OpenAM / OPENAM-11477

SLO through IDP Proxy loses the RelayState

    Details

    • Type: Bug
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.0.0
    • Fix Version/s: None
    • Component/s: SAML
    • Sprint: AM Sustaining Sprint 42, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47
    • Story Points: 3

      Description

      Bug description

      Under certain circumstances, performing an SLO with a RelayState parameter will invalidate the necessary sessions, but the parameter will be lost along the way, so no redirect occurs.

      How to reproduce the issue

      Configure SP1, SP2, an IDP-proxy, and an IDP, all in the same COT (circle of trust).

      1.
      SP-initiated SSO from SP1 -> Proxy -> IDP
      Authenticate
      SP1 <- Proxy <- IDP
      Success

      2. (skip the proxy this time)
      SP-initiated SSO from SP2 -> IDP
      SP2 <- IDP
      Success
      (No need to authenticate again here)

      3.
      Do the SLO
      spSingleLogout from SP2 -> IDP

      spSingleLogoutInit.jsp?&idpEntityID=idp&RelayState=http%3A%2F%2Fwww.google.com

      All session participants are logged out.

      LogoutRequest goes:
      SP2 -> IDP -> Proxy -> SP1 -> Proxy -> IDP -> SP2

      In the Proxy -> SP1 step, however, the RelayState parameter has disappeared, so we eventually end up at the "SP initiated single logout succeeded." page.

      In the IDP-Proxy server logs, we receive the LogoutRequest from the IDP:

      libSAML2:08/03/2017 01:34:31:287 PM BST: Thread[http-bio-38080-exec-6,5,main]: TransactionId[1c9b6473-e35c-4758-8af3-c0356700acb0-139]
      processLogoutRequest : relayState : s29dd602f3e0a64080a23c46cb1711b4fd46db107a

      And send a new one to SP1:

      libSAML2:08/03/2017 01:34:31:297 PM BST: Thread[http-bio-38080-exec-6,5,main]: TransactionId[1c9b6473-e35c-4758-8af3-c0356700acb0-139]
      LogoutUtil.doLogout: Entering ...
      requesterEntityID=proxy
      recipientEntityID=sp1
      binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
      relayState=null
      sessionIndex=s2095026affe89db4a065e0806ba678ffd7f52ae01

      Expected behaviour

      Redirected to the RelayState location.
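The logout chain from the steps above, modelled in Python (3.9+) as an added example; this is not OpenAM code and not the reporter's. The entity names, the message classes and the token-keyed RelayState store are assumptions chosen to mirror what the logs show: each IdP role (the IdP, and the proxy towards SP1) hands its own RelayState token downstream and can only recover the RelayState it was given if exactly that token is echoed back on the LogoutResponse. `preserve_relay_state=False` on the proxy reproduces the `relayState=null` call in the proxy log; `True` shows the chain with the RelayState carried through.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional, Union

_counter = count(1)  # deterministic ids/tokens (assumed format) so the trace is readable

def new_id(prefix: str) -> str:
    return f"{prefix}{next(_counter)}"

@dataclass
class LogoutRequest:
    id: str
    issuer: str

@dataclass
class LogoutResponse:
    in_response_to: str
    issuer: str

@dataclass
class Hop:
    """One HTTP-Redirect hop: the SAML message plus the RelayState query parameter."""
    to: str
    message: Union[LogoutRequest, LogoutResponse]
    relay_state: Optional[str]

class SP:
    """Plain SP: echoes RelayState unchanged; as initiator, records where the browser lands."""
    def __init__(self, name: str, idp: str):
        self.name, self.idp, self.landed = name, idp, None

    def init_logout(self, relay_state: str) -> list[Hop]:
        # Step 3 of the ticket: spSingleLogoutInit with a RelayState URL.
        return [Hop(self.idp, LogoutRequest(new_id("req"), self.name), relay_state)]

    def receive(self, hop: Hop) -> list[Hop]:
        if isinstance(hop.message, LogoutRequest):
            return [Hop(hop.message.issuer, LogoutResponse(hop.message.id, self.name), hop.relay_state)]
        # A real SP must validate RelayState (allow-list) before redirecting; the model only
        # records the destination. No RelayState means the default success page.
        self.landed = hop.relay_state or "SP initiated single logout succeeded."
        return []

class IdPRole:
    """IdP-side logout: fan out to the other participants, collect responses, answer the initiator."""
    def __init__(self, name: str, participants: list[str], trace: list, preserve_relay_state: bool = True):
        self.name, self.participants, self.trace, self.preserve = name, participants, trace, preserve_relay_state
        self.relay_by_token: dict[str, Optional[str]] = {}  # own token -> RelayState received
        self.txn: dict[str, dict] = {}  # outbound request id -> whom to answer, and when

    def receive(self, hop: Hop) -> list[Hop]:
        if isinstance(hop.message, LogoutRequest):
            return self._fan_out(hop.message, hop.relay_state)
        return self._collect(hop.message, hop.relay_state)

    def _fan_out(self, req: LogoutRequest, inbound_relay: Optional[str]) -> list[Hop]:
        others = [p for p in self.participants if p != req.issuer]
        token = None
        if self.preserve:  # keep the RelayState we were given, keyed by the token we send on
            token = new_id("s")
            self.relay_by_token[token] = inbound_relay
        state = {"initiator": req.issuer, "in_response_to": req.id, "outstanding": len(others)}
        hops = []
        for p in others:
            out = LogoutRequest(new_id("req"), self.name)
            self.txn[out.id] = state
            self.trace.append(f"{self.name} -> {p}: LogoutRequest relayState={token}")
            hops.append(Hop(p, out, token))
        return hops

    def _collect(self, resp: LogoutResponse, echoed_relay: Optional[str]) -> list[Hop]:
        state = self.txn.pop(resp.in_response_to)
        state["outstanding"] -= 1
        if state["outstanding"]:
            return []
        # The RelayState we received is recoverable only if our own token was echoed back.
        original = self.relay_by_token.pop(echoed_relay, None)
        self.trace.append(f"{self.name} -> {state['initiator']}: LogoutResponse relayState={original}")
        return [Hop(state["initiator"], LogoutResponse(state["in_response_to"], self.name), original)]

def run_slo(proxy_preserves_relay_state: bool) -> tuple:
    """Replay the ticket's SLO chain; return where SP2's browser lands plus the hop trace."""
    trace: list = []
    # Participants after steps 1 and 2: the IdP holds the proxy (for SP1) and SP2; the proxy holds SP1.
    idp = IdPRole("idp", ["proxy", "sp2"], trace)
    proxy = IdPRole("proxy", ["sp1"], trace, preserve_relay_state=proxy_preserves_relay_state)
    sp1, sp2 = SP("sp1", "proxy"), SP("sp2", "idp")
    entities = {"idp": idp, "proxy": proxy, "sp1": sp1, "sp2": sp2}
    queue = sp2.init_logout("http://www.google.com")
    while queue:  # SP2 -> IDP -> Proxy -> SP1 -> Proxy -> IDP -> SP2
        hop = queue.pop(0)
        queue.extend(entities[hop.to].receive(hop))
    return sp2.landed, trace

if __name__ == "__main__":
    for fixed in (False, True):
        landed, trace = run_slo(fixed)
        print(f"proxy preserves RelayState={fixed}: lands at {landed!r}\n  " + "\n  ".join(trace))
```

With the flag off the proxy sends `relayState=None` to SP1, gets nothing usable back, answers the IdP without the IdP's token, and SP2 ends on the default success page; with the flag on, the proxy stores the inbound RelayState before it issues its own downstream LogoutRequest and the RelayState URL survives the whole chain. Whatever fixes the real code path, the check to keep is that the proxy's LogoutResponse to the IdP carries exactly the RelayState the IdP sent it.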

            People

            • Assignee: sfraser (Sam Fraser)
            • Reporter: joe.starling (Joe Starling)
