
IDPWebBrowserSSOValve and IDPFilter are decoding the relaystate


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version: PLINK_2.6.0.CR2
    • Affects Version: None
    • Component: SAML
    • Labels: None

      The AbstractIDPBrowserValve and IDPFilter are decoding the RelayState.
      According to section 5.1.2 of the SAML Technical Overview: "If the IdP received a RelayState value from the SP, it must return it unmodified to the SP in a hidden form control named RelayState."
      http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings

      The relevant code change is in these methods:
      populateSessionWithSAMLParameters()
      handleUnauthorizedResponse()

          if (isNotNull(relayState)) {
              relayState = RedirectBindingUtil.urlDecode(relayState);
          }
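      As an added example (not PicketLink code), the following Java class shows what the extra decode does to a RelayState that legitimately contains percent-escapes, and the pass-through behaviour the spec requires, with the value HTML-attribute-escaped only at the point where it is written into the hidden form control. The class and method names are hypothetical, and the sample RelayState value is constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/*
 * Added example, not PicketLink code. Demonstrates why an IdP must not
 * URL-decode RelayState before echoing it to the SP, and how to embed the
 * unmodified value in the POST binding's hidden form control.
 */
public class RelayStateEcho {

    // The behaviour reported in the issue: decode the value before returning it.
    // If the value came from request.getParameter(), the servlet container has
    // already decoded it once, so this is a second decode that alters any value
    // containing '%' or '+'.
    static String buggyRelayState(String relayState) {
        if (relayState != null) {
            relayState = URLDecoder.decode(relayState, StandardCharsets.UTF_8);
        }
        return relayState;
    }

    // What the spec requires: the IdP returns the value exactly as received.
    static String correctRelayState(String relayState) {
        return relayState;
    }

    // Escaping for placement inside an HTML attribute. This protects the form
    // markup from a hostile value; the browser unescapes it on submit, so the SP
    // still receives the original RelayState unmodified.
    static String htmlAttributeEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The hidden form control named RelayState for the auto-submitted POST form.
    static String hiddenRelayStateControl(String relayState) {
        return "<input type=\"hidden\" name=\"RelayState\" value=\""
                + htmlAttributeEscape(relayState) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample: an SP that stores a return URL with its own query
        // string in RelayState, so the value legitimately contains %2F, %3F, %3D, %2B.
        String fromSp = "https://sp.example/app?next=%2Fdocs%3Fq%3Da%2Bb";

        System.out.println("received : " + fromSp);
        // The decoded form no longer matches what the SP issued, so the SP
        // cannot correlate or safely redirect to it.
        System.out.println("buggy    : " + buggyRelayState(fromSp));
        System.out.println("correct  : " + correctRelayState(fromSp));
        System.out.println(hiddenRelayStateControl(correctRelayState(fromSp)));
    }
}
```

      Running the class prints the received value, the altered value produced by the extra decode (the percent-escapes are expanded, so the SP sees a different string), the unchanged value, and the hidden input element that carries it back to the SP.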

              Assignee: Anil Saldanha (Inactive)
              Reporter: Anil Saldanha (Inactive)