Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-11956

SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0
    • Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
    • Component/s: SAML
    • Labels:
    • Environment:
      SAML2 setup using RelayState values that are not URL based.
    • Sprint:
      AM Sustaining Sprint 43, AM Sustaining Sprint 44
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description

      Description

      Bug description

      Since --OPENAM-7063--, the RedirectUrlValidator (used by SAML2 to validate RelayState values) always checks the value as being a valid URI before checking if validation has been enabled. The RelayState is not required to be a URL, from the SAML2 spec:

      The RelayState token is an opaque reference to state information maintained at the service provider.
      

      This is also validated by our documentation that states: If you do not specify any URLs in this property, AM does not validate the RelayState parameter.

      How to reproduce the issue

      Setup a SAML2 federation and don't add any Relay State URL List entries when configuring the hosted IDP. Then pass a RelayState value that is not a URL, for example RPID=urn:example:healthcareportal

      Expected behaviour

      The SAML2 process to complete.

      Current behaviour

      You see messages in the Federation debug log like:

      ERROR: Error processing request 
      com.sun.identity.saml2.common.SAML2Exception: Invalid Relay State URL specified 
      at com.sun.identity.saml2.common.SAML2Utils.validateRelayStateURL(SAML2Utils.java:4206) 
      

      Work around

      Double encoding the RelayState value usually allows it to pass URI validation but you end up with a double encoded value at the other end of the process.

      Code analysis

      Look to move the check for any whitelist entries to be the first thing in the validation method but this may have some security implications:

      org.forgerock.$className.java
              if (patterns == null || patterns.isEmpty()) {
                  DEBUG.message("RedirectUrlValidator.isRedirectUrlValid:"
                          + " There are no patterns to validate the URL against, the goto URL {} is considered valid", url);
                  return true;
              }
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                markdr Mark de Reeper
                Reporter:
                markdr Mark de Reeper
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: