Service Provider (SP) Initiated (SAML SSO process started by browsing to the web or admin client first):
In a typical SAML Scenario that is initiated by user going to the web client or admin client portal, where the URL they tried to access is defined as the relayState by GoAnywhere. This should not cause this type of error.
Identity Provider (IDP) Initiated (SAML SSO process started by accessing the IDP first):
In a typical SAML Scenario that is initiated by the IDP, then it is defined within the IDP as part of the URL. See resolution below
Assuming SAML SSO is initiated from the IDP as defined above, the URL defined within the IDP configuration for SAML should simply apply a dummy parameter to the end of the URL. For example: ?relayState=xyz or &relayState=xyz (in some situations).
Explanation of relayState usage in GoAnywhere:
Due to the complexities within GoAnywhere, mainly that all users don’t have access to all pages, the relayState is not adhered to but is a necessary parm. Within the Admin Client using SAML we always forward them to the Dashboard. Within the Web Client using SAML we always forward them to their defined landing page preference.
Ideally we could remove the requirement of a relayState as we are not using it. However it is required as part of the specification and is required to be passed along to the IDP from the SP when SAML is initiated by the SP so thus we have not removed it.