
Missing RelayState query parameter in the AM redirect to fedlet application

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.5.3, 7.0.0, 5.5.2
    • Component/s: SAML
    • Labels:
    • Needs backport: Yes
    • Verified Version/s:

      Description

      We may have found a regression related to SAML RelayState.

      It’s working in 6.5.2, but not anymore in the latest 7.0.0 (something was broken between March and now).

      We’ve found that after an SP-initiated SSO authentication request (login successful), when AM redirects back to the fedlet (/saml/fedletapplication) with the SAML Response (it contains encrypted assertions, so it should not be an error response), that redirect no longer contains the RelayState parameter, so we end up doing our own final redirection to a default page (not the expected one).

      SP-initiated SSO from IG redirects to this URL:

      http://openig.example.com:8081/api/saml/SPInitiatedSSO?RelayState=${urlEncode(request.uri)}&bindings=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST

      There is a variable here because I took it from the IG config, but the real redirect has a properly encoded URI in its place (the final goto).

      On the AM login page, I get that URL in the navigator bar in my browser:

      http://openam.example.com:8083/openam/XUI/
          ?realm=/
          &forward=true
          &spEntityID=SPOne
          &goto=/SSORedirect/metaAlias/idp
              ?ReqID%3Ds22ae1179388dd1f463ccc03c6bacfeeaebab40495
              %26index%3Dnull
              %26acsURL%3Dhttp://openig.example.com:8081/api/saml/fedletapplication
              %26spEntityID%3DSPOne
              %26binding%3Durn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
          &AMAuthCookie=#login/

      (decomposed for readability); at this point there is no RelayState anymore (but we have a request ID, so maybe AM keeps that value somehow in a session...)

      And the final redirect to /fedletapplication (after successful authn) contains SAMLResponse and a strange query parameter called s220c4ed1cabfec4a4c8b9da522d1d8ced784635f2...
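As an added example (not part of this ticket, and not AM, IG or fedlet code), the following Python walks the two redirects quoted in the description, reports at which hop the RelayState value is no longer present (it also looks inside AM's nested goto parameter), and shows the fallback a fedlet-style SP applies when RelayState arrives missing: only a relative path on the SP is honoured, anything else lands on the default page. The sample URLs are constructed from the ones above; the RelayState value /protected/page stands in for the ${urlEncode(request.uri)} expression, and the hop names are assumptions.

```python
"""Trace where RelayState is lost across the SP-initiated SSO hops in this ticket."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs, built from the two redirects quoted in the ticket.
# "/protected/page" stands in for the IG expression ${urlEncode(request.uri)}.
SP_INITIATED_URL = (
    "http://openig.example.com:8081/api/saml/SPInitiatedSSO"
    "?RelayState=%2Fprotected%2Fpage"
    "&bindings=urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Abindings%3AHTTP-POST"
)

# The AM login-page URL from the ticket, with its nested (percent-encoded) goto value.
AM_LOGIN_URL = (
    "http://openam.example.com:8083/openam/XUI/"
    "?realm=/&forward=true&spEntityID=SPOne"
    "&goto=/SSORedirect/metaAlias/idp"
    "?ReqID%3Ds22ae1179388dd1f463ccc03c6bacfeeaebab40495"
    "%26index%3Dnull"
    "%26acsURL%3Dhttp://openig.example.com:8081/api/saml/fedletapplication"
    "%26spEntityID%3DSPOne"
    "%26binding%3Durn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "&AMAuthCookie=#login/"
)

# Hop names are assumptions made for this example.
HOPS = {"ig_sp_initiated": SP_INITIATED_URL, "am_login_page": AM_LOGIN_URL}


def query_params(url):
    """Return the (percent-decoded) query parameters of a URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def relay_state_in(url):
    """Return the RelayState carried by a URL, or None if it is absent.

    AM tucks the SSORedirect URL into the login page's 'goto' parameter, so the
    embedded URL is decoded and searched as well.
    """
    params = query_params(url)
    if "RelayState" in params:
        return params["RelayState"]
    if "goto" in params:
        return relay_state_in(params["goto"])
    return None


def trace_relay_state(hops):
    """Map each hop name to the RelayState it carries (None where it was lost)."""
    return {name: relay_state_in(url) for name, url in hops.items()}


def resolve_landing(relay_state, default="/"):
    """SP-side choice of the post-login page.

    Only a relative path on the SP itself is honoured; an absent value (the
    symptom in this ticket), an absolute URL or a protocol-relative '//host'
    value falls back to the application's default page.
    """
    if not relay_state:
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc or not relay_state.startswith("/"):
        return default
    return relay_state


if __name__ == "__main__":
    for name, value in trace_relay_state(HOPS).items():
        print(f"{name}: RelayState={value!r} -> landing {resolve_landing(value)!r}")
```

Run as a script it prints one line per hop; the IG hop still carries /protected/page while the AM login-page URL, goto included, carries only ReqID, index, acsURL, spEntityID and binding, which matches the observation in the description. The relative-path rule in resolve_landing is the usual SP-side treatment of RelayState: the value is attacker-influenceable by design, so it is used only to pick a page on the SP, never as an arbitrary redirect target.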


      People

      • Assignee: Peter Major (peter.major, inactive)
      • Reporter: Guillaume Sauthier (guillaume.sauthier)
      • Votes: 0
      • Watchers: 8


      Time Tracking

      • Original Estimate: Not Specified
      • Remaining Estimate: 0h
      • Time Spent: 0.5h