[OPENAM-11477] SLO through IDP Proxy loses the RelayState Created: 03/Aug/17  Updated: 29/Jan/18  Resolved: 29/Jan/18

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 14.0.0
Fix Version/s: 12.0.5, 13.5.3, 6.0.0

Type: Bug Priority: Major
Reporter: Joe Starling Assignee: Sam Fraser
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 42, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47
Story Points: 3
Needs backport: No
Support Ticket IDs:
Needs QA verification: No
Functional tests: No
Are the reproduction steps defined?: Yes, and I used the same as in the description

Description

Bug description

Under certain circumstances, performing an SLO with a RelayState parameter will invalidate the necessary sessions, but the parameter will be lost along the way, so no redirect occurs.

How to reproduce the issue

Configure SP1, SP2, an IDP-proxy, and an IDP.
All in the same COT.

1.
SP-initiated SSO from SP1 -> Proxy -> IDP
Authenticate
SP1 <- Proxy <- IDP
Success

2. (skip the proxy this time)
SP-initiated SSO from SP2 -> IDP
SP2 <- IDP
Success
(No need to authenticate again here)

3.
Do the SLO
spSingleLogout from SP2 -> IDP

spSingleLogoutInit.jsp?&idpEntityID=idp&RelayState=http%3A%2F%2Fwww.google.com

All session participants are logged out.

LogoutRequest goes:
SP2 -> IDP -> Proxy -> SP1 -> Proxy -> IDP -> SP2

In the Proxy -> SP1 step, however, the RelayState parameter has disappeared, so we eventually end up at the "SP initiated single logout succeeded." page.

In the IDP-Proxy server logs, we receive the LogoutRequest from the IDP:

libSAML2:08/03/2017 01:34:31:287 PM BST: Thread[http-bio-38080-exec-6,5,main]: TransactionId[1c9b6473-e35c-4758-8af3-c0356700acb0-139]
processLogoutRequest : relayState : s29dd602f3e0a64080a23c46cb1711b4fd46db107a

And send a new one to SP1:

libSAML2:08/03/2017 01:34:31:297 PM BST: Thread[http-bio-38080-exec-6,5,main]: TransactionId[1c9b6473-e35c-4758-8af3-c0356700acb0-139]
LogoutUtil.doLogout: Entering ...
requesterEntityID=proxy
recipientEntityID=sp1
binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
relayState=null
sessionIndex=s2095026affe89db4a065e0806ba678ffd7f52ae01

Expected behaviour

Redirected to the RelayState location.
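The following Python model of the chained logout above is an added illustration, not OpenAM code and not part of the report. It assumes, as the opaque token `s29dd602f...` in the proxy log suggests, that every hop which has to log out a further participant keys its pending logout state by the RelayState it sends out and depends on the responder echoing that value back unchanged; how a hop finishes the chain when the echoed value cannot be correlated (the `relayState=null` case) is the model's own assumption, since the report does not say. Entity names (sp1, sp2, proxy, idp) and the RelayState URL follow the report; message shapes and tokens are constructed.

```python
"""Model of the chained SAML 2.0 single logout in OPENAM-11477 (added example,
not OpenAM code). A hop with further participants stores the inbound
LogoutRequest under a fresh opaque token and sends that token as the outbound
RelayState; the responder echoes it, which is how the hop finds its way back."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Msg:
    kind: str                    # "LogoutRequest" or "LogoutResponse"
    issuer: str
    destination: str
    relay_state: Optional[str]   # opaque to the receiver, echoed back as received
    in_response_to: Optional[str] = None
    msg_id: str = field(default_factory=lambda: "_" + secrets.token_hex(6))


class Entity:
    def __init__(self, name, participants=(), drop_relay_state=False):
        self.name = name
        self.participants = list(participants)    # entities sharing a session with us
        self.drop_relay_state = drop_relay_state  # True reproduces the proxy's behaviour
        self.pending = {}            # outbound RelayState token -> inbound LogoutRequest
        self.last_requester = None
        self.final_relay_state = None  # set on the SP that started the SLO

    def initiate(self, idp, relay_state):
        """SP-initiated SLO, as spSingleLogoutInit.jsp does with its RelayState."""
        return [Msg("LogoutRequest", self.name, idp, relay_state)]

    def on_request(self, req):
        self.last_requester = req.issuer
        targets = [p for p in self.participants if p != req.issuer]
        if not targets:  # nobody further to log out: answer, echoing RelayState
            return [Msg("LogoutResponse", self.name, req.issuer, req.relay_state,
                        in_response_to=req.msg_id)]
        out = []
        for target in targets:
            token = "s" + secrets.token_hex(20)   # correlation key, like s29dd602f... in the log
            self.pending[token] = req
            out.append(Msg("LogoutRequest", self.name, target,
                           None if self.drop_relay_state else token))
        return out

    def on_response(self, resp):
        req = self.pending.pop(resp.relay_state, None)
        if req is not None:
            if any(p is req for p in self.pending.values()):
                return []            # other participants still to answer for this request
            # Correlated: hand the original RelayState back up the chain.
            return [Msg("LogoutResponse", self.name, req.issuer, req.relay_state,
                        in_response_to=req.msg_id)]
        if self.last_requester is None:
            self.final_relay_state = resp.relay_state   # we started the SLO; chain is done
            return []
        # Uncorrelated response (RelayState lost). Model assumption: the hop still
        # answers whoever last asked it to log out, but only with what it received.
        return [Msg("LogoutResponse", self.name, self.last_requester, resp.relay_state)]


def build(proxy_drops_relay_state):
    """Sessions after steps 1 and 2 of the report: IDP holds sp2 and the proxy,
    the proxy (an SP toward IDP, an IdP toward SP1) holds sp1."""
    return {
        "sp1": Entity("sp1", ["proxy"]),
        "sp2": Entity("sp2", ["idp"]),
        "proxy": Entity("proxy", ["idp", "sp1"], drop_relay_state=proxy_drops_relay_state),
        "idp": Entity("idp", ["sp2", "proxy"]),
    }


def run_slo(entities, initiator, idp, relay_state):
    """Deliver messages hop by hop. Returns the hop trace and the RelayState the
    initiating SP ends up with (None means the 'single logout succeeded' page)."""
    queue = entities[initiator].initiate(idp, relay_state)
    trace = []
    while queue:
        m = queue.pop(0)
        trace.append((m.issuer, m.destination, m.kind, m.relay_state))
        dest = entities[m.destination]
        queue += dest.on_request(m) if m.kind == "LogoutRequest" else dest.on_response(m)
    return trace, entities[initiator].final_relay_state


def final_redirect(proxy_drops_relay_state):
    _, final = run_slo(build(proxy_drops_relay_state), "sp2", "idp", "http://www.google.com")
    return final


if __name__ == "__main__":
    for buggy in (True, False):
        trace, final = run_slo(build(buggy), "sp2", "idp", "http://www.google.com")
        print("proxy drops RelayState:" if buggy else "proxy keeps RelayState:")
        for hop in trace:
            print("  %s -> %s  %s  relayState=%s" % hop)
        print("  final:", final or '"SP initiated single logout succeeded." page')
```

Run it to see both chains: with `drop_relay_state=True` the hop list is the one in the report (SP2 -> IDP -> Proxy -> SP1 -> Proxy -> IDP -> SP2) and the Proxy -> SP1 hop carries `relayState=None`, after which no hop can correlate and SP2 is left with no redirect target; with the proxy keeping its token, SP1's echo lets the proxy restore the IDP's token, the IDP restores `http://www.google.com`, and SP2 is redirected there.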

