Clarify the real nature of the RelayState parameter for SSO and SLO#316
Merged
pitbulk merged 2 commits into SAML-Toolkits:master on Jun 25, 2021
Conversation
In the most simple case, the RelayState may be used as a "returnUrl", but I think it's important to underline that the RelayState does not necessarily need to be a return URL. Indeed, the SAML 2.0 specification clarifies that a limit of max 80 characters exists for it (at least in the case of the HTTP-Redirect binding) and that a protection method against tampering is suggested. Therefore, a return URL in general would probably be a non-ideal use of the RelayState parameter, so let's give the latter the relevance it deserves.
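An added example (my own code, not the PR's and not the SAML-Toolkits code) of the approach the description argues for: the RelayState is an opaque, HMAC-tagged, length-bounded id that the SP resolves server-side on the way back, so the return URL itself never travels in the parameter and cannot be tampered with or turned into an open redirect. The key, the in-memory pending map and the treatment of the 80-byte HTTP-Redirect limit as a hard bound on both directions are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real SP keeps it in configuration.
SECRET = b"example-sp-relaystate-key"
# SAML 2.0 Bindings (HTTP-Redirect): RelayState MUST NOT exceed 80 bytes.
MAX_RELAY_STATE = 80

# Server-side map from opaque state id -> destination chosen at login/logout time.
_pending = {}


def _tag(state_id: str) -> str:
    """Truncated HMAC-SHA256 over the state id, URL-safe base64 without padding."""
    mac = hmac.new(SECRET, state_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()


def make_relay_state(return_url: str) -> str:
    """Mint an opaque RelayState for an AuthnRequest or LogoutRequest.

    The destination is stored server-side; only "<id>.<tag>" leaves the SP.
    """
    state_id = secrets.token_urlsafe(12)          # 16 URL-safe characters
    _pending[state_id] = return_url
    relay_state = f"{state_id}.{_tag(state_id)}"  # 16 + 1 + 22 = 39 bytes
    assert len(relay_state.encode()) <= MAX_RELAY_STATE
    return relay_state


def resolve_relay_state(relay_state: str, default: str = "/") -> str:
    """Validate the RelayState echoed back by the IdP and recover the destination.

    Oversized, malformed, mis-tagged or unknown values fall back to `default`
    instead of being followed, so a raw URL smuggled into RelayState is ignored.
    """
    if not relay_state or len(relay_state.encode()) > MAX_RELAY_STATE:
        return default
    state_id, sep, tag = relay_state.partition(".")
    if not sep or not tag.isascii() or not hmac.compare_digest(tag, _tag(state_id)):
        return default
    # One-shot: pop the entry so a replayed RelayState cannot be reused.
    return _pending.pop(state_id, default)
```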
ab7e4d7 to 3c79c8c
Contributor
I agree that 'returnUrl' was a simplistic way to handle the RelayState concept.
I know this might be considered an opinionated cosmetic change, but please read on the rationale behind this renaming.

In the most simple case, the RelayState may be used as a "returnUrl", but I think it's important to underline that the RelayState does not necessarily need to be a return URL. Indeed, the SAML 2.0 specification clarifies that a limit of max 80 characters exists for it (at least in the case of the HTTP-Redirect binding) and that a protection method against tampering is suggested.

Therefore, a return URL in general would probably be a non-ideal use of the RelayState parameter, so let's give the latter the relevance it deserves.