Single sign-on - SAML: is RelayState required for a signed logout request?
I wish to confirm whether RelayState is required for a valid signed SAML logout request.

We have federated Microsoft's ADFS 2012 R2 with Oracle's Identity Federation, with ADFS as SP and OIF as IdP. As a basis, we followed the guide on integrating ADFS 2.0/3.0 as SP with OIF as IdP.

Everything works, except logout. We have another SP doing logout and working with OIF. The one difference we've found is that ADFS is not sending the RelayState parameter with the signed logout request, while the other SP is. I've been using SAMLTool's Validate Logout Req, with the following input:

- SAML logout request
- EntityID of the source
- Target URL, the destination of the logout request
- SigAlg
- Signature of the SAML logout request
- X.509 cert of the source (to check the signature)
- Ignore timing issues: checked

That gives me the error:

"In order to check the signature you must provide the RelayState parameter and the X.509 cert."

If I input a RelayState along with the other values in SAMLTool's Validate Logout Req, it reports the signed logout request as valid.

In the case of ADFS, because it does not have the RelayState parameter, I cannot use SAMLTool's Validate Logout Req to check that the logout from ADFS is valid.

All that said, I cannot find anywhere in the SAML spec that says RelayState is required for a signed logout request. Can anyone confirm whether it is required, and point to the documentation?
The LogoutRequest message does not have a reference to the RelayState parameter (as the other post suggests); it is part of the so-called binding used to convey messages between SAML parties. Assuming logout uses the HTTP-Redirect, HTTP-POST or Artifact binding, the spec allows the sender to include a RelayState parameter, and the receiver must return the same RelayState parameter as part of the response (as a way for the sender to keep state).

See section 3.4.3 RelayState of the SAML Bindings document: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (HTTP-Redirect binding):

3.4.3 RelayState

RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message independent of any other protections that may or may not exist during message transmission. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means.

If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response. If no such value is included with a SAML request message, or if the SAML response message is being generated without a corresponding request, then the SAML responder MAY include RelayState data to be interpreted by the recipient based on the use of a profile or prior agreement between the parties.

For the other bindings a similar section exists. As @nzpcmad says: it's not mandatory to include it in the request.
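Added example (not from the question or the answer above, and not the code of any of the products mentioned): a sender and receiver for the HTTP-Redirect binding written from section 3.4.4.1 of the bindings spec, to show what the signature actually covers. The signed string is SAMLRequest=...&SigAlg=... with RelayState=... spliced in only when the sender chose to send one, so a signed LogoutRequest without RelayState verifies exactly like one with it, and a RelayState injected by a third party breaks the signature. The receiver rebuilds the string from the raw, still-URL-encoded query values it received rather than re-encoding them. The LogoutRequest XML, the endpoint URLs and the throwaway RSA key are constructed for this example; RSA signing uses the pyca/cryptography library (assumed installed), while the query-string logic is standard library only.

```python
import base64
import zlib
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

try:  # pyca/cryptography is assumed to be available for the RSA part
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa
    HAVE_CRYPTO = True
except ImportError:
    HAVE_CRYPTO = False

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample LogoutRequest; ID, issuer, destination and NameID are placeholders.
LOGOUT_REQUEST_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" '
    'Version="2.0" IssueInstant="2016-01-01T00:00:00Z" '
    'Destination="https://idp.example.com/fed/idp/samlv20">'
    '<saml:Issuer>https://sp.example.com/adfs/services/trust</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(encoded: str) -> str:
    """Inverse of deflate_b64 for an already URL-decoded parameter value."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


def signed_input(param: str, encoded_msg: str, sig_alg: str,
                 relay_state: Optional[str] = None) -> str:
    """Octets the sender signs: <param>=<msg>[&RelayState=<rs>]&SigAlg=<alg>.
    Every value is URL-encoded; RelayState appears only if the sender sends one."""
    pairs = [(param, encoded_msg)]
    if relay_state is not None:
        pairs.append(("RelayState", relay_state))
    pairs.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in pairs)


def build_redirect_url(endpoint: str, xml: str, private_key,
                       relay_state: Optional[str] = None) -> str:
    """Sender side: compress, encode, sign the query, append the Signature parameter."""
    to_sign = signed_input("SAMLRequest", deflate_b64(xml), RSA_SHA256, relay_state)
    sig = private_key.sign(to_sign.encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{endpoint}?{to_sign}&Signature={quote(base64.b64encode(sig).decode(), safe='')}"


def raw_query_params(url: str) -> dict:
    """Query parameters with values left URL-encoded exactly as received.
    The receiver must verify these bytes, not a re-encoded copy of them."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def verify_redirect(url: str, public_key) -> bool:
    """Receiver side: rebuild the signed string from the raw query and check it.
    A missing RelayState is not an error; it is simply absent from the string."""
    p = raw_query_params(url)
    msg_param = "SAMLRequest" if "SAMLRequest" in p else "SAMLResponse"
    if msg_param not in p or "SigAlg" not in p or "Signature" not in p:
        return False  # unsigned or malformed: reject instead of skipping the check
    if unquote(p["SigAlg"]) != RSA_SHA256:
        return False  # accept only the algorithm we expect, never a sender-chosen one
    pieces = [f"{msg_param}={p[msg_param]}"]
    if "RelayState" in p:
        pieces.append(f"RelayState={p['RelayState']}")
    pieces.append(f"SigAlg={p['SigAlg']}")
    try:
        public_key.verify(base64.b64decode(unquote(p["Signature"])),
                          "&".join(pieces).encode(), padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo(relay_state: Optional[str] = None, tamper: bool = False) -> bool:
    """Round trip with a throwaway key; with tamper=True a RelayState is injected
    (if none was sent) or altered (if one was), which must invalidate the signature."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    url = build_redirect_url("https://idp.example.com/fed/idp/samlv20",
                             LOGOUT_REQUEST_XML, key, relay_state)
    if tamper:
        url = (url.replace("SigAlg=", "RelayState=injected&SigAlg=", 1) if relay_state is None
               else url.replace(quote(relay_state, safe=""), "tampered", 1))
    return verify_redirect(url, key.public_key())


if __name__ == "__main__":
    print("signed string without RelayState:", signed_input("SAMLRequest", "AAA", RSA_SHA256))
    if HAVE_CRYPTO:
        print("no RelayState, valid:", demo())
        print("with RelayState, valid:", demo("oif-logout-state-1"))
        print("RelayState injected, valid:", demo(tamper=True))
```

Note that SAMLTool asks for RelayState because its form rebuilds the same string; leaving that field empty and getting a "must provide RelayState" message is a limitation of that particular form, not of the binding, and a receiver written as above accepts the ADFS request as long as the Signature was computed over SAMLRequest and SigAlg alone.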