I was having the same problem / receiving the same error messages. I can confirm that the Default Relay State should be blank in the SSO config and it is not a requirement for CPPM.
My issue turned out to be DNS related. While I did add the URL that I use to log into CPPM with under the SAML Requestable SSO URLs, after a successful SAML auth, when CPPM tries to redirect you back to the originally requested CPPM page, it defaults to the Hostname in the browser URL if there is no FQDN defined in CPPM. After I added a DNS record for the hostname of my CPPM and added the hostname as a Requestable SSO URL in OKTA, the "RelayState missing/invalid" error went away, and I was redirected to CPPM.
The caveat with this is, the hostname defined on my CPPM is a different domain than my HTTPS cert. So while the above workflow worked, I did receive a cert error on the final redirect to CPPM. This was easily fixed by adding an FQDN on CPPM / Server Config with a DNS name that my client can resolve and trust via CPPM's HTTPS cert.
After updating the FQDN, I was able to remove the CPPM hostname defined in the SAML Requestable SSO URLs and my client was able to login in end-to-end with no cert errors.
Sent: Oct 14, 2020 12:59 PM
From: ajamu abraham
Subject: Okta Onboarding giving "RelayState missing" error
I have been trying to configure Clearpass and Okta to be able to enable Onboarding process. Currently we are buying Clearpass but I am testing on the evaluation license POC how this will work when we deploy in production. The way I thought this might work is that after i configure the settings our users will be able to see a Clearpass Onboard icon in their Okta dashboard that will give them access to onboard their devices onto the corporate network.
I have tried to followed these two documents when configuring this:
- "SAML Configuration Guide v1.5"
- "Clearpass Configuration Guide Onboard and Cloud Identity Providers"
Both of these guides did not help me get this configured at all. The SAML guide was created in 2017 and the Okta interface has changed. The other guide was more helpful but I still get this error:
HTTP Status 403 – Forbidden
Type Status Report
Message RelayState missing/invalid
Description The server understood the request but refuses to authorize it
I checke Okta logs and it says that the connection attempt was successful. In Clearpass I see nothing in the Event Viewer or the Access Tracker. I then I went to Server Configuration and collected the logs. In the network-services.log.0 I saw this statement:
2020-10-13 15:19:04,320 [ajp-apr-8009-exec-8] [R:] ERROR com.avenda.tips.webauthservice.sso.saml.SamlSp - RelayState missing
There is nothing in either of those guides that mention anything about configuring the relay state. Please help.