
Base64 decoding of RelayState

Open samolesen opened this issue 3 years ago • 0 comments

I am currently experiencing an error in my service provider, when signing in. Specifically when the middleware is processing a RelayState-parameter:

```
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at Saml2.Authentication.Core.Extensions.SamlStringExtensions.DeflateDecompress(String value)
   at Saml2.Authentication.Core.Bindings.HttpRedirectBinding.GetResponse()
   at Saml2.Authentication.Core.Services.SamlService.ReceiveHttpRedirectAuthnResponseAsync(String initialRequestId)
   at Saml2.Authentication.Core.Authentication.Saml2Handler.HandleSignIn()
   at Saml2.Authentication.Core.Authentication.Saml2Handler.HandleRequestAsync()
```

After comparing the SAML2 implementation to the standard, I found a possible discrepancy. The code calls the DeflateDecompress() on RelayState, which is implemented to deflate and thereby base64-decode the value: https://github.com/jkmu/Saml2.Authentication.Core/blob/23b6dc9b32d8e7f147236af337c904ad0441e1e1/Source/Saml2.Authentication.Core/Bindings/HttpRedirectBinding.cs#L110

However, looking in the SAML2 standard I see the following:

3.6.3.2 URL Encoding ... If a “RelayState” value is to accompany the SAML artifact, it MUST be URL-encoded and placed in an additional query string parameter named RelayState.

3.6.3.3 Form Encoding ... If a “RelayState” value is to accompany the SAML artifact, it MUST be placed in an additional hidden form control named RelayState, within the same form with the SAML message

Only the SAMLResponse is mentioned in the standard to be base64-encoded, not the separate RelayState-parameter in the query/form body. (Note that there can also be a separate RelayState-parameter inside the SAMLResponse, which is of course implicitly base64-encoded.)

I would love some input on this, since I am not that familiar with SAML, and I might have missed something in the standard.

samolesen avatar Aug 19 '22 11:08 samolesen
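The decoding split the issue describes, as an added Python example that is not part of the project or this report: in the HTTP-Redirect binding only the SAMLRequest/SAMLResponse parameter is DEFLATE-compressed and base64-encoded, while RelayState is taken as-is after normal query-string decoding. The sample XML, RelayState and URL are constructed here; `relay_state_is_valid_base64` reproduces why feeding an opaque RelayState to a base64 decoder fails.

```python
import base64
import binascii
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

def inflate_b64(value: str) -> str:
    """Decode a SAMLRequest/SAMLResponse from the HTTP-Redirect binding:
    base64 -> raw DEFLATE (no zlib header, hence wbits=-15)."""
    raw = base64.b64decode(value, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")

def deflate_b64(xml: str) -> str:
    """Inverse of inflate_b64; used here only to build the sample URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def parse_redirect_binding(url: str) -> dict:
    """Split a redirect-binding URL into the decoded SAML message and the
    RelayState. Only the SAML message is inflated; RelayState is returned
    exactly as the query-string decoding yielded it (no base64, no inflate)."""
    params = parse_qs(urlsplit(url).query, strict_parsing=True)
    key = "SAMLResponse" if "SAMLResponse" in params else "SAMLRequest"
    result = {"message": inflate_b64(params[key][0])}
    if "RelayState" in params:
        result["relay_state"] = params["RelayState"][0]
    return result

def relay_state_is_valid_base64(value: str) -> bool:
    """Mirror of the faulty approach: would a strict base64 decode succeed?"""
    try:
        base64.b64decode(value, validate=True)
        return True
    except binascii.Error:
        return False

# Constructed sample data: a minimal response and an opaque, non-base64 RelayState.
SAMPLE_XML = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example"/>'
SAMPLE_RELAY = "https://sp.example.test/return?page=1"
SAMPLE_URL = "https://sp.example.test/saml/acs?" + urlencode(
    {"SAMLResponse": deflate_b64(SAMPLE_XML), "RelayState": SAMPLE_RELAY})

if __name__ == "__main__":
    parsed = parse_redirect_binding(SAMPLE_URL)
    print(parsed["message"] == SAMPLE_XML, parsed["relay_state"])
    print("RelayState base64-decodable:", relay_state_is_valid_base64(SAMPLE_RELAY))
```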