OPENAM-15713

AM SP silently drops a RelayState longer than 80 characters for HTTP Redirect

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.2, 5.5.1, 6.5.2.2
    • Fix Version/s: 5.5.2, 7.0.0, 6.5.3
    • Component/s: SAML
    • Labels:
    • Sprint:
      AM Sustaining Sprint 72
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      Yes, No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      AM SP silently drops a RelayState longer than 80 characters for HTTP Redirect, because of the SAML specification.


      The SAML specs mandate that the RelayState cannot be more than 80 characters. This is stated in
      http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.html


      E1: Relay State for HTTP Redirect
      Change [SAMLBind] Section 3.4.3 at lines 551-553 to reflect the fact that, indeed, the RelayState parameter is covered by the query string signature described in Section 3.4.4.1 (DEFLATE encoding). Note that Section 3.5.3, which has similar original wording, remains correct for its case.
      Original:
      RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message.
      
      Unless you are very knowledgeable about the SAML specifications, this is hard to diagnose: when AM drops this RelayState silently, there is no debug message in the Federation log saying that the RelayState has been dropped, and that makes troubleshooting extremely hard.

      LogoutUtil.java
      // Existing check in OpenAM's LogoutUtil: the RelayState is appended to the
      // HTTP-Redirect query string only when its UTF-8 length is at most 80 bytes;
      // otherwise it is left out, and nothing is logged.
      if (relayState != null && relayState.length() > 0
              && relayState.getBytes("UTF-8").length <= 80) {
          queryString.append("&").append(SAML2Constants.RELAY_STATE)
                  .append("=").append(urlEncodeQueryParameterNameOrValue(relayState));
      }
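      The following is an added example, not OpenAM's own code, illustrating the same check: the RelayState is appended to the redirect query string only when it fits, but a warning is logged when it is dropped instead of failing silently. It also shows why the limit is measured in UTF-8 bytes rather than characters (the errata text quoted above says 80 bytes): a 41-character string of "é" is 82 bytes and is dropped even though it is well under 80 characters. The example assumes Java 11 or later, uses java.net.URLEncoder in place of OpenAM's urlEncodeQueryParameterNameOrValue, and the class, constant and method names are hypothetical.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

// Added example, not OpenAM code. Appends RelayState to an HTTP-Redirect
// query string only when it fits the 80-byte limit of SAML 2.0 Bindings
// section 3.4.3, and logs a warning when it has to be dropped.
public class RelayStateCheck {
    private static final Logger LOG = Logger.getLogger(RelayStateCheck.class.getName());

    // Hypothetical constants; OpenAM uses SAML2Constants.RELAY_STATE for the parameter name.
    static final int MAX_RELAY_STATE_BYTES = 80;
    static final String RELAY_STATE_PARAM = "RelayState";

    /** Length in UTF-8 bytes, which is what the binding limits (not the char count). */
    static int utf8Length(String s) {
        return s.getBytes(StandardCharsets.UTF_8).length;
    }

    /**
     * Returns the query string with RelayState appended if it fits the limit.
     * If it does not fit, the query string is returned unchanged and a warning
     * is logged so the drop is visible when troubleshooting.
     */
    static String appendRelayState(String queryString, String relayState) {
        if (relayState == null || relayState.isEmpty()) {
            return queryString;
        }
        int len = utf8Length(relayState);
        if (len > MAX_RELAY_STATE_BYTES) {
            LOG.warning("RelayState dropped: " + len + " UTF-8 bytes exceeds the "
                    + MAX_RELAY_STATE_BYTES + "-byte limit of the HTTP-Redirect binding");
            return queryString;
        }
        // URLEncoder stands in for OpenAM's urlEncodeQueryParameterNameOrValue here.
        String encoded = URLEncoder.encode(relayState, StandardCharsets.UTF_8);
        return queryString + "&" + RELAY_STATE_PARAM + "=" + encoded;
    }

    public static void main(String[] args) {
        String base = "SAMLRequest=...";            // constructed placeholder query string
        String ascii79 = "a".repeat(79);            // 79 chars, 79 bytes: kept
        String ascii81 = "a".repeat(81);            // 81 chars, 81 bytes: dropped, warning logged
        String multibyte = "\u00e9".repeat(41);     // 41 chars, 82 bytes: dropped although under 80 chars

        System.out.println(appendRelayState(base, ascii79));
        System.out.println(appendRelayState(base, ascii81));
        System.out.println(appendRelayState(base, multibyte));
    }
}
```

      The third input is the case that confuses operators most: a RelayState that looks short enough passes a character-count check but fails the byte-length check that LogoutUtil actually applies, so any log message about the drop should report the byte length.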
      
            People

            • Assignee: Sachiko Wallace
            • Reporter: Sam Phua