The 21.3.1 release (Oct 2022) introduced a difference in relay state encoding. If there are two VSA Gateways, one of them is on this higher version, and that gateway is set as the ACS URL on the IdP, you will observe the error below (say GW1 is on a lower version than GW2, and GW2 is configured as the ACS URL).
On GW1:
vsm-vcsn0> show saccess session history id 14960
ID : 14960
Timestamp : 2022-10-14 21:16:31.276
Tenant : PSI
Source IP : 150.129.102.229
Request ID :
Current index : 0
Next index : -1
Service,
URI : gateway
Username : versa.psi@praweda.id
Action : prelogin
Auth profile : PSI-Authentication-Profile
Auth method : saml
Auth cache : IP_based
OTP profile :
OTP type :
Temp pwd prof :
Public IP :
Private IP : 192.168.1.11
IPSEC profile id : PSI-Access
RTT :
Tunnel IP :
EAP ID : versa.psi@praweda.id
Policy,
Evaluated : no
User ID count : 0
HTTP Request,
Method : GET
URI : '/secure-access/services/gateway?action=prelogin&ent_name=PSI&username=versa.psi%40praweda.id&os_type=Windows_10_Pro&os_version=v-2009+b-19044.2006&client_version=7.5.7&ep_protection=Windows+Defender&cb_url=com.versa.sase%3A%2F%2FsecureAccessClient&ipsec_profile_id=PSI-Access&private_ip=192.168.1.11&eap_id=versa.psi%40praweda.id&detect_trusted_network=true'
Query-params,
ent_name : PSI
action :
latitude : 9.3842
longitude : 76.5795
os_type : Windows_10_Pro
os_version : v-2009 b-19044.2006
client_version : 7.5.7
isp : Alliance Broadband Services Pvt. Ltd.
ep_protection : Windows Defender
uuid :
cb_url : com.versa.sase://secureAccessClient
cookie :
look_for_best :
req_device_id :
req_eip_info :
tunnel_count :
force_auth :
detect_trusted_network : true
preferred_gw_fqdn :
preferred_gw_ip :
api_version :
tunnel_ip :
sess_token :
Headers,
host : psi-02.versanow.net
Body : ''
HTTP Response,
Code : 307
UUID : bad2edcdabae6113
Headers,
auth_basic : no
auth_negotiate : no
---------------------
As the error below shows, the GW2 gateway is not able to extract the domain and UUID from the SAML response.
------------------------------------
vsm-vcsn0> show saccess session history id 13282 <<<< From SIN-VGW-02
ID : 13282
Timestamp : 2022-10-14 21:16:33.517
Tenant : INVALID
Source IP : 150.129.102.229
Request ID :
Current index : -1
Next index : -1
Service,
URI : unknown
HTTP Request,
Method : POST
URI : '/secure-access/services/saml/login-consumer'
Query-params,
ent_name :
action :
latitude :
longitude :
os_type :
os_version :
client_version :
isp :
ep_protection :
uuid : psi-02.versanow.n
cb_url :
cookie :
look_for_best :
req_device_id :
req_eip_info :
tunnel_count :
force_auth :
detect_trusted_network :
preferred_gw_fqdn :
preferred_gw_ip :
api_version :
tunnel_ip :
sess_token :
qr_over_mail :
Headers,
host : psi-01.versanow.net
Body : 'SAMLResponse=[base64-encoded SAML response omitted]&RelayState=psi-02.versanow.net%3Abad2edcdabae6113%3A'
HTTP Response,
Code : 404
UUID :
Headers,
auth_basic : no
auth_negotiate : no
location : no
Body : ''
Logs,
saccess_service_process_saml_resp: SAML response for domain '' and uuid 'psi-02.versanow.net:bad2edcdabae6113:' and reqid ''
saccess_service_process_saml_resp: tnt-id not found for uuid:psi-02.versanow.net:bad2edcdabae6113:
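
One way to correlate the two session-history entries above when triaging this failure, as an added example (not Versa's own tooling): it decodes the RelayState from the login-consumer POST body and checks whether its UUID was issued by a prelogin on a different gateway. The excerpts are trimmed from the output above with the SAMLResponse replaced by a placeholder; the function names are hypothetical, and splitting the RelayState on ':' is an assumption based on the logged value.

```python
import re
from urllib.parse import parse_qs

# Constructed excerpts: selected fields from the two entries shown above.
# Splitting RelayState on ':' is an assumption based on the logged value.
GW1_ENTRY = """\
ID : 14960
host : psi-02.versanow.net
Code : 307
UUID : bad2edcdabae6113
"""
GW2_ENTRY = """\
ID : 13282
Tenant : INVALID
host : psi-01.versanow.net
Body : 'SAMLResponse=PLACEHOLDER&RelayState=psi-02.versanow.net%3Abad2edcdabae6113%3A'
Code : 404
saccess_service_process_saml_resp: tnt-id not found for uuid:psi-02.versanow.net:bad2edcdabae6113:
"""

def field(entry, name):
    """Return the value of the first 'name : value' line, or '' if absent."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:[ \t]*(.*)$", entry, re.M)
    return m.group(1).strip().strip("'") if m else ""

def correlate(prelogin, consumer):
    """Match a login-consumer POST to the prelogin that issued its RelayState."""
    relay = parse_qs(field(consumer, "Body")).get("RelayState", [""])[0]
    tokens = [t for t in relay.split(":") if t]
    uuid = field(prelogin, "UUID")
    return {
        "relay_state": relay,                        # percent-decoded value
        "issued_by": field(prelogin, "host"),        # gateway that sent the 307
        "received_by": field(consumer, "host"),      # gateway configured as ACS
        "status": field(consumer, "Code"),
        "uuid_matches_prelogin": uuid != "" and uuid in tokens,
        "tenant_resolved": field(consumer, "Tenant") != "INVALID",
        "lookup_failed": "tnt-id not found" in consumer,
    }

def is_cross_gateway_relay_failure(r):
    """True when a RelayState issued by one gateway failed lookup on another."""
    return (r["uuid_matches_prelogin"] and r["issued_by"] != r["received_by"]
            and r["lookup_failed"] and not r["tenant_resolved"])

if __name__ == "__main__":
    print(correlate(GW1_ENTRY, GW2_ENTRY))
```

A match on all four conditions points at the gateways rather than the IdP: the UUID in the RelayState is the one the prelogin gateway issued, but the gateway receiving the ACS POST could not map it to a tenant.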