
Encoding RelayState to enable it to pass URL validation results in double-encoding when it is sent to the SP

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0
    • Fix Version/s: None
    • Component/s: SAML
    • Environment:
      OpenAM acting as an IDP
    • Sprint:
      AM Sustaining Sprint 43
    • Story Points:
      2
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Bug description

      OpenAM acting as an IDP and receiving a URL-encoded RelayState parameter results in the RelayState being double-encoded when the assertion is posted to the SP.

      How to reproduce the issue

      Set up OpenAM as an IDP and use the IDP-initiated SAML2 flow, passing a RelayState parameter that has already been URL-encoded.


      Code analysis

      For one flow in com.sun.identity.saml2.profile.IDPSSOUtil#sendResponseArtifact there is:

      if ((relayState != null) && (relayState.trim().length() != 0)) {
          redirectURL += "&RelayState=" + URLEncDec.encode(relayState);
      }

      And com.sun.identity.saml2.common.SAML2Utils#postToTarget calls:

      ESAPI.encoder().encodeForHTML(relayStateValue)


      Either of these may be contributing to the problem if RelayState is already encoded.
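      The following is an added example, not OpenAM code: it models the two encoding steps named in the code analysis (URL-encoding for the artifact redirect, HTML-escaping for the POST form) with Python's standard library, and shows that a raw RelayState round-trips to the SP unchanged while a RelayState the caller has already URL-encoded arrives still encoded. The base URL and RelayState values are constructed.

```python
"""Added example (not OpenAM's own code): models the RelayState handling described
in OPENAM-11932 to show where the double encoding comes from."""
from html import escape, unescape
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed artifact-binding URL; the real one is built by IDPSSOUtil#sendResponseArtifact.
SP_ARTIFACT_URL = "https://sp.example.com/acs?SAMLart=CONSTRUCTED_ARTIFACT"


def idp_redirect_url(base_url: str, relay_state: str) -> str:
    """Models the redirect flow: the IDP URL-encodes RelayState exactly once."""
    if relay_state is not None and relay_state.strip():
        return base_url + "&RelayState=" + quote(relay_state, safe="")
    return base_url


def sp_relay_state_from_redirect(url: str) -> str:
    """Models the SP side: a standard query parser URL-decodes RelayState once."""
    return parse_qs(urlsplit(url).query)["RelayState"][0]


def idp_post_form_value(relay_state: str) -> str:
    """Models SAML2Utils#postToTarget's encodeForHTML: the value is HTML-escaped for
    a hidden input field, which is a different encoding from URL-encoding."""
    return escape(relay_state, quote=True)


def sp_relay_state_from_post(form_value: str) -> str:
    """The browser un-escapes the entities when it submits the form, so the SP
    receives the value the IDP put into the field, not an HTML-escaped copy."""
    return unescape(form_value)


def caller_pre_encodes(relay_state: str) -> str:
    """The misuse the ticket describes: URL-encoding RelayState before handing it
    to the IDP, which then encodes it a second time."""
    return quote(relay_state, safe="")


def still_url_encoded(received: str) -> bool:
    """Defender-side check on what the SP received: if one more URL-decode changes
    the value, the caller most likely pre-encoded it. Heuristic only: a raw value
    containing a literal '%' followed by two hex digits also trips it."""
    return unquote(received) != received


if __name__ == "__main__":
    raw = "https://app.example.com/return?next=/home&x=1"  # constructed RelayState
    print(sp_relay_state_from_redirect(idp_redirect_url(SP_ARTIFACT_URL, raw)) == raw)
    twice = idp_redirect_url(SP_ARTIFACT_URL, caller_pre_encodes(raw))
    print(still_url_encoded(sp_relay_state_from_redirect(twice)))
```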


            People

            • Assignee:
              markdr Mark de Reeper
              Reporter:
              markdr Mark de Reeper