Hi Francesco,

On Thu, Aug 17, 2017 at 2:10 PM, Francesco Chicchiriccò <[email protected]> wrote:

> Hi Colm,
> at the moment the relay state as signed JWT is used to hold [1]:
>
> * the preference to use the (non-standard?) deflate encoding - which might
> be omitted, we could just take such setting from IdP configuration
> * the AuthnRequest ID, for later checking the login response [2]
> * the duration, for expiration
>
> Out of such three items, I would only keep the second but I'd rather
> prefer to be relatively sure that it was not tampered with, when it comes
> back for [2]: any alternative to use a signed JWT for such purpose?

I agree that we don't need the information about deflate encoding in there.

The alternative to sending the token is to cache the values locally (could use EhCache, which is what we do with CXF, or store them in the session I guess) keyed using a random String which is then the RelayState. What do you think about switching to this approach?

Colm.

> Regards.
>
> [1] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L327-L329
> [2] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L408
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
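An added sketch of the cache-keyed alternative discussed above (example code, not Syncope's own): the RelayState becomes a random opaque string, and the AuthnRequest ID and expiry stay server-side, so the value the IdP echoes back carries nothing that needs signing and cannot be tampered with usefully. The class name, the in-memory map standing in for EhCache or the session, and the single-use semantics are assumptions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side store mapping an opaque RelayState to the AuthnRequest ID it was issued for. */
public class RelayStateStore {
    private record Entry(String authnRequestId, Instant expiresAt) { }

    private final SecureRandom random = new SecureRandom();
    // Hypothetical in-memory map; EhCache or the HTTP session would take its place in practice.
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final Duration ttl;

    public RelayStateStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Issues a fresh, unguessable RelayState and remembers which AuthnRequest it belongs to. */
    public String issue(String authnRequestId) {
        byte[] bytes = new byte[32]; // 256 bits from a CSPRNG: not guessable, not forgeable
        random.nextBytes(bytes);
        String relayState = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        entries.put(relayState, new Entry(authnRequestId, Instant.now().plus(ttl)));
        return relayState;
    }

    /** Consumes the RelayState returned by the IdP and yields the expected AuthnRequest ID
     *  (to compare with the Response's InResponseTo), or empty if unknown, expired or reused. */
    public Optional<String> consume(String relayState) {
        if (relayState == null) {
            return Optional.empty();
        }
        Entry entry = entries.remove(relayState); // single use: a replayed RelayState is rejected
        if (entry == null || Instant.now().isAfter(entry.expiresAt())) {
            return Optional.empty();
        }
        return Optional.of(entry.authnRequestId());
    }

    /** Drops expired entries; run periodically so abandoned logins do not accumulate. */
    public void evictExpired() {
        Instant now = Instant.now();
        entries.values().removeIf(e -> now.isAfter(e.expiresAt()));
    }
}
```

The caller still compares the returned AuthnRequest ID against the SAML Response's InResponseTo; the store only replaces the signed JWT as the carrier of that expectation.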
