
IDPWebBrowserSSOValve and IDPFilter are decoding the relaystate


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: PLINK_2.6.0.CR2
    • Component/s: SAML
    • Labels:
      None

      Description

      The AbstractIDPBrowserValve and IDPFilter are decoding the RelayState.
      Per section 5.1.2 of the SAML spec: "If the IdP received a RelayState value from the SP, it must return it unmodified to the SP in a hidden form control named RelayState."
      http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.2.SP-Initiated%20SSO:%20%20Redirect/POST%20Bindings

      The relevant code change is in the methods:
      populateSessionWithSAMLParameters()
      handleUnauthorizedResponse()

          // the decode at issue: the IdP must pass RelayState through unmodified
          if (isNotNull(relayState)) {
              relayState = RedirectBindingUtil.urlDecode(relayState);
          }
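      The following is an added example, not PicketLink code, showing why the extra decode matters. It models the SP-initiated round trip from section 5.1.2: the SP sends RelayState URL-encoded over the Redirect binding, the IdP echoes it in the POST binding form, and the browser posts it to the SP. It assumes (as with servlet getParameter) that the container has already URL-decoded query parameters once, so a second decode in the IdP handler corrupts any RelayState containing '%' or '+'. Host names, the 80-byte limit check (from SAML 2.0 Bindings section 3.4.3) and the sample values are the example's own.

```python
"""Added example (not PicketLink code): RelayState must round-trip unmodified.

Assumption: the container decodes the query string exactly once before the IdP
handler sees the parameters, mirroring HttpServletRequest.getParameter.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlencode

# Constructed sample values for the exchange (not real SAML messages).
SAMPLE_AUTHN_REQUEST_B64 = "PHNhbWxwOkF1dGhuUmVxdWVzdC8+"
SAMPLE_RESPONSE_B64 = "PHNhbWxwOlJlc3BvbnNlLz4="
MAX_RELAY_STATE_BYTES = 80  # SAML 2.0 Bindings 3.4.3: RelayState MUST NOT exceed 80 bytes


def sp_build_redirect(saml_request_b64: str, relay_state: str) -> str:
    """SP side, Redirect binding: both values travel URL-encoded in the query string."""
    return "https://idp.example/sso?" + urlencode(
        {"SAMLRequest": saml_request_b64, "RelayState": relay_state}
    )


def container_get_parameters(url: str) -> dict:
    """Model of the servlet container: decodes the query string exactly once."""
    query = url.split("?", 1)[1]
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def idp_relay_state_buggy(params: dict):
    """The behaviour this issue reports: a second decode of an already-decoded parameter."""
    rs = params.get("RelayState")
    return unquote(rs) if rs is not None else None


def idp_relay_state_fixed(params: dict):
    """Spec-conformant: hand back exactly what was received, after a size check only."""
    rs = params.get("RelayState")
    if rs is not None and len(rs.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        raise ValueError("RelayState exceeds 80 bytes")
    return rs


def idp_build_post_form(saml_response_b64: str, relay_state) -> str:
    """IdP side, POST binding. HTML attribute escaping is not a modification of the
    value: the browser unescapes it before submitting, so the SP gets the same bytes."""
    fields = (
        '<input type="hidden" name="SAMLResponse" '
        f'value="{html.escape(saml_response_b64, quote=True)}"/>'
    )
    if relay_state is not None:
        fields += (
            '<input type="hidden" name="RelayState" '
            f'value="{html.escape(relay_state, quote=True)}"/>'
        )
    return f'<form method="post" action="https://sp.example/acs">{fields}</form>'


def browser_submit_form(form_html: str) -> dict:
    """Minimal browser model: posts the hidden controls with attribute values unescaped."""
    posted = {}
    for name, value in re.findall(r'name="([^"]+)" value="([^"]*)"', form_html):
        posted[name] = html.unescape(value)
    return posted


def round_trip(relay_state: str, decode_at_idp: bool) -> str:
    """Return the RelayState the SP receives back for the given IdP behaviour."""
    url = sp_build_redirect(SAMPLE_AUTHN_REQUEST_B64, relay_state)
    params = container_get_parameters(url)
    rs = idp_relay_state_buggy(params) if decode_at_idp else idp_relay_state_fixed(params)
    form = idp_build_post_form(SAMPLE_RESPONSE_B64, rs)
    # The SP must match this value against state it issued itself; it is never a
    # trusted redirect target on its own.
    return browser_submit_form(form)["RelayState"]


if __name__ == "__main__":
    sample = "https://sp.example/return?next=a%2Bb&pct=50%25"
    print("fixed :", round_trip(sample, decode_at_idp=False))
    print("buggy :", round_trip(sample, decode_at_idp=True))
```

      With the sample value the fixed path returns the string the SP sent, while the buggy path turns `a%2Bb` into `a+b` and `50%25` into `50%`, so the SP can no longer match the value to the state it issued.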

              People

              • Assignee: Anil Saldanha (anil.saldhana)
              • Reporter: Anil Saldanha (anil.saldhana)