On 30/08/2017 19:01, Colm O hEigeartaigh wrote:
Hi Francesco,

On Thu, Aug 17, 2017 at 2:10 PM, Francesco Chicchiriccò <ilgro...@apache.org> 
wrote:

Hi Colm,
at the moment the relay state as signed JWT is used to hold [1]:

* the preference to use the (non-standard?) deflate encoding - which might
be omitted, we could just take such setting from IdP configuration
* the AuthnRequest ID, for later checking the login response [2]
* the duration, for expiration

Out of these three items, I would only keep the second, but I'd prefer
to be relatively sure that it was not tampered with when it comes
back for [2]: is there any alternative to using a signed JWT for this purpose?
I agree that we don't need the information about deflate encoding in there.
The alternative to sending the token is to cache the values locally (could
use EhCache, which is what we do with CXF, or store them in the session I
guess) keyed using a random String which is then the RelayState. What do
you think about switching to this approach?

What I don't really like here is the additional setup that would be needed.
The only alternative I can see is to create an Entity to store such RelayState values in the internal storage, with a job that periodically cleans up the expired ones.

WDYT?

Anyway, I see several SAML 2.0 implementations out there not enforcing the 80-char limit: would removing all but the AuthnRequest ID from the current JWT-based RelayState be an acceptable compromise?

Regards.

[1] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L327-L329
[2] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L408

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
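The cache-keyed-by-random-string approach Colm describes above, written out as an added example (this is illustrative code, not Syncope or CXF code, and the class and method names are hypothetical). It assumes an in-memory map standing in for EhCache, the session, or the Entity-plus-cleanup-job variant Francesco mentions; the points it shows are that the RelayState sent to the IdP carries nothing but an opaque random key (43 characters, under the 80-char limit), that the AuthnRequest ID and expiry never leave the SP so there is nothing to sign or tamper with, and that the entry is consumed on first use so a replayed or unknown RelayState is rejected:

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical SP-side RelayState store (example code, not Syncope's own).
 * The RelayState itself is an opaque random key; the AuthnRequest ID and
 * the expiry stay on the SP side instead of travelling in a signed JWT.
 */
public final class RelayStateStore {

    /** What the SP keeps for each outstanding AuthnRequest. */
    record Entry(String authnRequestId, Instant expiresAt) { }

    private static final SecureRandom RANDOM = new SecureRandom();

    // Stand-in for EhCache / HTTP session / an internal-storage Entity.
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final Duration ttl;

    public RelayStateStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Called when building the AuthnRequest: 32 random bytes, base64url -> 43 chars, well under 80. */
    public String issue(String authnRequestId) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String relayState = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(relayState, new Entry(authnRequestId, Instant.now().plus(ttl)));
        return relayState;
    }

    /**
     * Called when the SAML Response arrives. The entry is removed on lookup
     * (single use), and an unknown or expired RelayState yields empty. The
     * caller then compares the returned ID with the Response's InResponseTo.
     */
    public Optional<String> consume(String relayState) {
        if (relayState == null) {
            return Optional.empty();
        }
        Entry entry = entries.remove(relayState);
        if (entry == null || Instant.now().isAfter(entry.expiresAt())) {
            return Optional.empty();
        }
        return Optional.of(entry.authnRequestId());
    }

    /** The periodic cleanup job: drops entries whose login flow never completed. */
    public int evictExpired() {
        Instant now = Instant.now();
        int before = entries.size();
        entries.values().removeIf(e -> now.isAfter(e.expiresAt()));
        return before - entries.size();
    }

    public static void main(String[] args) throws InterruptedException {
        RelayStateStore store = new RelayStateStore(Duration.ofMinutes(5));
        String relayState = store.issue("_a1b2c3d4");            // constructed AuthnRequest ID
        System.out.println("RelayState length: " + relayState.length());

        // Response comes back with the RelayState we issued: ID is recovered once...
        System.out.println(store.consume(relayState));
        // ...a second presentation, or a RelayState we never issued, is rejected.
        System.out.println(store.consume(relayState));
        System.out.println(store.consume("not-issued-by-this-sp"));

        // Abandoned flows expire and are swept by the cleanup job.
        RelayStateStore shortLived = new RelayStateStore(Duration.ofMillis(10));
        shortLived.issue("_abandoned");
        Thread.sleep(50);
        System.out.println("evicted: " + shortLived.evictExpired());
    }
}
```

The store must be shared by whichever SP node handles the Response, which is the extra setup Francesco objects to: with a single node an in-memory map is enough, whereas a clustered SP needs a distributed cache or the Entity-based variant. The single-use removal in consume() is a choice of this example rather than something the thread specifies; it is what turns the lookup into a replay check as well as a tampering check.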
