IBM Verify
  • 1.  SP initiated SAML flow relay state is lost

    Posted Wed December 05, 2018 07:32 AM
    Hello,

    We got this strange problem with SAML authentication. We use an SP-initiated SAML flow, and the service provider POST to the ISAM federation contains a relay state. After authenticating to ISAM, the relay state is empty in the SAML response to the application.
    Have any of you had this same issue, and how did you solve it?
    From this page I see that I can receive the relay state from the original request:
    IBM IJ04692: SAMPLE MAPPING RULE HAS INCORRECT SYNTAX FOR RETRIEVING AUTHENTICATION RELATED CLAIMS DATA (SP_SAML_20.JS) - United States
    A sample mapping rule that is shipped with the appliance (sp_saml_20.js) includes incorrect documentation for retrieving


    We use this mapping rule for SAML assertion building:

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

    var attributeContainer = stsuu.getAttributeContainer();

    // Principal (NameID): the user's e-mail address, with the emailAddress NameID format.
    var principalName = new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", attributeContainer.getAttributeValueByName("tagvalue_credattrs_email"));

    // Assertion attributes, read from the credential attributes of the authenticated user.
    var nameAttr = new Attribute("givenName", "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", attributeContainer.getAttributeValueByName("tagvalue_credattrs_givenname"));
    var snAttr = new Attribute("sn", "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", attributeContainer.getAttributeValueByName("tagvalue_credattrs_cn"));
    var cn = new Attribute("cn", "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified", attributeContainer.getAttributeValueByName("tagvalue_credattrs_email"));

    // Clear the stsuu principal and attribute list. We don't need any of the existing data.
    stsuu.clearPrincipal();
    stsuu.clearAttributeList();

    // Set the principal and add the attributes that go into the SAML 2.0 assertion.
    stsuu.addPrincipalAttribute(principalName);
    stsuu.addAttribute(nameAttr);
    stsuu.addAttribute(snAttr);
    stsuu.addAttribute(cn);

    I can expect that stsuu.clearAttributeList(); will remove the relay state. Is that correct? How can I add the relay state from a variable to the SAML POST using mapping rules? Is there a code example available for this?
    best regards,

    Sander Meyfroot

    ------------------------------
    Sander Meyfroot
    ------------------------------


  • 2.  RE: SP initiated SAML flow relay state is lost

    Posted Thu December 06, 2018 01:46 AM
    Hi Sander Meyfroot,

    The mapping rule maps all the attributes in the stsuu, which are then converted into a SAML assertion. RelayState is not part of the SAML assertion, hence the mapping rule has no impact on the RelayState; and there is also no need for the mapping rule to access RelayState, since, based on the SAML2 spec, the IdP should play back the RelayState received, hence RelayState should be kept intact.

    The ISAM IdP plays back the RelayState for SP-initiated SSO, but currently there's a limitation on the RelayState the ISAM IdP can handle: certain special chars embedded in the RelayState might cause a truncated or incorrect RelayState to be played back, e.g. double quote, space chars, etc. Can you share the RelayState the SP sends to the ISAM IdP together with the AuthnRequest? One workaround could be to Base64 encode the RelayState before sending it out to the ISAM IdP.

    Best Regards

    Chen Yongming


    ------------------------------
    Yongming Chen
    ------------------------------



  • 3.  RE: SP initiated SAML flow relay state is lost

    Posted Mon December 10, 2018 06:04 AM

    Hello,

    The problem was indeed that a special char " (quote) was breaking the relay state. We Base64 encoded the values in the relay state and now the problem is resolved.
    Best regards,

    Sander Meyfroot



    ------------------------------
    Sander Meyfroot
    ------------------------------



  • 4.  RE: SP initiated SAML flow relay state is lost

    Posted Mon April 27, 2020 04:40 PM
    Hi Yongming / Sander, I see this is a very old post but I am having a similar issue. Can you help me understand if this is the same as what you have faced before? Here is my scenario:

    One of the Relying Parties is making a request to the ISAM Identity Provider. It includes Target / RelayState in the SAML AuthnRequest, but this RelayState has an XSS vulnerability. From the Federation Runtime Trace's RequestSecurityToken – Saml20Claims, we do see that RelayState is encoded as below:

    RelayState=""/>tes<script>alert(1)</script>" 


    We are getting this RelayState from the Service Provider's SAML AuthnRequest.
    ISAM is the IdP in this scenario.

    The STSUU has the RelayState URL encoded – highlighted in bold italics above.

    Is it possible to modify the RelayState in the STSUU from the mapping rule? As I understand from Yongming's reply, this is not a good idea. If not, is there another way to fix this XSS vulnerability in RelayState?

    Thank you!





    ------------------------------
    Rajkumar
    ------------------------------



  • 5.  RE: SP initiated SAML flow relay state is lost

    Posted Tue May 05, 2020 10:41 AM
    Hi Rajkumar,

    I've replied to you in another thread. RelayState cannot be modified in the ISAM IdP; this complies with the SAML2 spec. It's possible to retrieve RelayState within the ISAM IdP mapping rule for the SP-initiated flow, and you can add RelayState validation logic in the mapping rule; IDMappingExtUtils provides an API to throw an STS exception to abort the SSO flow.

    By the way, the limitation of the ISAM IdP not being able to handle a RelayState that contains special chars has been removed in the current ISAM (probably from one version before the current ISAM release onwards). The ISAM IdP will send the same RelayState back to the SP.

    Best Regards

    Chen Yongming

    ------------------------------
    Yongming Chen
    ------------------------------
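
Added example (not code from this thread, from IBM, or from the ISAM appliance): the RelayState validation that post 5 says can be placed in an IdP mapping rule, combined with the decode side of the Base64 workaround from posts 2 and 3, and the output-side escaping that stops the value quoted in post 4 from breaking out of the POST-binding form. It is written as plain Node JavaScript so it runs on its own; the ISAM wiring at the end (the STSUU context attribute name used to read RelayState, and the IDMappingExtUtils.throwSTSException call) is an assumption about the appliance API and is commented out. The sample inputs are constructed, except the third, which is the value from post 4.

```javascript
// Added example, not code from the thread or from IBM. RelayState validation
// of the kind post 5 describes, the Base64 workaround from posts 2/3 on the
// decode side, and HTML escaping for the POST-binding form. Node JavaScript.

// SAML 2.0 Bindings (sections 3.4.3 and 3.5.3): RelayState MUST NOT exceed
// 80 bytes. Base64 inflates a value by about a third, so an SP that applies
// the workaround has to start from a correspondingly shorter value.
const MAX_RELAY_STATE_BYTES = 80;

// Characters accepted in the (decoded) RelayState: RFC 3986 unreserved
// characters plus the path/query punctuation a "return to" value needs.
// Quotes, angle brackets, whitespace and '&' are deliberately absent, so the
// value can never break out of an HTML attribute or a query string.
const SAFE_RELAY_STATE = /^[A-Za-z0-9._~\-\/?=%]*$/;

// Strict base64: alphabet only, length a multiple of 4, correct padding.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Decode base64, rejecting anything that does not round-trip exactly
// (non-canonical padding bits, stray characters, empty input).
function decodeBase64Strict(value) {
  if (value.length === 0 || !BASE64_RE.test(value)) return null;
  const bytes = Buffer.from(value, 'base64');
  if (bytes.toString('base64') !== value) return null;
  return bytes.toString('utf8');
}

// Validate a RelayState as received with the AuthnRequest. Policy here: the
// value must be a relative path or an opaque token, never a full URL. Returns
// { ok: true, value } or { ok: false, reason }. Pass { base64: true } when the
// SP applied the Base64 workaround; the decoded value is then what is checked.
function validateRelayState(raw, opts = {}) {
  if (typeof raw !== 'string') return { ok: false, reason: 'missing' };
  if (Buffer.byteLength(raw, 'utf8') > MAX_RELAY_STATE_BYTES) {
    return { ok: false, reason: 'too long' };
  }
  let value = raw;
  if (opts.base64) {
    value = decodeBase64Strict(raw);
    if (value === null) return { ok: false, reason: 'not base64' };
  }
  if (!SAFE_RELAY_STATE.test(value)) {
    return { ok: false, reason: 'unsafe characters' };
  }
  if (value.startsWith('//')) {
    return { ok: false, reason: 'protocol-relative URL' };
  }
  return { ok: true, value };
}

// Output-side defence, which is what actually neutralises the payload in
// post 4: whatever the validation policy, the IdP must HTML-escape RelayState
// when it writes it into the hidden field of the POST-binding auto-submit form.
function escapeHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderRelayStateField(relayState) {
  return '<input type="hidden" name="RelayState" value="' +
    escapeHtmlAttribute(relayState) + '"/>';
}

// Constructed sample inputs; the third is the value quoted in post 4.
const samples = [
  ['/app/dashboard?tab=1', {}],
  [Buffer.from('/app/dashboard?tab=1').toString('base64'), { base64: true }],
  ['"/>tes<script>alert(1)</script>', {}],
  ['//evil.example/landing', {}],
  ['x'.repeat(81), {}],
];
for (const [raw, opts] of samples) {
  const r = validateRelayState(raw, opts);
  console.log(JSON.stringify(raw), '->', r.ok ? 'accept ' + r.value : 'reject: ' + r.reason);
}

// Inside an ISAM IdP mapping rule (Rhino JavaScript: 'var' rather than
// 'const', no Buffer) the check would be wired roughly like this. The STSUU
// context attribute name used to read RelayState is an ASSUMPTION, not taken
// from this page; confirm it against the federation runtime trace, where
// post 4 shows RelayState inside RequestSecurityToken / Saml20Claims.
//
//   importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
//   var relayState = stsuu.getContextAttributes()
//                        .getAttributeValueByName("RelayState");   // assumed name
//   var verdict = validateRelayState(relayState);
//   if (!verdict.ok) {
//     IDMappingExtUtils.throwSTSException("RelayState rejected: " + verdict.reason);
//   }
```

Run it with node to see each sample accepted or rejected with its reason. Two design points: the 80-byte limit is applied to the raw value as received, before any decoding, because that is what the binding specification constrains; and the escaping step is kept separate from validation, since the appliance version in use decides whether the playback bug from post 2 still exists, while correct escaping of the hidden field is what removes the XSS regardless of what the SP sends.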