syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò <>
Subject Re: SAML RelayState length
Date Thu, 31 Aug 2017 10:22:36 GMT
On 31/08/2017 11:33, Colm O hEigeartaigh wrote:
> On Thu, Aug 31, 2017 at 7:51 AM, Francesco Chicchiriccò <>
>> Anyway, I see several SAML 2.0 implementations out there not enforcing the
>> 80 chars limit: would removing all but the AuthnRequestID from the current
>> JWT-based Relay State be an acceptable compromise?
> Yeah, let's just leave it for now. We can always revisit if becomes a
> problem. +1 on removing the deflate encoding switch from the token. I'm not
> sure about removing the expiration, it's probably a good idea to reject
> stale RelayStates.

I remember now why the deflateEncoding info is in the Relay State: the 
information is needed to read the SAML response [3], at a point where it 
is not already possible to identify the IdP (from which one could fetch 
the same flag).

About checking the Relay State expiration, the duration is currently set 
to 5 seconds but I am afraid it is not curerntly verified during the 
response validation.


> [1]
> [2]

Francesco Chicchiriccò

Tirasa - Open Source Excellence

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail

View raw message