Closed SimOnPanw closed 1 month ago
@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?
@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?
@mikeurbanski1, Yes, it used to work. I noticed some changes when we changed the landing pages from /project
to /home/appsec/projects
, but I could not pinpoint the issue at that moment. It was only when a customer raised the issue that we further troubleshot and discovered that Azure IDP was stripping information from the URL.
@SimOnPanw is this true for every IDP? I am wondering how the initial implementation of this worked (assuming it was tested). Did it ever work?
@mikeurbanski1, Yes, it used to work. I noticed some changes when we changed the landing pages from
/project
to/home/appsec/projects
, but I could not pinpoint the issue at that moment. It was only when a customer raised the issue that we further troubleshot and discovered that Azure IDP was stripping information from the URL.
Ok. I guess my concern here is whether this fix will be universal. I don't really have a way to test it and my memory for SSO flow details is weak.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
This pull request addresses an issue where the Identity Provider (IDP) was stripping information from the RelayState parameter if it was not double-encoded. The change ensures that the URI is correctly double-encoded before being passed as the RelayState parameter, thus preserving the full URI information.
Testing: Verified that the double-encoded URI is correctly passed as the RelayState parameter. Confirmed that the IDP retains the full information of the RelayState parameter without stripping any part of the URI.
Checklist: