students cannot set the path in MATLAB because they cannot write to the restricted server drive where the application is hosted.

Have a faculty or staff member add the path by adding the path command to a startup.m file in c:\users\username\My Documents\MATLAB.

R

Packages cannot be installed in R because you cannot write to the restricted server drive where the application is hosted.

Cloud Storage

For best results, use a Cloud Storage File Share. Always use a cloud storage location when working in IUanyWare. To set up your File Shares for use with IUanyWare, use the Cloud Storage utility.

Virtual Private Network (VPN)

If while off campus you make a VPN connection via the Juniper SSL VPN tool available on IUware, you may have difficulty connecting or reconnecting to IUanyWare.

To connect to VPN before starting IUanyWare, browse to https://vpn.iu.edu and follow the prompts.

If you are already in IUanyWare when you browse to https://vpn.iu.edu, you will temporarily lose your IUanyWare connection; reconnect to IUanyWare through the browser at iuanyware.iu.edu.

Note: While off campus, VPN is not required to access IUanyWare.

Internet Explorer published in IUanyWare

IUanyWare keeps the published version of Internet Explorer up to date with the latest updates and patches. This can cause issues for websites that are not updated to the latest code. The browser can change modes to be compatible with earlier versions of Internet Explorer. This can fix issues caused by compatibility issues with pages that leverage features of earlier IE versions.

To view the browser mode while in IE 10, press F12. The browser mode will be displayed along the bottom of the window. Select to see a drop-down menu of alternative modes.

Note:

UITS strongly recommends that you use a supported browser, and not Internet Explorer (IE). Microsoft 365 apps and services no longer support Internet Explorer.

Web browser issues

Users accessing IUanyWare via their web browsers may encounter the following:

  • Prompts to install Workspace app, but the app is installed.
  • Applications not launching.

These symptoms may be encountered on one or more browsers.

Internet Explorer 11

Prompts to install or activate Citrix Workspace app, but the app is installed.

  1. Add https://iuanyware.iu.edu to the Compatibility View settings website list.
  2. For resolution details, see Citrix Support.

Google Chrome

Prompts to install Citrix Workspace app, but the app is installed.

  1. Add the IE tab.
  2. In the IE Tab Options, add https://iuanyware.iu.edu/* to the Auto URLs.

Passphrases longer than 48 characters

Users with passphrases longer than 48 characters will sometimes see their application launches fail. This has been reported to Citrix, and it is a Citrix issue. UITS has started a ticket asking them to increase this character limit to allow users to use IU's maximum of 127 characters.

To use IUanyWare, reduce your passphrase to 48 characters or fewer.

HTML5 Receiver

When printing, the HTML5 Receiver will not inherit the default printer of the local machine.

Choose a printer available in IUanyWare, or save the file to cloud storage or to the local machine to print elsewhere.

When saving, the HTML5 Receiver will not establish read/write access to your local hard drive.

Use a cloud storage or file share option to save your files.

In most cases, when you save a backup of the file, you'll also have an option in the "Save" dialog box to select . When you make this selection, the session will send a copy of the file to the default download folder used by the browser in which you're working.

When using the HTML5 Receiver via Firefox on Windows 10, you will not be able to type the \ (backslash) character in applications or desktops.

Use another browser to access the HTML5 Receiver if you need to be able to type \. Alternatively, you can copy the \ character from within the open IUanyWare application and paste it where desired.

Citrix Workspace App for Linux