function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Rose Sage BaroneRose Sage Barone 

Mobile security problem

We're using OpenAM as our IDP, have SSO and OpenAM turned on for Salesforce.  All is working well until we get to the mobile application.  I go into settings, set the mobile app for custom host, input our "My domain" url as the hostname and click the "log off now" slider button.  When I go into the app, I get the OpenAM login screen (so far, so good), input the username and password into OpenAM and get redirected to a full web page in my sandbox with the message


Unable to Access Page
Required parameter "oauth_consumer_key" not defined.

Error: The value of the parameter specified above contains a character that is not allowed or the value exceeds the maximum allowed length. Remove the character from the parameter value or reduce the value length and re-submit. If the error still persists, please report it to our Customer Support team and provide the URL of the page you were requesting as well as any other related information.


I AM signed onto my sandbox however.  I can click around and see the regular web pages.


If I close the app and open it again, I get the OAuth approve/deny screen and then get the regular mobile app screens.


I've checked OpenAM and it not sending a parm called oauth_consumer_key.


Has anybody run into this before, and does anyone have any suggested solutions?






Are your setup to support SP Initiated SAML, and are your reflecting back the RelayState parameter which we sent you?    

Rose Sage BaroneRose Sage Barone

Yes to SP initiated SAML.  I will put some logging into OpenAM to check on the RelayState parameter.  My guess is no.  :-)


Let me know what you find - that could be it.


Easiest way to test is to try a deeplink in your browser and see if you land at the right place


I am getting same error when working with chatter. I have tested the deep link on browser succcessfully.


My guess is that you're not echo'ing the RelayState properly.   The exact same value must come back as was sent.   Your symptoms sound like you might be dropping http parameters from the URL on your side...probably due to some URL encoding issues.


Here's a whitepaper that might help you as well


Hi Chuck,  Updating on behalf of Tarakkumar.


I note in Chatter the following is the initial RelayState value sent to our IDP RelayState=/setup/secur/RemoteAccessAuthorizationPage.apexp?display=touchAnd  

the following retURL is provided to SFDC     retURL=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fdisplay%3Dtouch

Therefore these look similar apart from the fact that the return URL does contain URL encoding.


For accessing SFDC Web Front end via a bookmarked web URL accessing object /001/o Our IDP receives      RelayState=%2F001%2Fo  On return to SFDC

the retURL parameter is      retURL=%2F001%2Fo

Therefore the same.


For Outlook Plug In


On return to SFDC the retURL parameter is   retURL=%2Fsetup%2Fsecur%2FRemoteAccessAuthorizationPage.apexp%3Fdisplay%3Dpopup

The RelayState parameters at least do seem to return the same values as they were sent although the returned URL is always encoded. Do these seem correct to you also or is the oauth_consumer_key error received in chatter likely to be related to this somehow?

Thanks for the help! 


We're actually sending all those to you with URL encoding, so it may be an issue with the way you're tracing things.


The RelayState you're reporting for Salesforce for Outlook is actually incomplete -  we'd have sent you more than that...there are multiple http parameters that get passed.  Dropping up the url encoding at some point on your end is likely causing you to loose one of those parameters