Open konvergence opened 1 year ago
Thanks for opening this issue @konvergence .
This looks to be working as designed. The SAML spec is old, and I don't know that anyone enforces this limitation. Are you opening this issue because FusionAuth is not functioning with another service provider due to this length, or are you just stating that we are creating a RelayState parameter greater than 80 bytes?
The SAML provider that I need to use applies the limit of 80 characters on the RelayState.
He justifies this limit with the SAML specification. He can derogate up to 1024 but not more.
If I understand your design, you use RelayState to keep some FusionAuth context. But from the point of view of SAML exchanges there is no reason to do it.
Maybe you could manage some context in server-side sessions instead of putting it in the RelayState.
Anyway, at this step this is a breaking point for us.
Thanks for the additional detail @konvergence.
FusionAuth is currently using the value encoded in the RelayState to preserve context through this workflow. It may be possible that we could build some alternate mechanism to do this in order to reduce the length of the RelayState value.
Can you share what IdP you are attempting to integrate with that is enforcing this limit?
The IdP is an internal development of a bank, so I can't give you a product or a doc. If possible, maybe I can give you access to it.
Hi, sorry, we cannot give access to the IdP. Could you give us a roadmap for an alternative mechanism in order to reduce the length of the RelayState value?
SAMLv2 Identity Provider - RelayState MUST NOT exceed 80 bytes
Description
Non-conformance with https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
In both "HTTP Redirect Binding" and "HTTP POST Binding", the RelayState value MUST NOT exceed 80 bytes. In "HTTP POST Binding" mode, the RelayState is shorter than in "HTTP Redirect Binding" mode, but its size is still more than 1100 characters.
Affects versions
all, latest: 1.47.1
Steps to reproduce
Expected behavior
Why does FusionAuth use a RelayState, especially in POST mode? Is there a way to reduce the RelayState so that it does not exceed 80 chars, especially in POST mode?
Screenshots
Platform
Additional context
Example of base64-encoded RelayState in the POST Binding request
Decoded RelayState
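As an added example (not FusionAuth's code, and not the reporter's), here is in Python the check a service provider can apply against the binding spec's 80-byte RelayState limit, next to the two designs discussed in the thread: serialising the whole context into RelayState, and the server-side-session alternative that sends only a short, unguessable, single-use handle. The context field names and values are constructed for the example and are not FusionAuth's actual RelayState schema.

```python
import base64
import json
import secrets
import time

# SAML 2.0 Bindings: a RelayState value MUST NOT exceed 80 bytes (HTTP Redirect and HTTP POST bindings)
RELAYSTATE_MAX_BYTES = 80

# Constructed sample context; the field names are illustrative, not FusionAuth's real schema
SAMPLE_CONTEXT = {
    "applicationId": "00000000-0000-0000-0000-000000000001",
    "tenantId": "00000000-0000-0000-0000-000000000002",
    "redirectUri": "https://sp.example.test/oauth2/callback",
    "state": "client-state-value",
}


def relaystate_is_conformant(relay_state: str) -> bool:
    """Measure the value as transmitted, in bytes: 80 multibyte characters already break the limit."""
    return len(relay_state.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def inline_relaystate(context: dict) -> str:
    """The pattern the issue describes: the SP's whole context is serialised into RelayState itself."""
    raw = json.dumps(context, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


class ServerSideRelayState:
    """Alternative: keep the context in a server-side session and send only an opaque handle.

    The handle is random (it cannot be guessed or forged to attach to another user's login),
    single-use (a replayed SAML response cannot reuse it) and time-limited.
    """

    def __init__(self, ttl_seconds: float = 300, now=time.time):
        self._entries = {}   # handle -> (expiry timestamp, context)
        self._ttl = ttl_seconds
        self._now = now      # injectable clock, so expiry is testable

    def issue(self, context: dict) -> str:
        handle = secrets.token_urlsafe(32)   # 43 ASCII chars, well inside the 80-byte limit
        self._entries[handle] = (self._now() + self._ttl, dict(context))
        return handle

    def redeem(self, handle: str):
        """Return the stored context exactly once, or None if the handle is unknown, used or expired."""
        entry = self._entries.pop(handle, None)
        if entry is None:
            return None
        expires_at, context = entry
        return context if self._now() <= expires_at else None
```

The store must of course be shared across the SP's nodes (a database or cache keyed by the handle) for the lookup to work after the IdP redirects the browser back.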