On 15/08/2017 11:38, Colm O hEigeartaigh wrote:
> Hi all,
> According to the SAML 2.0 binding spec:
> RelayState data MAY be included with a SAML protocol message transmitted
> with this binding. The value MUST NOT exceed 80 bytes in length
> However, the RelayState we are using in Syncope is a signed JWT, which has
> length 371. Perhaps we need to reconsider making it a signed token?
Hi Colm,
at the moment the relay state as signed JWT is used to hold [1]:
* the preference to use the (non-standard?) deflate encoding - which
might be omitted, we could just take such setting from IdP configuration
* the AuthnRequest ID, for later checking the login response [2]
* the duration, for expiration
Out of such three items, I would only keep the second but I'd rather
prefer to be relatively sure that it was not tampered with, when it
comes back for [2]: any alternative to use a signed JWT for such purpose?
Regards.
[1]
https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L327-L329
[2]
https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L408
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
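One alternative to the signed JWT that Francesco asks about, added here as an illustration and not code from Syncope: a compact RelayState that carries only the deflate flag, the AuthnRequest ID and an expiry, authenticated with an HMAC under a server-side key. The byte layout (1 + 16 + 4 + 32 bytes, 71 base64url characters) and the key are assumptions; the ID is derived from 16 random bytes so it can be rebuilt and compared against the response's InResponseTo.

```python
import base64, hashlib, hmac, os, struct, time

# Constructed layout (an assumption, not Syncope's format):
#   flags (1) | request id (16) | expiry as unix seconds (4) | HMAC-SHA256 tag (32)
# 53 raw bytes encode to 71 base64url characters, under the 80-byte RelayState limit.
_FLAG_DEFLATE = 0x01
_TAG_LEN = 32
_RAW_LEN = 1 + 16 + 4 + _TAG_LEN

def authn_request_id(raw_id):
    """SAML xs:ID form of the 16 id bytes (an xs:ID may not start with a digit)."""
    return "_" + raw_id.hex()

def build_relay_state(key, ttl_seconds, deflate, now=None, raw_id=None):
    """Return (relay_state, authn_request_id); the ID goes into the AuthnRequest."""
    raw_id = os.urandom(16) if raw_id is None else raw_id
    now = int(time.time()) if now is None else now
    flags = _FLAG_DEFLATE if deflate else 0
    body = bytes([flags]) + raw_id + struct.pack(">I", now + ttl_seconds)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    relay = base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode("ascii")
    return relay, authn_request_id(raw_id)

def verify_relay_state(key, relay_state, in_response_to, now=None):
    """Return (ok, deflate). ok is False on bad length, tampering, expiry or ID mismatch."""
    if not relay_state or len(relay_state) > 80:
        return False, False
    try:
        raw = base64.urlsafe_b64decode(relay_state + "=" * (-len(relay_state) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return False, False
    if len(raw) != _RAW_LEN:
        return False, False
    body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # check the MAC before trusting any field
        return False, False
    flags, raw_id = body[0], body[1:17]
    expiry = struct.unpack(">I", body[17:21])[0]
    now = int(time.time()) if now is None else now
    if now >= expiry:
        return False, False
    want = authn_request_id(raw_id).encode("utf-8")
    if not hmac.compare_digest(want, (in_response_to or "").encode("utf-8")):
        return False, False
    return True, bool(flags & _FLAG_DEFLATE)
```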