The RelayState parameter is not persisted in the logout URL after SP initiated SLO, which means users are not redirected correctly after logging out. When the user then tries to log back in, they are not redirected to the expected page since the URL still contains the incorrect RelayState. This issue occurs when you use the HTTP Redirect binding.
You may notice that the RelayState parameter has been truncated or is missing.
There are no errors logged to indicate why the redirect is not working as expected. There is an RFE to improve logging: OPENAM-15713 (AM SP drop the 80 characters RelayState silently for HTTP Redirect). This has been resolved in AM 5.5.2, and AM 6.5.3 and later.
The SAML2 standard states that the RelayState parameter must not exceed 80 bytes in length, which corresponds to 80 characters. See SAML Version 2.0 Errata 05 - Relay State for HTTP Redirect for further information.
If your redirect URL exceeds this limit, AM/OpenAM truncates the RelayState URL to 80 characters, which means users are not redirected as expected.
You will not see this issue if you are using AM/OpenAM for both the IdP and SP. In this scenario, AM/OpenAM uses the ID of the AuthRequest as value of the RelayState parameter and stores the actual RelayState value in the cache.
This issue can be resolved using either of the following approaches:
- Reduce the length of the RelayState parameter to less than 80 characters. You will need to contact the SP to ensure the redirect URL they generate complies with the SAML2 standard.
- Use the HTTP-POST binding instead, which is not subject to browser URL length limits and is therefore more suitable for longer messages.
See the following links for further information: