
RelayState is missing or not persisted after single logout when HTTP Redirect binding is used with an external SP in AM/OpenAM (All versions)

Last updated Jan 9, 2020

The purpose of this article is to provide assistance if the RelayState parameter is missing or not persisted after Single Logout (SLO) when the HTTP Redirect binding is used. This issue can occur when AM/OpenAM is the Identity Provider (IdP) with an external Service Provider (SP).


Symptoms

The RelayState parameter is not persisted in the logout URL after SP initiated SLO, which means users are not redirected correctly after logging out. When the user then tries to log back in, they are not redirected to the expected page since the URL still contains the incorrect RelayState. This issue occurs when you use the HTTP Redirect binding. 

You may notice that the RelayState parameter has been truncated or is missing.

There are no errors logged to indicate why the redirect is not working as expected. There is an RFE to improve logging in a future release: OPENAM-15713 (AM SP drop the 80 characters RelayState silently for HTTP Redirect).

Recent Changes

N/A

Causes

The SAML2 standard states that the RelayState parameter must not exceed 80 bytes in length, which corresponds to 80 characters. See SAML Version 2.0 Errata 05 - Relay State for HTTP Redirect for further information.

If your redirect URL exceeds this limit, AM/OpenAM truncates the RelayState URL to 80 characters, which means users are not redirected as expected.

Note

You will not see this issue if you are using AM/OpenAM for both the IdP and SP. In this scenario, AM/OpenAM uses the ID of the AuthRequest as the value of the RelayState parameter and stores the actual RelayState value in its cache.
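The following Python example is added here to illustrate both points above; it is not AM/OpenAM code or ForgeRock's own implementation. It builds an HTTP-Redirect binding SLO URL (raw DEFLATE plus base64 of a constructed, unsigned LogoutRequest, which is an assumption for brevity), rejects a RelayState over the 80-byte limit instead of truncating it silently, shows what the truncation symptom looks like, and demonstrates the pattern from the Note: send a short opaque key as the RelayState and keep the real return URL server-side. The endpoint and host names are placeholders.

```python
import base64
import secrets
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# SAML V2.0 Bindings, HTTP-Redirect: RelayState MUST NOT exceed 80 bytes.
RELAY_STATE_MAX_BYTES = 80

# Constructed sample LogoutRequest (placeholder ID and hosts, not from a real deployment).
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-example-id" Version="2.0" IssueInstant="2020-01-09T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test</saml:Issuer>'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'user@example.test</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def relay_state_bytes(relay_state: str) -> int:
    """The limit is on the UTF-8 byte length, not the character count."""
    return len(relay_state.encode("utf-8"))


def relay_state_fits(relay_state: str) -> bool:
    """True when the RelayState may be carried in the HTTP-Redirect binding unchanged."""
    return relay_state_bytes(relay_state) <= RELAY_STATE_MAX_BYTES


def deflate_base64(xml: str) -> str:
    """Raw DEFLATE (no zlib header/trailer), then base64, as the Redirect binding specifies."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_base64(value: str) -> str:
    """Inverse of deflate_base64, as the receiving party decodes SAMLRequest."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_slo_url(slo_endpoint: str, logout_request_xml: str, relay_state: str) -> str:
    """Build the SLO redirect URL; fail loudly instead of silently truncating RelayState.
    Signing (SigAlg/Signature parameters) is deliberately omitted in this example."""
    if not relay_state_fits(relay_state):
        raise ValueError(
            f"RelayState is {relay_state_bytes(relay_state)} bytes; "
            f"HTTP-Redirect limit is {RELAY_STATE_MAX_BYTES}"
        )
    query = urlencode({
        "SAMLRequest": deflate_base64(logout_request_xml),
        "RelayState": relay_state,
    })
    return f"{slo_endpoint}?{query}"


def parse_redirect_slo_url(url: str) -> dict:
    """What the other side sees: decoded LogoutRequest and the RelayState as received."""
    params = parse_qs(urlparse(url).query)
    return {
        "LogoutRequest": inflate_base64(params["SAMLRequest"][0]),
        "RelayState": params["RelayState"][0],
    }


def truncate_like_symptom(relay_state: str) -> str:
    """The symptom the article describes: the RelayState cut to 80 characters, leaving a broken URL."""
    return relay_state[:RELAY_STATE_MAX_BYTES]


class RelayStateStore:
    """Pattern from the Note: send a short opaque key and keep the real return URL server-side.
    In-memory here; a real deployment would use a shared, expiring cache."""

    def __init__(self):
        self._targets = {}

    def put(self, target_url: str) -> str:
        key = secrets.token_urlsafe(24)  # 32 URL-safe characters, well under 80 bytes
        self._targets[key] = target_url
        return key

    def pop(self, key: str):
        """Resolve and consume the key when the logout response comes back."""
        return self._targets.pop(key, None)
```

Running `build_redirect_slo_url("https://idp.example.test/slo", SAMPLE_LOGOUT_REQUEST, long_url)` with a RelayState over 80 bytes raises rather than producing the truncated redirect; wrapping the long URL with `RelayStateStore.put()` and sending the returned key instead keeps the redirect within the binding's limit.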

Solution

This issue can be resolved using either of the following approaches:

  • Reduce the length of the RelayState parameter to less than 80 characters. You will need to contact the SP to ensure the redirect URL they generate complies with the SAML2 standard.
  • Use the HTTP-POST binding instead, which is not subject to browser URL length limits and is therefore more suitable for longer messages.

See the following links for further information:

See Also

SAML Federation in AM/OpenAM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15713 (AM SP drop the 80 characters RelayState silently for HTTP Redirect)

OPENAM-11477 (SLO through IDP Proxy loses the RelayState )

OPENAM-11956 (SAML2 RelayState values are seen as invalid if they are not a URL which appears to go against the spec)



Copyright © 2020 ForgeRock, all rights reserved.