syncope-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: SAML RelayState length
Date Wed, 30 Aug 2017 17:01:43 GMT
Hi Francesco,

On Thu, Aug 17, 2017 at 2:10 PM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:

>
> Hi Colm,
> at the moment the relay state as signed JWT is used to hold [1]:
>
> * the preference to use the (non-standard?) deflate encoding - which might
> be omitted, we could just take such setting from IdP configuration
> * the AuthnRequest ID, for later checking the login response [2]
> * the duration, for expiration
>
> Out of such three items, I would only keep the second but I'd rather
> prefer to be relatively sure that it was not tampered with, when it comes
> back for [2]: any alternative to use a signed JWT for such purpose?
>

I agree that we don't need the information about deflate encoding in there.
The alternative to sending the token is to cache the values locally (could
use EhCache, which is what we do with CXF, or store them in the session I
guess) keyed using a random String which is then the RelayState. What do
you think about switching to this approach?

Colm.


>
> Regards.
>
> [1] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L327-L329
> [2] https://github.com/apache/syncope/blob/2_0_X/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java#L408
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
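The approach Colm proposes (keep the AuthnRequest ID server-side, keyed by a random RelayState, instead of shipping it in a signed JWT), sketched as an added Python example that is not Syncope or CXF code; the 300-second lifetime, the one-time-use rule and the injectable clock are assumptions made for the illustration:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

RELAY_STATE_TTL_SECONDS = 300  # assumed lifetime, playing the role of the JWT "duration"


@dataclass
class PendingRequest:
    authn_request_id: str   # ID of the AuthnRequest we sent to the IdP
    expires_at: float       # absolute time after which the entry is dead


class RelayStateStore:
    """Server-side replacement for the signed-JWT RelayState.

    The RelayState handed to the IdP is an opaque random string; the
    AuthnRequest ID and the expiry never leave the SP, so the client
    cannot tamper with them. Entries are consumed on first use.
    """

    def __init__(self, ttl: float = RELAY_STATE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._entries = {}       # relay_state -> PendingRequest (EhCache/session in practice)
        self._ttl = ttl
        self._clock = clock

    def create(self, authn_request_id: str) -> str:
        # 32 random bytes -> 43 URL-safe chars, well under the 80-byte
        # RelayState limit that the SAML 2.0 Bindings spec recommends.
        relay_state = secrets.token_urlsafe(32)
        self._entries[relay_state] = PendingRequest(
            authn_request_id, self._clock() + self._ttl)
        return relay_state

    def consume(self, relay_state: str) -> Optional[str]:
        """Return the AuthnRequest ID bound to relay_state, or None if the
        state is unknown or expired. The entry is removed either way."""
        entry = self._entries.pop(relay_state, None)
        if entry is None or self._clock() > entry.expires_at:
            return None
        return entry.authn_request_id


def validate_response(store: RelayStateStore, relay_state: str,
                      in_response_to: str) -> bool:
    """Check that the Response's InResponseTo matches the AuthnRequest ID we
    stored for this RelayState (the check [2] in the thread)."""
    expected = store.consume(relay_state)
    return expected is not None and secrets.compare_digest(expected, in_response_to)
```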
