Sunday, October 9, 2011

com.bea.security.saml2.service.SAML2Exception: [Security:096575]The URL for relay state too long

In IdP initiated SSO, you might have a jsp/html resource at IdP end where SP services are defined having  similar form snippet:

<input type="hidden" name="SPName" value="<%=spname%>"
<input type="hidden" name="RequestURL" value="<%=requestURL%>"
<input type="hidden" name="param1" value="<%=value1%>"
<input type="hidden" name="param2" value="<%=value2%>"
<input type="hidden" name="param3" value="<%=value3%>"


However you are getting following exception whenever SP service is invoked from above jsp/html:

####<Sep 29, 2011 2:01:14 PM IST> <Debug> <SecuritySAML2Service> <MyMac> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1311113162898> <BEA-000000> <exception info
com.bea.security.saml2.service.SAML2Exception: [Security:096575]The URL for relay state too long.
at com.bea.security.saml2.service.sso.SSOServiceProcessor.doInitiator(SSOServiceProcessor.java:284)
at com.bea.security.saml2.service.sso.SSOServiceProcessor.process(SSOServiceProcessor.java:97)
at com.bea.security.saml2.service.sso.SingleSignOnServiceImpl.process(SingleSignOnServiceImpl.java:50)
at com.bea.security.saml2.cssservice.SAML2ServiceImpl.process(SAML2ServiceImpl.java:161)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.bea.common.security.utils.ThreadClassLoaderContextInvocationHandler.invoke(ThreadClassLoaderContextInvocationHandler.java:26)
at $Proxy28.process(Unknown Source)


Even after confirming the request URL is well within 80 bytes, you are puzzled what is going wrong? Well, RequestURL is well below 80 bytes. However, the RelayState is constructed such that:

RelayState=RequestURL+"?"
+"&"+param1+"="+value1
+"&"+param2+"="+value2
+"&"+param3+"="+value3
.....
+"&"+paramn+"="+valuen

This way, the RelayState might easily exceed 80 bytes.

Unfortunately, we cannot workaround this issue. This 80 byte constraint is put by SAML2 specs rather than WebLogic. An extract from SAML2 Bind specs(http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf):
=========================
3.4.3 RelayState
"RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value
MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the
message independent of any other protections that may or may not exist during message transmission.
Signing is not realistic given the space limitation, but because the value is exposed to third-party
tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a
pseudo-random value, or similar means."
=========================


The way forward would be to add lesser parameters that go from IdP to SP, or add these as attributes into the assertion. In this case, we have to write an attribute mapper(which is a kind of user plugin) to get attributes into the assertion. And if you are using WebLogic 10.3.4, it is possible to write this plugin as it is supported from 10.3.4 onwards. However there is nothing, I believe, that can be done on pre-wls 10.3.4

No comments:

Post a Comment