RelayState is missing or not persisted after single logout when HTTP Redirect binding is used with an external SP in Identity Cloud or AM (All versions)
The purpose of this article is to provide assistance if the RelayState parameter is missing or not persisted after Single Logout (SLO) when the HTTP Redirect binding is used. This issue can occur when ForgeRock Identity Cloud or AM is the Identity Provider (IdP) with an external Service Provider (SP).
The RelayState parameter is not persisted in the logout URL after SP initiated SLO, which means users are not redirected correctly after logging out. When the user then tries to log back in, they are not redirected to the expected page since the URL still contains the incorrect RelayState. This issue occurs when you use the HTTP Redirect binding.
You may notice that the RelayState parameter has been truncated or is missing.
You see the following error in the debug logs:

RelayState MUST NOT exceed 80 bytes. Dropping relayState

This error message does not appear in AM versions earlier than 6.5.3.
The SAML2 standard states that the RelayState parameter must not exceed 80 bytes in length, which corresponds to 80 characters. See SAML Version 2.0 Errata 05 - Relay State for HTTP Redirect for further information.
If your redirect URL exceeds this limit, Identity Cloud and AM truncate the RelayState URL to 80 characters, which means users are not redirected as expected.
You will not see this issue if you are using AM for both the IdP and SP. In this scenario, AM uses the ID of the AuthRequest as the value of the RelayState parameter and stores the actual RelayState value in the cache.
This issue can be resolved using either of the following approaches:
- Reduce the length of the RelayState parameter to less than 80 characters. You will need to contact the SP to ensure the redirect URL they generate complies with the SAML2 standard.
- Use the HTTP-POST binding instead, which is not subject to browser URL length limits, making it more suitable for longer messages.
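The following is an added illustration, not code from AM or Identity Cloud: it models the 80-byte RelayState check for the HTTP-Redirect binding, the dropping behaviour the log message describes, and the indirection pattern described above (a short opaque token in the URL, the real return URL kept server-side). The endpoint URLs and LogoutRequest XML are constructed placeholders.

```python
import base64
import secrets
import zlib
from typing import Optional
from urllib.parse import urlencode

# SAML V2.0 Errata 05: RelayState MUST NOT exceed 80 bytes for HTTP-Redirect.
RELAYSTATE_MAX_BYTES = 80


def relay_state_fits(relay_state: str) -> bool:
    """True if RelayState is within the limit. The limit is in UTF-8 bytes,
    so non-ASCII characters count as more than one byte each."""
    return len(relay_state.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def deflate_b64(xml: str) -> str:
    """DEFLATE + base64 encoding used by the HTTP-Redirect binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib header
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_redirect_logout_url(slo_endpoint: str, logout_request_xml: str,
                              relay_state: Optional[str]) -> str:
    """Build a LogoutRequest redirect URL (constructed model, not AM code).
    An over-long RelayState is dropped, mirroring the logged behaviour."""
    params = {"SAMLRequest": deflate_b64(logout_request_xml)}
    if relay_state is not None and relay_state_fits(relay_state):
        params["RelayState"] = relay_state
    return f"{slo_endpoint}?{urlencode(params)}"


class RelayStateStore:
    """Hypothetical server-side cache: the URL carries a short random token,
    the long return URL never leaves the server (the AM-to-AM pattern)."""

    def __init__(self) -> None:
        self._entries: dict = {}

    def register(self, return_url: str) -> str:
        token = secrets.token_urlsafe(24)  # 32 chars, well under 80 bytes
        self._entries[token] = return_url
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._entries.pop(token, None)  # single use
```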
See the following links for further information:
- How do I configure IdP or SP initiated Single Logout in Identity Cloud or AM (All versions)?
- How do I know which binding to use for SAML2 federation in Identity Cloud or AM (All versions)?
- Implement SSO and SLO
Related Issue Tracker IDs
OPENAM-15713 (AM SP drop the 80 characters RelayState silently for HTTP Redirect)