[OPENAM-11956] SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec Created: 17/Oct/17 Updated: 17/Apr/19 Resolved: 29/Oct/17
|Affects Version/s:||11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0|
|Fix Version/s:||13.5.2, 6.0.0, 14.1.2, 5.5.2|
|Reporter:||Mark de Reeper||Assignee:||Mark de Reeper|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
SAML2 setup using RelayState values that are not URL-based.
|Sprint:||AM Sustaining Sprint 43, AM Sustaining Sprint 44|
|Support Ticket IDs:|
|Needs QA verification:||
|Are the reproduction steps defined?:||
Yes, and I used the same as in the description.
This is also supported by our documentation, which states: If you do not specify any URLs in this property, AM does not validate the RelayState parameter.
Set up a SAML2 federation and do not add any Relay State URL List entries when configuring the hosted IDP. Then pass a RelayState value that is not a URL, for example RPID=urn:example:healthcareportal
The SAML2 process is expected to complete.
You see messages in the Federation debug log like:
Double encoding the RelayState value usually allows it to pass URI validation, but you end up with a double-encoded value at the other end of the process.
One option is to move the check for whitelist entries to be the first step in the validation method, although this may have security implications:
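The two validation orders discussed above, plus the double-encoding side effect, as an added Python illustration (this is not OpenAM's own code). The URL-first validator reproduces the reported behaviour: an opaque token such as RPID=urn:example:healthcareportal is rejected even when the Relay State URL List is empty. The list-first validator implements what the documentation promises: an empty list means no validation. Assumptions: a list entry is treated as matching when scheme and host agree (the real matching rule is not stated on this page), and the 80-byte cap comes from the SAML 2.0 Bindings specification rather than from the ticket.

```python
from typing import Sequence
from urllib.parse import quote, unquote, urlparse

# SAML 2.0 Bindings spec: a RelayState value MUST NOT exceed 80 bytes.
MAX_RELAY_STATE_BYTES = 80


def is_absolute_url(value: str) -> bool:
    """True if the value parses as an absolute http(s) URL with a host."""
    try:
        parts = urlparse(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _in_allow_list(value: str, allowed_urls: Sequence[str]) -> bool:
    # Assumption (not from the ticket): an entry matches on scheme + host.
    target = urlparse(value)
    return any(
        (target.scheme, target.netloc) == (urlparse(entry).scheme, urlparse(entry).netloc)
        for entry in allowed_urls
    )


def validate_url_first(relay_state: str, allowed_urls: Sequence[str]) -> bool:
    """Reported behaviour: the value must be a URL before the list is consulted,
    so non-URL RelayState values are always rejected."""
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return False
    if not is_absolute_url(relay_state):
        return False
    return not allowed_urls or _in_allow_list(relay_state, allowed_urls)


def validate_list_first(relay_state: str, allowed_urls: Sequence[str]) -> bool:
    """Documented behaviour: with no list entries the value is not validated
    (beyond the spec length cap); with entries it must be a listed URL."""
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return False
    if not allowed_urls:
        return True
    return is_absolute_url(relay_state) and _in_allow_list(relay_state, allowed_urls)


def double_encode(value: str) -> str:
    """The workaround from the ticket: percent-encode twice so the value
    survives a URL check ('%' becomes '%25' on the second pass)."""
    return quote(quote(value, safe=""), safe="")


def decode_once(value: str) -> str:
    """What the far end does: a single decode, leaving one layer of encoding."""
    return unquote(value)


if __name__ == "__main__":
    # Constructed sample input taken from the reproduction steps.
    token = "RPID=urn:example:healthcareportal"
    print("url-first, empty list :", validate_url_first(token, []))    # False
    print("list-first, empty list:", validate_list_first(token, []))   # True
    print("single decode of double-encoded value:", decode_once(double_encode(token)))
```

Running the block shows the same token rejected by the URL-first order and accepted by the list-first order, and that one decode of a double-encoded value still yields RPID%3Durn%3Aexample%3Ahealthcareportal rather than the original, which is the artefact the description mentions.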
|Comment by Mark de Reeper [ 29/Oct/17 ]|
The fix was to remove the RelayState validation step from the IDP-initiated flow and leave it up to the SP to validate the RelayState.