Hi Spring security team,

I'm using the brand new SAML 2 support with Spring Boot 2.2.1 and Spring Security 5.2.1 and I have an issue using it with Microsoft ADFS.

The ADFS doesn't like having an empty RelayState parameter in the redirect URL. Either RelayState= or removing RelayState from the URL makes the process work.

This behavior is coming from this method:

    private String createSamlRequestRedirectUrl(HttpServletRequest request, RelyingPartyRegistration relyingParty) {
        Saml2AuthenticationRequest authNRequest = createAuthenticationRequest(relyingParty, request);
        String xml = this.authenticationRequestFactory.createAuthenticationRequest(authNRequest);
        String encoded = encode(deflate(xml));
        // null when the incoming request carried no RelayState parameter
        String relayState = request.getParameter("RelayState");
        String redirect = UriComponentsBuilder
                .fromUriString(relyingParty.getIdpWebSsoUrl())
                .queryParam("SAMLRequest", UriUtils.encode(encoded, StandardCharsets.ISO_8859_1))
                // RelayState is appended unconditionally, even when relayState is null
                .queryParam("RelayState", UriUtils.encode(relayState, StandardCharsets.ISO_8859_1))
                .build(true)
                .toUriString();
        return redirect;
    }

While this is probably a weird behavior from the ADFS, I think it would be better to avoid including the RelayState when there is no value.

What do you think about that?

Have a nice day :)
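For reference, here is an added, stand-alone version of the redirect-URL builder (example code, not Spring Security's own method) that only appends RelayState when the caller supplied a non-blank value; it assumes spring-web on the classpath and uses a hypothetical deflateAndEncode helper and a constructed placeholder AuthnRequest.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

// Added example, not the Spring Security implementation.
public final class SamlRedirectUrl {

    // Hypothetical helper: raw DEFLATE (no zlib header) followed by Base64,
    // which is what the SAML HTTP-Redirect binding expects for SAMLRequest.
    static String deflateAndEncode(String xml) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try (DeflaterOutputStream dos = new DeflaterOutputStream(out, deflater)) {
            dos.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    // Builds the IdP redirect URL; RelayState is omitted entirely when it is
    // null or blank, so ADFS never sees a bare "RelayState" parameter.
    static String build(String idpSsoUrl, String authnRequestXml, String relayState) throws IOException {
        String encoded = deflateAndEncode(authnRequestXml);
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(idpSsoUrl)
                .queryParam("SAMLRequest", UriUtils.encode(encoded, StandardCharsets.ISO_8859_1));
        if (StringUtils.hasText(relayState)) {
            builder.queryParam("RelayState", UriUtils.encode(relayState, StandardCharsets.ISO_8859_1));
        }
        // build(true): components are already percent-encoded above
        return builder.build(true).toUriString();
    }

    public static void main(String[] args) throws IOException {
        String xml = "<samlp:AuthnRequest ID=\"_placeholder\"/>"; // constructed placeholder
        String idp = "https://idp.example.test/adfs/ls/";         // constructed placeholder
        System.out.println(build(idp, xml, null));        // no RelayState parameter at all
        System.out.println(build(idp, xml, ""));          // same: blank is treated as absent
        System.out.println(build(idp, xml, "/app/home")); // RelayState=%2Fapp%2Fhome appended
    }
}
```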

Comment From: rwinch

@clemstoquart Thanks for trying the new SAML support and the report! It seems reasonable that if RelayState has no value for it to be omitted from the response. Would you be able to submit a PR for this?

Comment From: clemstoquart

@rwinch Yes I'll try to do that tomorrow :)

Comment From: blucas

@fhanik Will this bugfix be backported to 5.2.2?

Comment From: jzheaux

@blucas this has been backported via https://github.com/spring-projects/spring-security/issues/8070