  1. SX Spring Security Extension
  2. SES-50

Support SAML RelayState containing Target URI when processing IdP-Initiated SSO

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: saml-1.0.0
    • Fix Version/s: saml-1.0.0.RC1
    • Component/s: saml
    • Labels:
      None
    • Environment:
      All

      Description

      The SAML extension works as expected for IdP Initiated SSO with the exception that it does not respect a target-uri contained in the RelayState of the unsolicited Assertion. This means that applications using this method of authentication will always start on the 'defaultTargetURI' page defined in context.

      I worked around this by updating SAMLProcessingFilter to add the relay state to the request:

      if (samlMessageContext.getRelayState() != null) {
          String relayState = samlMessageContext.getRelayState();
          logger.debug("Saving SAML RelayState in Request attribute: " + relayState);
          if (isTargetUrl(relayState)) {
              request.setAttribute(SAML_RELAYSTATE_TARGET_URL_ATTRIBUTE, relayState);
          }
      }

      Then a custom AuthenticationSuccessHandler can obtain the uri from the request attributes, if set, and redirect accordingly.

      I'm sure there is a better way to do this, but I could not find any other place where the RelayState was immediately available.

        Activity

        vsch Vladimir Schäfer added a comment -

        In order to configure usage of relayState as a target URL use the following in your securityContext.xml:

        <bean id="successRedirectHandler" class="org.springframework.security.saml.SAMLRelayStateSuccessHandler">
            <property name="defaultTargetUrl" value="/" />
        </bean>

        Interpretation of the value can be changed by overriding method getTargetURL(String) in SAMLRelayStateSuccessHandler class. By default the value is used unchanged.
        Current default behavior remains unchanged.
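
Because the handler uses the RelayState value unchanged by default, and in IdP-initiated SSO that value arrives with the unsolicited response, an override of getTargetURL(String) is the natural place to restrict it to paths inside the application. The following is an added example, not part of the original issue or the project's code; the class name LocalPathRelayStateSuccessHandler is hypothetical, and it assumes the handler falls back to its normal success handling (defaultTargetUrl) when getTargetURL returns null.

```java
import java.net.URI;
import java.net.URISyntaxException;

import org.springframework.security.saml.SAMLRelayStateSuccessHandler;

/**
 * Added example (hypothetical class name): uses RelayState as a redirect
 * target only when it is a path inside this application.
 */
public class LocalPathRelayStateSuccessHandler extends SAMLRelayStateSuccessHandler {

    @Override
    protected String getTargetURL(String relayState) {
        // Assumption: returning null makes the parent handler ignore the
        // RelayState and continue with its usual target (defaultTargetUrl).
        return isLocalPath(relayState) ? relayState : null;
    }

    /** True only for values such as "/orders?id=7": no scheme, no host. */
    static boolean isLocalPath(String value) {
        if (value == null || value.isEmpty() || value.length() > 2048) {
            return false;
        }
        // Must start with exactly one "/". "//host" and "/\host" are read by
        // browsers as network-path references to another origin.
        if (value.charAt(0) != '/' || value.startsWith("//") || value.indexOf('\\') >= 0) {
            return false;
        }
        // Control characters (CR, LF, tab, ...) have no place in a redirect target.
        for (int i = 0; i < value.length(); i++) {
            if (Character.isISOControl(value.charAt(i))) {
                return false;
            }
        }
        try {
            URI uri = new URI(value);
            // Relative reference without an authority component.
            return !uri.isAbsolute() && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // unparseable values are ignored
        }
    }
}
```

To use it, point the class attribute of the successRedirectHandler bean at this subclass instead of SAMLRelayStateSuccessHandler.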

        vsch Vladimir Schäfer added a comment -

        Resolved in revision 91


          People

          • Assignee:
            vsch Vladimir Schäfer
            Reporter:
            wblackburn William Blackburn