SAML | This Request will not be considered since passing more parameters to server might result in vulnerability issues.

Issue:
After an upgrade, customers may face this issue during SAML login:

Trace:

[14:14:03:012]|[10-02-2023]|[com.manageengine.mdh.MDHSettings]|[INFO]|[57303]: Service desk instance ID not found in Cookie|
[14:14:03:012]|[10-02-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[57303]: PORTALID : 1|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: SdpSecurityFilter called |
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: RequestURI::::::: /HomePage.do|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: urlRule::::::: URLRule ::  path = "/HomePage.do" actionParamName = "action"  urlInRegex  = "false"|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: actionParamValue::::::: null|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: actionRule::::::: ActionRule ::  Path : "/HomePage.do" method :"GET"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "" dynamicParams : "false" api : "false" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam  : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[14:14:03:012]|[10-02-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[57303]: PORTALID : 1|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: SdpSecurityFilter called |
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: RequestURI::::::: /Error|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: urlRule::::::: URLRule ::  path = "/Error"  urlInRegex  = "false"|
[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: actionParamValue::::::: null|

Root Cause:
This issue occurs when end users bookmark old SDP URLs containing parameters that are now unsupported (and are therefore treated as extra parameters).

Solution:
Check whether the customer is using a bookmark, or a button on another portal/website, in which SDP's URL is predefined with the extra parameters. Ask them to remove the extra parameters from the bookmark; if the link is on an external website, ask its admin to remove the extra parameters from the SDP URL.
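
To find which requests hit this rejection, the following added example (not ManageEngine code) scans log lines in the format of the trace above and reports each request path that is followed by a forward to /Error on the same thread. The thread-id pairing and the 1-second window are assumptions drawn from that trace, and since the trace shows only the path, use the reported time to ask the user which bookmark or link they opened.

```python
import re

# Field layout taken from the trace above: [time]|[date]|[logger]|[level]|[thread]: message|
LINE_RE = re.compile(
    r"^\[(?P<time>[\d:]+)\]\|\[(?P<date>[\d-]+)\]\|\[(?P<logger>[^\]]+)\]"
    r"\|\[(?P<level>\w+)\]\|\[(?P<thread>\d+)\]: (?P<msg>.*)$"
)
URI_RE = re.compile(r"RequestURI:+\s*(?P<uri>[^\s|]+)")


def to_ms(stamp):
    """Convert the HH:MM:SS:mmm time field to milliseconds since midnight."""
    h, m, s, ms = (int(part) for part in stamp.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def find_error_forwards(lines, window_ms=1000):
    """Return (date, time, thread, uri) for each request followed by /Error.

    Assumption: the forward to /Error is logged on the same thread id within
    window_ms of the original RequestURI line, as in the trace above.
    """
    last = {}   # thread id -> (date, time, uri) of the latest non-/Error request
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        u = URI_RE.search(m["msg"]) if m else None
        if not u:
            continue  # not a log line, or not a RequestURI entry
        thread, uri = m["thread"], u["uri"]
        if uri != "/Error":
            last[thread] = (m["date"], m["time"], uri)
            continue
        prev = last.pop(thread, None)
        if prev and prev[0] == m["date"] and 0 <= to_ms(m["time"]) - to_ms(prev[1]) <= window_ms:
            hits.append((prev[0], prev[1], thread, prev[2]))
    return hits


# Constructed sample: two lines copied from the trace above plus one made-up request.
SAMPLE = [
    "[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: RequestURI::::::: /HomePage.do|",
    "[14:14:03:012]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57303]: RequestURI::::::: /Error|",
    "[14:15:10:400]|[10-02-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[57310]: RequestURI::::::: /Example.do|",
]

if __name__ == "__main__":
    for hit in find_error_forwards(SAMPLE):
        print(*hit)
```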