My team is having a hard time coming up with a completely safe solution to transfer critical information through SAML RelayState. I hope you can give us some advice.

To give you a little bit of context, we are a Service Provider working with ~200 IdPs and with the following specifics:

  • our system has many 'organizations'
  • an account is defined by a pair of organization + credentials, meaning a user can have an account on 'Organization A' and another account on 'Organization B'. It can be the same user, even using the same email address, but for our system these are 2 completely different accounts
  • a single organization can connect to multiple IdPs. For example, we allow an organization to have an IdP for their employees and another IdP for their external consultants or whatever
  • we often have a single IdP shared by multiple Organizations

Our problem: during the callback phase, how to know which Organization the user is trying to log into?

Until now, whenever we add a new IdP to our system, we would first generate a unique Service Provider for this IdP and add the SP's UID to its EntityID + Metadata URL + consumer service URL.
By doing so, during the callback phase, we can easily find the IdP from the SP, and finally the Organization related to this IdP.

Obviously, this is not a sustainable solution. We have had many (justified) complaints, mostly from Organizations sharing the same IdP and from Federations.

Our problem with RelayState: we have an Organization + IdP discovery system in our application, meaning anyone can start an authentication flow with any IdP. Anyone could just start a flow with Organization A, copy the RelayState, start a flow with Organization B using an IdP they do have access to, replace the RelayState with the one from Organization A, and gain access to Organization A.

Do you think our system is deeply flawed? We thought about using the Issuer to verify the RelayState and we are running some tests, but I believe someone else has had a similar experience and can point us in the right direction!

I know it's a lot of information, please let me know if anything is unclear.

Thank you!

dlcso

Secure the `RelayState`. Use a checksum/pseudo-random value to validate and verify the `RelayState` against the `InResponseTo` value in the `SAMLResponse` sent by the IdP. – Akshay G Jan 10 '23 at 07:41

0 Answers
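The binding the comment above suggests, worked through as an added example that is not part of the post or of any SAML library. The RelayState is an opaque random handle to a server-side record holding the AuthnRequest ID, the organization chosen at discovery time and the IdP the request went to; on the ACS callback the SP looks the record up and requires `InResponseTo` and `Issuer` to match it. The organization names, IdP entityIDs, TTL and in-memory store are assumptions, and the `SAMLResponse` is represented as a dict of already-extracted fields, on the assumption that the SAML library has verified the signature before these checks run. The last scenario goes one step past the post: two organizations sharing one IdP, where the Issuer check alone could not tell the flows apart.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample configuration (assumption, not from the post): which IdP
# entityIDs each organization may use. org-a and org-c deliberately share an IdP.
ORG_IDPS = {
    "org-a": {"https://idp-shared.example.test/saml"},
    "org-b": {"https://idp-b.example.test/saml"},
    "org-c": {"https://idp-shared.example.test/saml"},
}

PENDING_TTL_SECONDS = 300  # assumed lifetime of an unanswered AuthnRequest


@dataclass
class PendingRequest:
    request_id: str     # ID attribute we put on the AuthnRequest
    org_id: str         # organization the user picked at discovery time
    idp_entity_id: str  # IdP the AuthnRequest was sent to
    expires_at: float


class SamlSp:
    """SP-side state: RelayState is a handle to a server-side record, never a
    carrier of the organization itself, so the client cannot rewrite it."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: Dict[str, PendingRequest] = {}  # RelayState -> record

    def start_login(self, org_id: str, idp_entity_id: str) -> Tuple[str, str]:
        """Begin a flow. Returns (request_id, relay_state); the caller builds the
        AuthnRequest with ID=request_id and sends relay_state alongside it."""
        if idp_entity_id not in ORG_IDPS.get(org_id, set()):
            raise ValueError("organization is not configured for that IdP")
        request_id = "_" + secrets.token_hex(16)  # xsd:ID must not start with a digit
        relay_state = secrets.token_urlsafe(32)   # unguessable, meaningless to the client
        self._pending[relay_state] = PendingRequest(
            request_id, org_id, idp_entity_id, self._now() + PENDING_TTL_SECONDS)
        return request_id, relay_state

    def finish_login(self, relay_state: str, response: dict) -> str:
        """Validate the ACS callback and return the org_id the user logs into.
        `response` holds 'issuer' and 'in_response_to' extracted from a
        SAMLResponse whose signature has already been verified."""
        record = self._pending.pop(relay_state, None)  # one-time use: no replay
        if record is None:
            raise PermissionError("unknown or already used RelayState")
        if self._now() > record.expires_at:
            raise PermissionError("RelayState expired")
        # The response must answer exactly the AuthnRequest this RelayState belongs to.
        if response.get("in_response_to") != record.request_id:
            raise PermissionError("InResponseTo does not match this RelayState")
        # And it must come from the IdP that request was sent to.
        if response.get("issuer") != record.idp_entity_id:
            raise PermissionError("Issuer is not the IdP this request went to")
        return record.org_id


def legitimate_login() -> str:
    """Normal flow: the user lands in the organization they chose."""
    sp = SamlSp()
    rid, rs = sp.start_login("org-b", "https://idp-b.example.test/saml")
    # Constructed stand-in for the fields of the IdP's real response.
    return sp.finish_login(rs, {"issuer": "https://idp-b.example.test/saml",
                                "in_response_to": rid})


def swap_across_idps_rejected() -> bool:
    """The attack from the post: RelayState of an org-a flow, response from org-b's IdP."""
    sp = SamlSp()
    _, rs_a = sp.start_login("org-a", "https://idp-shared.example.test/saml")
    rid_b, _ = sp.start_login("org-b", "https://idp-b.example.test/saml")
    try:
        sp.finish_login(rs_a, {"issuer": "https://idp-b.example.test/saml",
                               "in_response_to": rid_b})
    except PermissionError:
        return True
    return False


def swap_on_shared_idp_rejected() -> bool:
    """Same swap, but org-a and org-c share one IdP, so Issuer matches either
    flow; only the InResponseTo binding catches it."""
    sp = SamlSp()
    _, rs_a = sp.start_login("org-a", "https://idp-shared.example.test/saml")
    rid_c, _ = sp.start_login("org-c", "https://idp-shared.example.test/saml")
    try:
        sp.finish_login(rs_a, {"issuer": "https://idp-shared.example.test/saml",
                               "in_response_to": rid_c})
    except PermissionError:
        return True
    return False
```

Two points a real deployment needs on top of this: the signature must be checked against the metadata of `record.idp_entity_id` taken from the pending record, not against whatever IdP the message's own Issuer names, and when one IdP serves several organizations the binding only pins the callback to the organization chosen at discovery, so the SP still has to decide separately whether that IdP's user is entitled to an account in that organization.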