RelayState is missing or not persisted after single logout when HTTP Redirect binding is used with an external SP in Identity Cloud or AM (All versions)

Symptoms

The RelayState parameter is not persisted in the logout URL after SP initiated SLO, which means users are not redirected correctly after logging out. When the user then tries to log back in, they are not redirected to the expected page since the URL still contains the incorrect RelayState. This issue occurs when you use the HTTP Redirect binding.

You may notice that the RelayState parameter has been truncated or is missing.

You see the following error in the debug logs:RelayState MUST NOT exceed 80 bytes. Dropping relayState

This error is not shown in pre-AM 6.5.3.

Recent Changes

N/A

Causes

The SAML2 standard states that the RelayState parameter must not exceed 80 bytes in length, which corresponds to 80 characters. See SAML Version 2.0 Errata 05 - Relay State for HTTP Redirect for further information.

If your redirect URL exceeds this limit, Identity Cloud and AM truncates the RelayState URL to 80 characters, which means users are not redirected as expected.

Solution

This issue can be resolved using either of the following approaches:

• Reduce the length of the RelayState parameter to less than 80 characters. You will need to contact the SP to ensure the redirect URL they generate complies with the SAML2 standard.
• Use the HTTP-POST binding instead, which is not subject to browser URL length limits making it more suitable for longer messages.

See the following links for further information:

• How do I configure IdP or SP initiated Single Logout in Identity Cloud or AM (All versions)?
• How do I know which binding to use for SAML2 federation in Identity Cloud or AM (All versions)?
• Implement SSO and SLO

See Also

SAML 2.0 federation in AM

SAML v2.0

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15713 (AM SP drop the 80 characters RelayState silently for HTTP Redirect)