Relaystate exceeds 80 bytes


thuannguy

Jul 7, 2011, 5:08:08 AM
to simpleSAMLphp
Hi guys,
I'm trying out simpleSAMLphp as an SP of our own developed IdP, and
then in the Authentication tab choose "Test configured authentication
sources" -> default SP.

The problem I currently have is that the AuthnRequest which
simpleSAMLphp sends to my IdP has a RelayState that is too long:

https://.../saml2/issue.idp?SAMLRequest=...&RelayState=https%3A%2F%2Fsimplesamlphp.mydomain.local%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddefault-sp&...[others]

my local domain name is: https://simplesamlphp.safewhere.local/

According to the specs, relaystate MUST NOT exceed 80 *bytes*.

For the sake of testing, I tried to give relaystate a dummy value by
editing authnsources.php but had no luck:

'default-sp' => array(
    'saml:SP',
    'relayState' => 'https://sp.example.org/welcome.php',
),


What can I do to shorten the relaystate string?

Thank you in advance,
Thuan.

Olav Morken

Jul 7, 2011, 8:53:11 AM
to simple...@googlegroups.com
On Thu, Jul 07, 2011 at 02:08:08 -0700, thuannguy wrote:
> Hi guys,
> I'm trying out simpleSAMLphp as an SP of our own developed IdP, and
> than in the Authentication tab choose "Test configured authentication
> sources" -> default SP.
>
> The problem I currently have is that the AuthnRequest which
> simpleSAMLphp sends to my Idp has too long relay state:
>
> https://.../saml2/issue.idp?SAMLRequest=...&RelayState=https%3A%2F%2Fsimplesamlphp.mydomain.local%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddefault-sp&...[others]
>
> my local domain name is: https://simplesamlphp.safewhere.local/
>
> According to the specs, relaystate MUST NOT exceed 80 *bytes*.

Yes. This is one part of the spec that it is very convenient to
violate. I had some plans to add a "standards compliant relaystate"
option, but unfortunately haven't gotten around to it.

> For the sake of testing, I tried to give relaystate a dummy value by
> editing authnsources.php but had no luck:
>
> 'default-sp' => array(
> 'saml:SP',
> 'relayState' => 'https://sp.example.org/welcome.php',
>
>
> What can I do to shorten the relaystate string?

What version of simpleSAMLphp are you using? I believe it was changed
to use a shorter RelayState relatively recently.

Regards,
Olav Morken
UNINETT / Feide

thuannguy

Jul 7, 2011, 12:00:18 PM
to simpleSAMLphp
Hi Morken,
The version I use is 1.8.0.0.

Thank you for the reply :-)

Thuan.

On Jul 7, 7:53 pm, Olav Morken <olav.mor...@uninett.no> wrote:
> On Thu, Jul 07, 2011 at 02:08:08 -0700, thuannguy wrote:
> > Hi guys,
> > I'm trying out simpleSAMLphp as an SP of our own developed IdP, and
> > than in the Authentication tab choose "Test configured authentication
> > sources" -> default SP.
>
> > The problem I currently have is that the AuthnRequest which
> > simpleSAMLphp sends to my Idp has too long relay state:
>
> >https://.../saml2/issue.idp?SAMLRequest=...&RelayState=https%3A%2F%2F......[others]

Olav Morken

Jul 8, 2011, 7:48:38 AM
to simple...@googlegroups.com
On Thu, Jul 07, 2011 at 09:00:18 -0700, thuannguy wrote:
> Hi Morken,
> The version I use is 1.8.0.0.

In that case, it will already use a short URL if it is available.
That means that if you start your authentication from
'https://sp.example.org/welcome.php', the RelayState will be set to
that URL.

You can also do something like:

$as = new SimpleSAML_Auth_Simple('default-sp');
$as->login(array(
    'ReturnTo' => 'https://sp.example.org/welcome.php',
));

Unfortunately, there is no code that attempts to keep the RelayState
parameter below 80 bytes, so when the URL becomes longer, we will
violate the spec.

thuannguy

Jul 12, 2011, 10:29:08 PM
to simpleSAMLphp
Hi Olav,
Setting ReturnTo to the root URL is working for me.
In my opinion, the spec is too annoying. Why 80 bytes? And if an IdP
counts each character in relayState as 2 bytes, then its length must not
be longer than 40! Too easy to break the spec.

Anyway, thank you for your help :-)
Thuan.

Peter Schober

Jul 13, 2011, 3:15:33 AM
to simpleSAMLphp
* thuannguy <thua...@gmail.com> [2011-07-13 04:29]:

> Setting ReturnTo to the root url is working for me.
> In my opinion, the spec is too annoying. Why 80 bytes? And if an Idp
> counts each character in relayState 2 bytes, then its length must not
> be longer than 40! Too easy to break the spec.

There is no requirement for relaystate to be an (or the original) URL,
e.g. the SP might want to keep the IdP from learning the specific URL
the subject was trying to access.
-peter
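To illustrate both points raised above (Olav's, that nothing keeps the RelayState under 80 bytes once the ReturnTo URL grows, and Peter's, that RelayState need not be the URL at all), here is an added stand-alone example, not simpleSAMLphp code: the SP keeps the real ReturnTo URL in its own session store and sends the IdP only a short, opaque, one-time token. The byte counter uses UTF-8 length, since the limit is in bytes, not characters; `RelayStateStore` and the allowed-host list are assumptions of this example.

```python
"""Constructed example: keep SAML RelayState within the 80-byte limit
by passing an opaque token instead of the SP's return URL."""
import secrets
from typing import Optional
from urllib.parse import urlsplit

RELAYSTATE_MAX_BYTES = 80  # limit from the SAML 2.0 bindings spec


def relaystate_byte_length(value: str) -> int:
    # The spec limit is in bytes, so count UTF-8 bytes, not characters.
    return len(value.encode("utf-8"))


def relaystate_is_compliant(value: str) -> bool:
    return relaystate_byte_length(value) <= RELAYSTATE_MAX_BYTES


class RelayStateStore:
    """Assumed helper: maps a short random token to the real ReturnTo URL.

    The URL never leaves the SP, so the IdP learns nothing about which
    page the subject was trying to reach, and the token is always short.
    """

    def __init__(self, allowed_hosts):
        self._allowed = set(allowed_hosts)
        self._pending = {}  # token -> ReturnTo URL (would live in the SP session)

    def issue(self, return_to: str) -> str:
        # Only accept https URLs on this SP: the post-login redirect must
        # never be steerable to an arbitrary host.
        parts = urlsplit(return_to)
        if parts.scheme != "https" or parts.hostname not in self._allowed:
            raise ValueError("ReturnTo must be an https URL on this SP")
        token = secrets.token_urlsafe(24)  # 32 URL-safe chars, well under 80 bytes
        self._pending[token] = return_to
        return token

    def redeem(self, relay_state: str) -> Optional[str]:
        # One-time use: pop the entry so a replayed RelayState resolves to nothing.
        return self._pending.pop(relay_state, None)
```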

thuannguy

Jul 13, 2011, 12:42:14 PM
to simpleSAMLphp
Yes, you are right. But in this situation, after receiving the response from
the IdP, simpleSAMLphp uses the relayState to redirect the user to
(at least this is the case in my configuration.)
In addition, when logging out, relayState is set to a 44-length
unique id.

On Jul 13, 2:15 pm, Peter Schober <peter.scho...@univie.ac.at> wrote:
> * thuannguy <thuann...@gmail.com> [2011-07-13 04:29]:

mostafa.kamal

Aug 14, 2013, 7:49:18 PM
to simple...@googlegroups.com, olav....@uninett.no
Hello sir,

I need to redirect the user after authenticating with Google Apps through sql to an arbitrary page, however unless the page is something.google.com Google gives me an invalid request.

Can I do so using ReturnTo or RelayState? How, and in which file?

Thanks

Peter Schober

Aug 16, 2013, 4:58:03 AM
to simple...@googlegroups.com
* mostafa.kamal <mostaf...@cloudypedia.com> [2013-08-15 01:49]:
> On Friday, July 8, 2011 1:48:38 PM UTC+2, Olav Morken wrote:
> > Unfortunately, there is no code that attempts to keep the
> > RelayState parameter below 80 bytes, so when the URL becomes
> > longer, we will violate the spec.
>
> I need to redirect the user after authenticating with Google Apps
> through sql to an arbitrary page, however unless the page is
> something.google.com Google gives me an invalid request.

That's completely unrelated to the old (from 2011) thread you're
replying to.
Stick to the one you already started for that same question (the one
with the not so helpful subject "SSO authenticate using email address").
-peter