samlify icon indicating copy to clipboard operation
samlify copied to clipboard
verified publisher icon tngan

Why is the relayState attribute a part of EntitySettings?

Open osuvaldo90 opened this issue 7 years ago • 11 comments

Perhaps it is my misunderstanding of the SAML protocol but it seems as if it would make more sense to have relayState as a parameter to createLoginRequest().

osuvaldo90 avatar Feb 02 '18 00:02 osuvaldo90

@osuvaldo90 I quickly review the code, in fact, right now you can pass the relayState in the entity constructor.

const sp = serviceProvider({
  relayState: ...
});

tngan avatar Feb 02 '18 08:02 tngan

Thanks @tngan. My concern is mainly with using RelayState to communicate back to my service provider what the user wanted to do before being redirected to the identity provider. The fact that relayState has to be specified in the ServiceProvider constructor means I have to create a new instance of ServiceProvider for every request which involves parsing the XML metadata. While the XML is small it seems wasteful and potentially inefficient to do this for every request with a large enough number of requests per second.

Additionally, I began working on a solution to #157 and encountered the following TypeScript error when attempting to pass in relayState to the ServiceProvider constructor:

Object literal may only specify known properties, and 'relayState' does not exist in type 'ServiceProviderSettings'.

const sampleRelayState = 'SampleRelayState'

const spNoAssertSignCustomConfig = serviceProvider({
  ...defaultSpConfig,
  metadata: spmetaNoAssertSign,
  signatureConfig: {
    prefix: 'ds',
    location: { reference: '/samlp:Response/saml:Issuer', action: 'after' },
  },
  relayState: sampleRelayState
});

osuvaldo90 avatar Feb 02 '18 18:02 osuvaldo90

The SAML 2.0 Wikipedia page seems to imply that RelayState is certainly a property of the login request and response flow rather than the ServiceProvider as a whole.

osuvaldo90 avatar Feb 02 '18 18:02 osuvaldo90

@osuvaldo90

Sorry for the late reply. Thanks for catching this. Yes, it would be good to move it into request level instead of entity level.

tngan avatar Feb 14 '18 08:02 tngan

I monkey patch the entitySetting prior to the call (to avoid recreating the sp object), is there any implications on doing this as a workaround?

sp.entitySetting.relayState = "http://example.com";
sp.createLoginRequest(idp, 'redirect');

(omitted code for restoring relayState value)

Would a change to move this to a parameter for createLoginRequest instead be a good entry-level feature for a contributor?

Thanks!

eliasson avatar Aug 02 '18 08:08 eliasson

@eliasson Yes, this is a mistake when I have designed the interface. I will find a way to put it back to request level.

tngan avatar Aug 03 '18 10:08 tngan

I was just looking for a way to pass a returnurl to the login request and the relay state seems like what people use. Is there any progress on this since the last comment? I assume it’s not an easy fix

perbergland avatar Aug 24 '19 15:08 perbergland

@tngan Is there any progress on this issue?

ghost avatar May 09 '20 07:05 ghost

Do you need help implementing this ?

ABitShift avatar Feb 15 '23 10:02 ABitShift

@ABitShift Yes, feel free to submit a PR, thanks for recalling this.

tngan avatar Feb 15 '23 10:02 tngan