On 31/08/2017 11:33, Colm O hEigeartaigh wrote:
On Thu, Aug 31, 2017 at 7:51 AM, Francesco Chicchiriccò <[email protected]>
wrote:
Anyway, I see several SAML 2.0 implementations out there not enforcing the
80 chars limit: would removing all but the AuthnRequestID from the current
JWT-based Relay State be an acceptable compromise?
Yeah, let's just leave it for now. We can always revisit if becomes a
problem. +1 on removing the deflate encoding switch from the token. I'm not
sure about removing the expiration, it's probably a good idea to reject
stale RelayStates.
I remember now why the deflateEncoding info is in the Relay State: the
information is needed to read the SAML response [3], at a point where it
is not already possible to identify the IdP (from which one could fetch
the same flag).
About checking the Relay State expiration, the duration is currently set
to 5 seconds but I am afraid it is not currently verified during the
response validation.
Regards.
[1]
https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L327-L329
[2]
https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L408
[3]
https://github.com/apache/syncope/blob/master/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java#L150
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
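Added example (not Syncope's code and not from the thread): a stand-alone, stdlib-only sketch of a JWT-style Relay State that carries exactly the three things discussed above, the AuthnRequestID, the deflateEncoding flag, and a 5-second expiration, together with the response-side check that rejects a stale or tampered token and a check against the 80-character RelayState limit. The HS256 key, claim names and sample request ID are constructed for the example; a real SP would use its configured JWS key and the project's own claim layout.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example; a real SP signs the relay state with its own JWS key.
SECRET = b"example-relay-state-key"
RELAY_STATE_TTL_SECONDS = 5   # the 5-second duration mentioned in the thread
RELAY_STATE_MAX_LEN = 80      # RelayState size limit from the SAML 2.0 Bindings spec


class RelayStateError(ValueError):
    """Raised when a relay state is malformed, forged or stale."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def build_relay_state(authn_request_id: str, deflate_encoding: bool, now: int = None) -> str:
    """Mint a compact HS256 token holding the AuthnRequest ID, the deflate flag and an exp claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "jti": authn_request_id,          # the AuthnRequestID (hypothetical claim name)
        "deflate": deflate_encoding,      # needed before the IdP can be identified
        "iat": now,
        "exp": now + RELAY_STATE_TTL_SECONDS,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def verify_relay_state(token: str, now: int = None):
    """Check signature first, then exp; return (authn_request_id, deflate_encoding)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        given_sig = _b64url_decode(sig_b64)
    except ValueError:
        raise RelayStateError("malformed relay state")
    expected_sig = _sign(f"{header_b64}.{claims_b64}")
    if not hmac.compare_digest(expected_sig, given_sig):
        raise RelayStateError("bad signature")
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        raise RelayStateError("malformed claims")
    # RFC 7519: the current time must be strictly before exp; a missing exp is rejected too.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise RelayStateError("stale relay state")
    if "jti" not in claims or "deflate" not in claims:
        raise RelayStateError("missing claims")
    return claims["jti"], bool(claims["deflate"])


def relay_state_error(token: str, now: int = None):
    """Convenience wrapper: the rejection reason, or None when the token is acceptable."""
    try:
        verify_relay_state(token, now)
    except RelayStateError as exc:
        return str(exc)
    return None


def fits_relay_state_limit(token: str) -> bool:
    """The interoperability concern from the thread: does the token fit in 80 characters?"""
    return len(token) <= RELAY_STATE_MAX_LEN


if __name__ == "__main__":
    tok = build_relay_state("_abc123", True, now=1000)
    print(len(tok), "chars, within 80-char limit:", fits_relay_state_limit(tok))
    print("at t=1004:", relay_state_error(tok, now=1004))
    print("at t=1005:", relay_state_error(tok, now=1005))
```

The ordering matters on the verification side: the signature is checked before any claim is parsed, so an attacker cannot influence the exp comparison by editing the payload, and exp is compared with the clock at response-validation time, which is the step the reply says is not currently performed. Even with only three claims the token is roughly twice the 80-character limit, which is the compromise the thread is weighing.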