SAML doesn't really care about query strings of your desired resource, but it does have requirements on the various bindings. If you are passing a URL in the RelayState parameter in the POST binding, it will work just fine. If you're using RelayState in Redirect, you need to URL encode it.
PingFederate has some requirements around their use, and, when you think about it, it makes sense. If you are using the IdP Application Endpoint, you are feeding a number of query parameters to the endpoint, but primarily PartnerSpId. If you wish to use the TARGET or TargetResource (or InErrorResource) parameter, then as noted in the documentation, that parameter must be URL encoded. If you don't, then Ping assumes that the ? in your https://yoururlhere.com/SiteA/go.aspx?u=/ch/zLAReq&Rid=24288 denotes the beginning of another set of query parameters, none of which Ping recognizes, and so it throws them away.
So, your "corrected" IdP application endpoint URL should look something like this:
https://pfserver.domain.local/idp/startSSO.ping?
PartnerSpId=some:entity:id&
TargetResource=https%3A%2F%2FyourURLHere.com%2FSiteA%2Fgo.aspx%3Fu%3D%2Fch%2FzLAReq%26Rid%3D24288
(note: line breaks added for clarity)
I should also note that the protocol endpoints of /idp/SSO.saml2 and /sp/ACS.saml2 for PingFederate expect pure protocol communication. Anything sent to those endpoints, e.g., an AuthnRequest to /idp/SSO.saml2 or a response to /sp/ACS.saml2, must be SAML2 compliant.
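The encoding rule from the answer above, as an added example that is not part of the original post: it builds the startSSO.ping URL with the TargetResource value percent-encoded, and contrasts it with the naive concatenation. The parser used to model what the endpoint sees is an assumption (a standard split on & and =), not PingFederate's own code; the host, entity ID and target URL are the constructed values from the answer.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Sample values taken from the answer above (constructed, not a real deployment).
START_SSO = "https://pfserver.domain.local/idp/startSSO.ping"
PARTNER_SP_ID = "some:entity:id"
TARGET = "https://yourURLHere.com/SiteA/go.aspx?u=/ch/zLAReq&Rid=24288"


def build_start_sso_url(base, partner_sp_id, target_resource, param="TargetResource"):
    """Build the IdP application endpoint URL with every value percent-encoded.

    quote with safe="" turns '/', ':', '?', '=' and '&' inside the value into
    %2F, %3A, %3F, %3D and %26, so the target's own query string cannot be
    read as parameters of the startSSO.ping request itself.
    """
    query = urlencode({"PartnerSpId": partner_sp_id, param: target_resource},
                      quote_via=quote, safe="")
    return f"{base}?{query}"


def build_naive_url(base, partner_sp_id, target_resource):
    """The mistake: append the target URL without encoding it."""
    return f"{base}?PartnerSpId={partner_sp_id}&TargetResource={target_resource}"


def params_as_seen_by_endpoint(url):
    """Model how a generic query parser splits the request.

    Assumption (not PingFederate's actual implementation): the endpoint splits
    the query on '&' and then on the first '=' of each pair, as parse_qs does.
    Returns a dict of parameter name -> first value.
    """
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


if __name__ == "__main__":
    good = params_as_seen_by_endpoint(build_start_sso_url(START_SSO, PARTNER_SP_ID, TARGET))
    bad = params_as_seen_by_endpoint(build_naive_url(START_SSO, PARTNER_SP_ID, TARGET))
    # Encoded: TargetResource survives intact.  Naive: it is cut at the '&'
    # and a stray 'Rid' parameter appears that the endpoint would discard.
    print("encoded ->", good)
    print("naive   ->", bad)
```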