SAML Authentication to PAM fails when address used to connect to PAM doesn't match the SAML assertion

Document ID : KB000124044
Last Modified Date : 04/01/2019
Issue:
PAM was configured as the Relying Party (RP) and SiteMinder was configured as the IdP. The user connected to PAM and clicked the Single Sign On button. The authentication failed with "STATE Information lost".
Resolution:
This is normal behavior when the address specified for the Entity ID on the RP Configuration page does not match the address with which the user connected to PAM. In this case the Entity ID contained the Fully Qualified Domain Name (FQDN), while the user had connected to PAM by IP address, so the SAML state established for one address could not be found when the response came back for the other. This was resolved by connecting to PAM with the FQDN. The user then clicked the Single Sign On button, provided the SAML credentials, and was authenticated to PAM. Subsequent logins to PAM would not require the SAML credentials to be re-entered, as long as those credentials had not timed out.
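As an added diagnostic (not part of this KB article or of the PAM product), the following Python check compares the Entity ID configured on the RP Configuration page with the URL the user actually browsed to, and reports the kind of mismatch; the hostnames and addresses in it are constructed samples.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, lowercase host, effective port) for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_entity_id(entity_id, request_url):
    """Compare the RP Entity ID with the address the user connected to.

    Returns (ok, reason). Hosts are compared case-insensitively and the
    default port is filled in, so https://host and https://HOST:443 match.
    """
    cfg = _origin(entity_id)
    req = _origin(request_url)
    if cfg == req:
        return True, "Entity ID origin matches the connection address"
    if cfg[1] != req[1]:
        hint = ""
        # The case from this article: Entity ID is an FQDN, user used the IP.
        if _is_ip_literal(req[1]) and not _is_ip_literal(cfg[1]):
            hint = f"; connect with the FQDN {cfg[1]} instead of the IP address"
        return False, f"host mismatch: Entity ID uses {cfg[1]!r}, user connected to {req[1]!r}{hint}"
    if cfg[0] != req[0]:
        return False, f"scheme mismatch: Entity ID uses {cfg[0]}, user connected with {req[0]}"
    return False, f"port mismatch: Entity ID uses {cfg[2]}, user connected on {req[2]}"


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    print(check_entity_id("https://pam.example.com/", "https://10.0.0.5/"))
    print(check_entity_id("https://pam.example.com/", "https://PAM.EXAMPLE.COM:443/login"))
```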