[OPENAM-11956] SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec
Created: 17/Oct/17
Updated: 17/Apr/19
Resolved: 29/Oct/17

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0
Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2

Type: Bug
Priority: Major
Reporter: Mark de Reeper
Assignee: Mark de Reeper
Resolution: Fixed
Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

SAML2 setup using RelayState values that are not URL based.


Issue Links:
Relates: is related to OPENAM-3202 "RelayState is validated as a URL" (Resolved)
Sprint: AM Sustaining Sprint 43, AM Sustaining Sprint 44
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same as in the description

Description

Bug description

Since OPENAM-7063, the RedirectUrlValidator (used by SAML2 to validate RelayState values) always checks that the value is a valid URI before checking whether validation has been enabled, i.e. whether any whitelist patterns are configured. The RelayState is not required to be a URL; from the SAML2 spec:

The RelayState token is an opaque reference to state information maintained at the service provider.

Our documentation also confirms this; it states: "If you do not specify any URLs in this property, AM does not validate the RelayState parameter."

How to reproduce the issue

Set up a SAML2 federation without adding any Relay State URL List entries when configuring the hosted IDP. Then pass a RelayState value that is not a URL, for example RPID=urn:example:healthcareportal.

Expected behaviour

The SAML2 flow completes.

Current behaviour

You see messages in the Federation debug log like:

ERROR: Error processing request 
com.sun.identity.saml2.common.SAML2Exception: Invalid Relay State URL specified 
at com.sun.identity.saml2.common.SAML2Utils.validateRelayStateURL(SAML2Utils.java:4206) 

Workaround

Double encoding the RelayState value usually allows it to pass URI validation, but you end up with a double-encoded value at the other end of the process.

Code analysis

One option is to move the check for whitelist entries to the start of the validation method, although this may have security implications:

org.forgerock.$className.java
        if (patterns == null || patterns.isEmpty()) {
            DEBUG.message("RedirectUrlValidator.isRedirectUrlValid:"
                    + " There are no patterns to validate the URL against, the goto URL {} is considered valid", url);
            return true;
        }
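
The ordering problem above, as an added example (not OpenAM's own code): a stand-in for the java.net.URI parse, the check order the ticket reports, the reordered version suggested under "Code analysis", and the double-encoding workaround. The sample RelayState values, the glob-style pattern matching and the approximate URI parser are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import quote, unquote

# Constructed sample RelayState values (not taken from any real deployment).
OPAQUE_TOKEN = "RPID=urn:example:healthcareportal"  # opaque reference, per the spec
SP_RETURN_URL = "https://sp.example.com/app/return"
OTHER_URL = "https://other.example.net/landing"

_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")
_URI_CHARS = re.compile(r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")

def parses_as_uri(value: str) -> bool:
    """Approximation (assumption) of java.net.URI parsing: only URI characters are
    allowed, and a ':' before any '/', '?' or '#' must follow a valid scheme name.
    'RPID=urn:...' fails because 'RPID=urn' is not a legal scheme."""
    if not _URI_CHARS.fullmatch(value):
        return False
    head = re.split(r"[/?#]", value, maxsplit=1)[0]
    if ":" in head:
        return _SCHEME.fullmatch(head.split(":", 1)[0]) is not None
    return True

def is_valid_as_reported(relay_state: str, patterns: list[str]) -> bool:
    """Order the ticket describes: URI syntax is checked before the pattern list,
    so the 'no patterns configured' branch never helps an opaque token."""
    if not parses_as_uri(relay_state):
        return False
    if not patterns:
        return True
    return any(fnmatchcase(relay_state, p) for p in patterns)

def is_valid_whitelist_first(relay_state: str, patterns: list[str]) -> bool:
    """Reordering from 'Code analysis': an empty list means no validation at all;
    with patterns configured the value must still parse and match one of them.
    Glob-style patterns are an assumption of this example."""
    if not patterns:
        return True
    if not parses_as_uri(relay_state):
        return False
    return any(fnmatchcase(relay_state, p) for p in patterns)

def double_encode_workaround(relay_state: str) -> tuple[str, bool]:
    """Workaround from the ticket: percent-encode twice. After the container's
    single decode the validator sees a still-encoded string with no bare ':' or '=',
    so it parses, but that encoded form is what arrives at the far end."""
    seen_by_validator = unquote(quote(quote(relay_state, safe=""), safe=""))
    return seen_by_validator, parses_as_uri(seen_by_validator)
```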


Comments
Comment by Mark de Reeper [ 29/Oct/17 ]

The fix was to remove the RelayState validation step from the IDP-initiated flow and leave it up to the SP to validate the RelayState.
