I am currently experiencing an error in my service provider when signing in, specifically when the middleware is processing a RelayState parameter:
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Saml2.Authentication.Core.Extensions.SamlStringExtensions.DeflateDecompress(String value)
at Saml2.Authentication.Core.Bindings.HttpRedirectBinding.GetResponse()
at Saml2.Authentication.Core.Services.SamlService.ReceiveHttpRedirectAuthnResponseAsync(String initialRequestId)
at Saml2.Authentication.Core.Authentication.Saml2Handler.HandleSignIn()
at Saml2.Authentication.Core.Authentication.Saml2Handler.HandleRequestAsync()
After comparing the SAML2 implementation to the standard, I found a possible discrepancy.
The code calls DeflateDecompress() on RelayState, which is implemented to deflate and thereby base64-decode the value; see Saml2.Authentication.Core/Source/Saml2.Authentication.Core/Bindings/HttpRedirectBinding.cs, line 110 at commit 23b6dc9.
However, looking in the SAML2 standard I see the following:
3.6.3.2 URL Encoding
...
If a “RelayState” value is to accompany the SAML artifact, it MUST be URL-encoded and placed in an
additional query string parameter named RelayState.
3.6.3.3 Form Encoding
...
If a “RelayState” value is to accompany the SAML artifact, it MUST be placed in an additional hidden form
control named RelayState, within the same form with the SAML message
Only the SAMLResponse is mentioned in the standard to be base64-encoded, not the separate RelayState parameter in the query/form body. (Note that there can also be a separate RelayState parameter inside the SAMLResponse, which is of course implicitly base64-encoded.)
I would love some input on this, since I am not that familiar with SAML, and I might have missed something in the standard.
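To make the encoding rules under discussion concrete, here is an added example (not code from the issue or from the Saml2.Authentication.Core project) that implements both sides of the SAML HTTP-Redirect binding in Python. The SAMLResponse value is raw-DEFLATEd, base64-encoded and then URL-encoded, while RelayState is only URL-encoded (and, per SAML Bindings 3.1.1, at most 80 bytes). The sample XML and RelayState values are constructed for the example; buggy_parse_relay_state reproduces the failure mode reported above by running RelayState through the base64/inflate path meant for SAMLResponse, which is the error a service provider hits as soon as an IdP sends a plain-text RelayState.

```python
import base64
import urllib.parse
import zlib
from typing import Optional

# Constructed sample values; not taken from the issue.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-response-id"/>'
)
# A realistic RelayState: opaque application state, deliberately NOT base64.
SAMPLE_RELAY_STATE = "/app/return?page=2&tab=billing"

RELAY_STATE_MAX_BYTES = 80  # SAML Bindings 3.1.1: MUST NOT exceed 80 bytes


def deflate_base64(xml: str) -> str:
    """Encode a SAML message for HTTP-Redirect: raw DEFLATE, then base64."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_base64(value: str) -> str:
    """Reverse of deflate_base64. Raises ValueError on non-base64 input."""
    raw = base64.b64decode(value, validate=True)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def build_redirect_query(response_xml: str, relay_state: Optional[str]) -> str:
    """IdP side: build the query string for an HTTP-Redirect binding response."""
    params = {"SAMLResponse": deflate_base64(response_xml)}
    if relay_state is not None:
        if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
            raise ValueError("RelayState exceeds 80 bytes")
        # RelayState is passed through as-is; urlencode below URL-encodes it.
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def parse_redirect_query(query: str) -> dict:
    """SP side: decode SAMLResponse, and take RelayState as an opaque string.

    parse_qsl already URL-decodes both parameters. Only SAMLResponse gets the
    base64 + inflate step; RelayState is returned untouched. Treat it as
    untrusted input: use it to look up state the SP stored itself, or validate
    it against an allowlist before using it as a redirect target.
    """
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return {
        "response_xml": inflate_base64(params["SAMLResponse"]),
        "relay_state": params.get("RelayState"),
    }


def buggy_parse_relay_state(query: str) -> str:
    """Reproduces the misbehaviour from the issue: RelayState sent through the
    SAMLResponse decoder. Raises ValueError for any plain-text RelayState."""
    params = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return inflate_base64(params["RelayState"])


def relay_state_round_trips(relay_state: str) -> bool:
    """Helper: does a RelayState survive encode -> parse unchanged?"""
    query = build_redirect_query(SAMPLE_RESPONSE_XML, relay_state)
    return parse_redirect_query(query)["relay_state"] == relay_state


if __name__ == "__main__":
    q = build_redirect_query(SAMPLE_RESPONSE_XML, SAMPLE_RELAY_STATE)
    print("query string:", q)
    print("parsed:", parse_redirect_query(q))
    try:
        buggy_parse_relay_state(q)
    except ValueError as exc:
        print("buggy path fails as in the issue:", exc)
```

Running the script prints the encoded query string, the correctly parsed result, and the ValueError raised by the buggy path; the correct parser returns the RelayState exactly as the IdP sent it.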