[OPENAM-15713] AM SP drop the 80 characters RelayState silently for HTTP Redirect Created: 25/Nov/19  Updated: 17/Jun/20  Resolved: 11/Mar/20

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 13.5.2, 5.5.1
Fix Version/s: 5.5.2, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Sam Phua Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 72
Story Points: 1
Needs backport:
Support Ticket IDs:
Needs QA verification:
Yes, No
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same as in the description


Bug description

The AM SP silently drops a RelayState longer than 80 characters for the HTTP-Redirect binding, because of a limit in the SAML specification.


The SAML specification mandates that the RelayState cannot be more than 80 characters. This is stated in the SAML 2.0 errata, item E1:


E1: Relay State for HTTP Redirect
Change [SAMLBind] Section 3.4.3 at lines 551-553 to reflect the fact that, indeed, the RelayState parameter is covered by the query string signature described in Section (DEFLATE encoding). Note that Section 3.5.3, which has similar original wording, remains correct for its case.
RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message.



Unless you know the SAML specifications well, you will not expect this: AM drops the RelayState silently, writes no debug message to the Federation log saying that it has been dropped, and that makes troubleshooting extremely hard. The check in AM is:



if (relayState != null && relayState.length() > 0
        && relayState.getBytes("UTF-8").length <= 80) {
    queryString.append("&").append(SAML2Constants.RELAY_STATE)
            .append("=").append(urlEncodeQueryParameterNameOrValue(relayState));
}
// There is no else branch: a RelayState longer than 80 UTF-8 bytes is simply
// omitted from the query string, and nothing is written to the Federation log.
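As an added example (this is not OpenAM's code), the same length check written so that the dropped branch is visible to an operator. The class, method and constant names are assumed, the sample values are constructed, and the `RelayState` parameter name is used literally in place of `SAML2Constants.RELAY_STATE`. It also shows why the check counts UTF-8 bytes rather than characters: a non-ASCII value is rejected well below 80 characters.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;

// Added example, not OpenAM code. RelayStateCheck, relayStateParam and
// MAX_RELAY_STATE_BYTES are assumed names; the logic mirrors the AM check
// quoted above but logs a warning instead of omitting the value silently.
public class RelayStateCheck {
    private static final Logger LOG = Logger.getLogger(RelayStateCheck.class.getName());

    // Limit from [SAMLBind] 3.4.3 / errata E1: RelayState MUST NOT exceed 80 bytes.
    static final int MAX_RELAY_STATE_BYTES = 80;

    /**
     * Returns the "&RelayState=..." query fragment for the HTTP-Redirect binding,
     * or an empty string when the value has to be omitted. The length check is on
     * UTF-8 bytes, not characters, exactly as in the AM code above.
     */
    static String relayStateParam(String relayState) {
        if (relayState == null || relayState.isEmpty()) {
            return "";
        }
        int byteLength = relayState.getBytes(StandardCharsets.UTF_8).length;
        if (byteLength > MAX_RELAY_STATE_BYTES) {
            // This is the branch the original code takes without saying anything.
            LOG.warning("Omitting RelayState from HTTP-Redirect request: " + byteLength
                    + " UTF-8 bytes (" + relayState.length() + " characters) exceeds the "
                    + MAX_RELAY_STATE_BYTES + "-byte limit of [SAMLBind] 3.4.3");
            return "";
        }
        return "&RelayState=" + URLEncoder.encode(relayState, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String ascii80 = "a".repeat(80);        // 80 chars, 80 bytes: kept
        String ascii81 = "a".repeat(81);        // 81 bytes: omitted, now with a log entry
        String umlaut41 = "\u00fc".repeat(41);  // 41 chars but 82 UTF-8 bytes: also omitted

        for (String candidate : new String[] {ascii80, ascii81, umlaut41}) {
            String param = relayStateParam(candidate);
            System.out.println(candidate.length() + " chars -> "
                    + (param.isEmpty() ? "omitted" : "kept"));
        }
    }
}
```

The example needs Java 11 or later (`String.repeat` and the `URLEncoder.encode(String, Charset)` overload). Running it prints `kept` for the 80-byte value and `omitted` for the other two, with a WARNING line on the logger for each omitted value; that log line is the only difference in observable behaviour from the AM check, and it is what the reporter is asking for.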


Generated at Thu Dec 03 09:52:58 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.