Describe the bug
RelayState is an optional value, so if it is not provided or is empty, it doesn't need to be part of the signing calculation.
To Reproduce
```java
// in org.springframework.security.saml2.provider.service.web.authentication.OpenSamlAuthenticationRequestResolver#resolve(HttpServletRequest, BiConsumer)
....
Map<String, String> parameters = OpenSamlSigningUtils.sign(registration)
		.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded)
		.param(Saml2ParameterNames.RELAY_STATE, relayState).parameters();
builder.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
		.signature(parameters.get(Saml2ParameterNames.SIGNATURE));
```
Expected behavior
```java
// L177 in org.springframework.security.saml2.provider.service.web.authentication.OpenSamlAuthenticationRequestResolver
...
		.param(Saml2ParameterNames.RELAY_STATE, relayState).parameters();
```
RelayState should only be included when it is not null or empty.
Comment From: marcusdacoregio
Hi, @fr2lancer, thanks for the report. Is the empty relay state property causing you problems with the signature?
Comment From: fr2lancer
Hi. Thanks for the reply.
Yes, it has caused an auth request signing mismatch error with Azure.
Comment From: marcusdacoregio
Is there any reason why you do not want to add the relay state parameter? I'm just trying to understand your use case.
Comment From: fr2lancer
Hi. It's just that the existing code didn't send RelayState when you log in, while it sent it during registration.
Comment From: marcusdacoregio
Hi, @fr2lancer. I don't think I follow exactly what you meant in your last comment, can you elaborate more on that?
Do you mean that if RelayState is null then we should not consider it as a signature component?
Comment From: fr2lancer
Hi,
the example is:
AuthRequest=AAA -> (no RelayState). This is the data my app sends to the IdP, so this string is what should be used in the signature calculation.
However, in the current logic,
AuthRequest=AAA&RelayState= is used in the signing calculation, even though no RelayState value is provided.
So it causes a mismatch.
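The mismatch described in this thread, as an added example that is not part of the original issue or of Spring Security's code: under the SAML 2.0 HTTP-Redirect binding the SP signs the literal octets `SAMLRequest=<urlenc>[&RelayState=<urlenc>]&SigAlg=<urlenc>`, and the IdP rebuilds that string from the parameters it actually received, so a `RelayState=` that is signed but never sent can only fail verification. The Go program below (chosen because its standard library has RSA, DEFLATE and URL encoding, so it runs offline) models both sides with real RSA-SHA256; the `signEmptyRelayState` flag reproduces the reported behaviour, and the `RelayState` query parameter is emitted only when non-empty, matching what the reporter saw on the wire. The parameter is spelled `SAMLRequest` here, as in the binding, where the last comment writes `AuthRequest`. All function names, the sample `AuthnRequest` XML and the SP/IdP behaviour are assumptions of this example, not the library's own.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256 (the Redirect binding's SigAlg parameter) and a
// constructed stand-in for the AuthnRequest XML that OpenSAML would build.
const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
const sampleAuthnRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"/>`

// deflateAndEncode is the Redirect binding's raw DEFLATE + base64 step.
func deflateAndEncode(xml string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // only fails for an invalid level
	_, err := w.Write([]byte(xml))
	if err == nil {
		err = w.Close()
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), err
}

// signedString builds the octets the Redirect binding signs, in this fixed order:
// SAMLRequest=<urlenc>[&RelayState=<urlenc>]&SigAlg=<urlenc>. signEmptyRelayState=true
// reproduces the reported bug: "RelayState=" is signed even though the value is empty.
func signedString(samlRequest, relayState string, signEmptyRelayState bool) string {
	parts := []string{"SAMLRequest=" + url.QueryEscape(samlRequest)}
	if relayState != "" || signEmptyRelayState {
		parts = append(parts, "RelayState="+url.QueryEscape(relayState))
	}
	parts = append(parts, "SigAlg="+url.QueryEscape(sigAlgRSASHA256))
	return strings.Join(parts, "&")
}

// buildRedirectQuery is the SP side. The query carries RelayState only when it is
// non-empty (what the reporter saw on the wire); the signature may or may not cover it.
func buildRedirectQuery(key *rsa.PrivateKey, authnRequestXML, relayState string, signEmptyRelayState bool) (string, error) {
	encoded, err := deflateAndEncode(authnRequestXML)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(signedString(encoded, relayState, signEmptyRelayState)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	query := signedString(encoded, relayState, false) // the parameters actually sent
	return query + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyRedirectQuery is the IdP side: it rebuilds the signed octets from the values
// exactly as received (still URL-encoded), covering RelayState only if present.
func verifyRedirectQuery(pub *rsa.PublicKey, query string) error {
	raw := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		name, value, _ := strings.Cut(kv, "=")
		raw[name] = value
	}
	if alg, err := url.QueryUnescape(raw["SigAlg"]); err != nil || alg != sigAlgRSASHA256 {
		return fmt.Errorf("unsupported or missing SigAlg %q", raw["SigAlg"])
	}
	parts := []string{"SAMLRequest=" + raw["SAMLRequest"]}
	if v, ok := raw["RelayState"]; ok {
		parts = append(parts, "RelayState="+v)
	}
	parts = append(parts, "SigAlg="+raw["SigAlg"])
	sigB64, err := url.QueryUnescape(raw["Signature"])
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(strings.Join(parts, "&")))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	for _, signEmpty := range []bool{true, false} {
		query, err := buildRedirectQuery(key, sampleAuthnRequest, "", signEmpty)
		if err != nil {
			panic(err)
		}
		fmt.Printf("empty RelayState, signEmptyRelayState=%v -> IdP verify: %v\n", signEmpty, verifyRedirectQuery(&key.PublicKey, query))
	}
}
```

With an empty RelayState the first run fails with `crypto/rsa: verification error` and the second passes; with a non-empty RelayState both paths agree, which is why the problem only shows up on requests that carry no relay state. The IdP side deliberately concatenates the received, still-encoded values rather than re-encoding decoded ones, because the binding signs the exact octets on the wire; it also pins `SigAlg` before verifying so a request cannot downgrade the algorithm.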