
I am trying to set up SAML and I've used SimpleSAMLphp for both my service provider and my identity provider. So now to test my service provider, I set up ssocircle to use as an alternative identity provider. The problem I'm having is that no matter what I do, it redirects to / instead of the RelayState (which SimpleSAMLphp uses to redirect at the end). Is there any part of the standard that addresses this? Should it always redirect to / or is ssocircle ignoring my parameters when it shouldn't be?

<a href="https://idp.ssocircle.com/sso/idpssoinit?metaAlias=%2Fpublicidp&spEntityID=https://myServer/simplesaml/module.php/saml/sp/metadata.php/sp2&RelayState=https://myServer/SAMLHandler.php?idp=2&destination=https://myServer/SAMLHandler.php?idp=2">Log in with ssocircle</a>

Based on the answers I changed it to the following, but I'm still seeing the same results.

<a href="https://idp.ssocircle.com/sso/idpssoinit?metaAlias=%2Fpublicidp&RelayState=https%3A%2F%2FmyServer%2FSAMLHandler.php%3Fidp%3D2&spEntityID=https%3A%2F%2FmyServer%2Fsimplesaml%2Fmodule.php%2Fsaml%2Fsp%2Fmetadata.php%2Fsp2">Log in with ssocircle</a>

Here is the order of links my browser sees:

https://idp.ssocircle.com/sso/hos/AdPage.jsp?returnUrl=/sso/idpssoinit&metaAlias=%2Fpublicidp&RelayState=https%3A%2F%2FmyServer%2FSAMLHandler.php%3Fidp%3D2&spEntityID=https%3A%2F%2FmyServer%2Fsimplesaml%2Fmodule.php%2Fsaml%2Fsp%2Fmetadata.php%2Fsp2

Then I click a box that says I'm not a robot. They don't believe me so I have to pick some images. Then it lets me continue.

https://idp.ssocircle.com/sso/idpssoinit?metaAlias=%2Fpublicidp&spEntityID=https%3A%2F%2FmyServer%2Fsimplesaml%2Fmodule.php%2Fsaml%2Fsp%2Fmetadata.php%2Fsp2&relayState=https%3A%2F%2FmyServer%2FSAMLHandler.php%3Fidp%3D2&g-recaptcha-response=03AOP2lf7g9SbzDz_d3YQ7s-RpbtUTdlIntJ8PCr-jHHK97Wmua4xHYOzk0jwRbbzbPUJnigOjEoCDib4LTcacS_0rd0rSvEve2JBZoDh5BxKHOFXae2Eht_ZYK2mOG6tS3VEwXxbM4u7Bgc3l3OY3tan2cRenS1aUcHQHggvlr32Jd5POg5a1wHm5cPx-AhdnRZZC3X-8pU1VSgjq4w1IqNBmCRCPICPOGWdnLrdab0-VOIV0NYkMFS66kUUFb69sTAASudJNZUds-6IFtmT2uqxBcMqAw25MrVUUj1q7LUl5E7t79lqW9zRhXc94TvsBJcrI1pEEWghK

And finally

https://myServer/

Although if I put a die() call in my AssertionConsumerService, it does die. Then if I print the $_REQUEST there is no RelayState.

Andrew

2 Answers


SAML and the SSOCircle IdP support the RelayState parameter. It will be sent alongside the SAMLResponse message as a POST parameter. Please make sure the parameters are properly URL encoded.

Update: For free SSOCircle accounts the IDP redirects to an additional captcha page. During the redirects the value of the RelayState was lost at the server. The issue is now fixed. The behavior could not be observed with paid subscription accounts as these users are not redirected to the captcha page.

Hos
    I've updated the question with the URLs my browser goes to. I changed the url encoding and see no difference. – Andrew Apr 13 '17 at 21:39
  • Fixing the url encoding and the detailed flow description helped to tackle the problem. It looks like the parameter gets lost in the captcha handling. My test was based on a paid subscription account which skips the "no robot" interception. Anyway please try again, it worked for me now. – Hos Apr 14 '17 at 08:48
  • Aha! I am getting RelayState back now! I'm still not getting redirected, but that must be on my side since I'm actually getting the param now. I suspect you are some kind of ssocircle developer... – Andrew Apr 14 '17 at 15:34
  • Yup, it's working now! Thank you! Do you want to add another answer or edit this one so I can give you the ol' check mark? – Andrew Apr 14 '17 at 15:55
  • Hi @Hos, I'm getting this same issue here without a paid subscription. Has this issue returned? – JianYA Mar 16 '18 at 03:56

urlencode to the rescue; how would a browser differentiate between parameters that are part of the RelayState URL and parameters that are part of the SAML request itself?

Hans Z.
  • So I've changed it to `Log in with ssocircle` and I'm seeing the same result, a redirect to / – Andrew Apr 13 '17 at 20:50
  • well, the spEntityID is not urlencoded and hence it is not clear whether the RelayState parameter belongs to the URL or to the spEntityID parameter value; by default the former would be the case though; just making sure url-encoding is entirely correct – Hans Z. Apr 13 '17 at 21:15
  • I believe it's supposed to be separate, which is how it would be treated in the original url right? So why wouldn't it work? – Andrew Apr 13 '17 at 21:31
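The two answers above make two separate points: the IdP-initiated link must percent-encode each query value so that the IdP's parser can tell where RelayState ends (Hans Z.), and RelayState then comes back to the SP as a POST field next to SAMLResponse, so an SP that never sees it can only fall back to its default target (Hos). The following is an added example, not code from the question, from SimpleSAMLphp or from SSOCircle, written in Python because the encoding rules are generic; it reuses the idpssoinit URL and SP entity ID from the question and assumes a constructed RelayState with two query parameters (`idp=2&next=/dashboard`) so that the truncation caused by a raw `&` is visible. The host allowlist check in `acs_redirect_target` is a general hardening practice for any redirect target taken from the request, not something the page itself discusses.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the question.
IDP_SSO_INIT = "https://idp.ssocircle.com/sso/idpssoinit"
SP_ENTITY_ID = "https://myServer/simplesaml/module.php/saml/sp/metadata.php/sp2"

# Constructed RelayState (assumption): a second query parameter makes the
# effect of leaving the '&' unencoded visible.
RELAY_STATE = "https://myServer/SAMLHandler.php?idp=2&next=/dashboard"


def build_sso_url_unencoded(relay_state: str) -> str:
    """The way the first link in the question was assembled: the SP entity ID
    and the RelayState URL are pasted into the query string as-is."""
    return (f"{IDP_SSO_INIT}?metaAlias=%2Fpublicidp"
            f"&spEntityID={SP_ENTITY_ID}&RelayState={relay_state}")


def build_sso_url(relay_state: str) -> str:
    """Corrected link: urlencode() percent-encodes every value, so ':', '/',
    '?', '&' and '=' inside the SP entity ID and the RelayState cannot be
    mistaken for delimiters of the outer query string."""
    params = {
        "metaAlias": "/publicidp",
        "spEntityID": SP_ENTITY_ID,
        "RelayState": relay_state,
    }
    return f"{IDP_SSO_INIT}?{urlencode(params)}"


def query_as_seen_by_idp(url: str) -> dict:
    """Simulate what a query-string parser on the IdP side sees: split on '&',
    then on the first '=', then percent-decode. Returns name -> list of values."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def is_safe_relay_state(relay_state: str, allowed_hosts: set) -> bool:
    """RelayState is chosen by whoever builds the IdP-initiated link, so an SP
    should only redirect to it if it points at one of its own hosts."""
    parts = urlsplit(relay_state)
    return parts.scheme == "https" and parts.netloc in allowed_hosts


def acs_redirect_target(post_params: dict, allowed_hosts: set,
                        default: str = "/") -> str:
    """Decide where the SP sends the browser after consuming the SAMLResponse.
    RelayState arrives as a POST field beside SAMLResponse; if it is absent
    (as when the IdP dropped it) the SP has nothing better than its default,
    which is the redirect to '/' the question observed."""
    relay_state = post_params.get("RelayState")
    if not relay_state or not is_safe_relay_state(relay_state, allowed_hosts):
        return default
    return relay_state


if __name__ == "__main__":
    raw = query_as_seen_by_idp(build_sso_url_unencoded(RELAY_STATE))
    print("unencoded link -> RelayState:", raw["RelayState"][0])
    print("unencoded link -> stray top-level 'next':", raw.get("next"))
    enc = query_as_seen_by_idp(build_sso_url(RELAY_STATE))
    print("encoded link   -> RelayState:", enc["RelayState"][0])
    print("SP with no RelayState in POST ->",
          acs_redirect_target({"SAMLResponse": "<base64>"}, {"myServer"}))
```

With the raw link, the IdP sees RelayState cut off at the first `&` and a separate `next` parameter it never asked for; with the encoded link it recovers the full RelayState. The SP-side function shows the other half of the thread: when the IdP's captcha redirect lost the field, the POST to the AssertionConsumerService carried no RelayState and the default `/` won.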