
RelayState is missing or not persisted after single logout when HTTP Redirect binding is used with an external SP in Identity Cloud or AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if the RelayState parameter is missing or not persisted after Single Logout (SLO) when the HTTP Redirect binding is used. This issue can occur when ForgeRock Identity Cloud or AM is the Identity Provider (IdP) with an external Service Provider (SP).


Symptoms

The RelayState parameter is not persisted in the logout URL after SP-initiated SLO, which means users are not redirected correctly after logging out. When the user then tries to log back in, they are not redirected to the expected page either, because the URL still carries the incorrect RelayState. This issue only occurs when you use the HTTP Redirect binding.

You may notice that the RelayState parameter has been truncated or is missing.

You see the following message in the debug logs:

RelayState MUST NOT exceed 80 bytes. Dropping relayState

This message is only logged from AM 6.5.3 onwards; earlier versions drop the RelayState without logging anything.

Recent Changes

N/A

Causes

The SAML2 standard states that the RelayState value must not exceed 80 bytes in length. For an ASCII-only value that is 80 characters, but non-ASCII characters occupy more than one byte, so the limit should be checked on the encoded byte length rather than the character count. See SAML Version 2.0 Errata 05 - Relay State for HTTP Redirect for further information.

If the redirect URL that the external SP sends as RelayState exceeds this limit, Identity Cloud and AM truncate it to 80 bytes or drop it entirely (hence the "Dropping relayState" message), which means users are not redirected as expected.

Note

You will not see this issue if you are using AM for both the IdP and SP. In this scenario, AM uses the ID of the AuthnRequest as the value of the RelayState parameter (which is always well within 80 bytes) and stores the actual RelayState value in its cache, looking it up again by that ID when the response arrives.

Solution

This issue can be resolved using either of the following approaches:

  • Reduce the RelayState value to 80 bytes or less. You will need to contact the SP to ensure the RelayState they generate complies with the SAML2 standard; a common approach is for the SP to send a short opaque key and keep the real return URL on its own side, as AM itself does when acting as SP.
  • Use the HTTP-POST binding instead. The RelayState is carried in a hidden form field rather than in the query string, so it is not subject to browser URL length limits and is more suitable for longer messages; the issue described in this article does not occur with that binding.
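As an added example (not ForgeRock's code and not the external SP's), the following Python builds an SP-initiated LogoutRequest for both bindings and applies the rules from the Causes and Solution sections above: it measures the RelayState in bytes as the specification does, refuses to build an HTTP-Redirect URL whose RelayState the IdP would drop, shows the short-key approach described in the Note (AM uses the request ID; this example substitutes a random token and a server-side map), and emits the HTTP-POST form for the second fix. The endpoint URLs, the LogoutRequest XML and the return URL are constructed samples, and the request is left unsigned for brevity.

```python
# Added example (not ForgeRock code). Endpoint URLs, the LogoutRequest XML and
# the return URL are constructed samples; a real LogoutRequest must be signed.
import base64
import html
import secrets
import zlib
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

RELAYSTATE_MAX_BYTES = 80  # SAML 2.0 Bindings limit for the HTTP-Redirect binding

IDP_SLO_REDIRECT = "https://idp.example.com/IDPSloRedirect/metaAlias/idp"  # assumed
IDP_SLO_POST = "https://idp.example.com/IDPSloPOST/metaAlias/idp"          # assumed

# Constructed, unsigned LogoutRequest used as the SAML message in both bindings.
LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_7b3a9c" Version="2.0" '
    'IssueInstant="2023-01-16T10:00:00Z" '
    'Destination="https://idp.example.com/IDPSloRedirect/metaAlias/idp">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '</samlp:LogoutRequest>'
)


def relaystate_fits(relay_state: str) -> bool:
    """The limit is 80 *bytes*: count the UTF-8 encoding, not the characters."""
    return len(relay_state.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def deflate_b64(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def inflate_b64(data: str) -> str:
    """Inverse of deflate_b64; useful for checking what the IdP actually receives."""
    return zlib.decompress(base64.b64decode(data), -15).decode("utf-8")


def redirect_logout_url(idp_slo_url: str, xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding. Refuse to emit a RelayState the IdP would drop."""
    if not relaystate_fits(relay_state):
        raise ValueError(
            f"RelayState is {len(relay_state.encode('utf-8'))} bytes; "
            f"the HTTP-Redirect binding allows at most {RELAYSTATE_MAX_BYTES}"
        )
    query = urlencode({"SAMLRequest": deflate_b64(xml), "RelayState": relay_state})
    return f"{idp_slo_url}?{query}"


def parse_redirect_logout_url(url: str) -> Dict[str, str]:
    """Decode a Redirect-binding URL back into its LogoutRequest XML and RelayState."""
    params = parse_qs(urlsplit(url).query)
    return {
        "xml": inflate_b64(params["SAMLRequest"][0]),
        "relay_state": params.get("RelayState", [""])[0],
    }


class RelayStateStore:
    """Fix 1: send a short opaque key and keep the real return URL server-side.

    The Note above says AM does this with the request ID when it is both IdP
    and SP; here a random token stands in for that ID (assumption, not AM code).
    """

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def put(self, return_url: str) -> str:
        key = secrets.token_urlsafe(24)  # 32 URL-safe chars, well under 80 bytes
        self._entries[key] = return_url
        return key

    def pop(self, key: str) -> Optional[str]:
        return self._entries.pop(key, None)  # one-shot: a replayed key yields None


def post_logout_form(idp_slo_url: str, xml: str, relay_state: str) -> str:
    """Fix 2: HTTP-POST binding. RelayState rides in a form field, not the URL."""
    b64 = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return (
        f'<form method="post" action="{html.escape(idp_slo_url, quote=True)}">'
        f'<input type="hidden" name="SAMLRequest" value="{b64}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        '</form><script>document.forms[0].submit();</script>'
    )


if __name__ == "__main__":
    # Constructed 92-byte return URL: longer than the Redirect binding allows.
    long_return = ("https://sp.example.com/app/portal/dashboard"
                   "?tenant=acme&view=summary&after=logout&lang=en-GB")
    print("fits in 80 bytes:", relaystate_fits(long_return))
    store = RelayStateStore()
    key = store.put(long_return)
    url = redirect_logout_url(IDP_SLO_REDIRECT, LOGOUT_REQUEST, key)
    print(url)
    print("restored:", store.pop(parse_redirect_logout_url(url)["relay_state"]))
    print(post_logout_form(IDP_SLO_POST, LOGOUT_REQUEST, long_return)[:100], "...")
```

When diagnosing a report like the one in Symptoms, run the SP's actual RelayState through relaystate_fits first; a value that looks short in characters can still exceed 80 bytes once non-ASCII characters are counted. The store's pop is deliberately one-shot so that a replayed logout response cannot be used to redirect a later user to a stale URL.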


See Also

SAML 2.0 federation in AM

SAML v2.0

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15713 (AM SP drop the 80 characters RelayState silently for HTTP Redirect)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.