SX Spring Security Extension / SES-50

Support SAML RelayState containing Target URI when processing IdP-Initiated SSO

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None
    • Environment:
      All

      Description

      The SAML extension works as expected for IdP Initiated SSO with the exception that it does not respect a target-uri contained in the RelayState of the unsolicited Assertion. This means that applications using this method of authentication will always start on the 'defaultTargetURI' page defined in context.

      I worked around this by updating SAMLProcessingFilter to add the relay state to the request:

      if (samlMessageContext.getRelayState() != null) {
          String relayState = samlMessageContext.getRelayState();
          logger.debug("Saving SAML RelayState in Request attribute: " + relayState);
          if (isTargetUrl(relayState)) {
              request.setAttribute(SAML_RELAYSTATE_TARGET_URL_ATTRIBUTE, relayState);
          }
      }

      Then a custom AuthenticationSuccessHandler can obtain the uri from the request attributes, if set, and redirect accordingly.

      I'm sure there is a better way to do this, but I could not find any other place where the RelayState was immediately available.

        Activity

        Vladimir Schäfer added a comment -

        In order to configure usage of relayState as a target URL use the following in your securityContext.xml:

        <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
            <property name="defaultTargetUrl" value="/" />
        </bean>

        Interpretation of the value can be changed by overriding method getTargetURL(String) in SAMLRelayStateSuccessHandler class. By default the value is used unchanged.
        Current default behavior remains unchanged.

        Vladimir Schäfer added a comment -

        Resolved in revision 91


          People

          • Assignee:
            Vladimir Schäfer
            Reporter:
            William Blackburn
          • Votes:
            0
            Watchers:
            1
