1
votes

I wish to confirm that RelayState is required for a valid signed SAML logout request.

We have federated Microsoft's ADFS 2012 R2 with Oracle's Identity Federation where ADFS is the SP and OIF is the IdP. As a basis, we followed Integrating ADFS 2.0/3.0 SP with OIF IdP.

Everything works, except logout. We have another SP doing a logout and working with OIF. One difference we've found is that ADFS is not sending a RelayState parameter with its signed logout request, but the other SP is. I've been using SAMLTool's Validate Logout Req, where I input the following:

  • SAML Logout Request
  • EntityId of the source
  • Target URL, Destination of the Logout Request
  • SigAlg
  • Signature of the SAML Logout Request
  • X.509 cert of the source (to check Signature)
  • Ignore timing issues: checked

That then gives me the error:

In order to check Signature you must provide the RelayState parameter and the X.509 cert

If I input RelayState along with my other values in SAMLTool's Validate Logout Req then it reports back that my signed logout request is valid.

In the case of ADFS, because it does not have a RelayState parameter, I cannot get SAMLTool's Validate Logout Req to say that a logout from ADFS is valid.

All that said, I cannot find anywhere in the SAML spec that says RelayState is required for a signed logout request. Can anyone confirm that it is required and back it up with documentation?

2 Answers

3
votes

The LogoutRequest message would not have a reference to the RelayState parameter (as the other post suggests) but it is part of the so-called binding that is used to convey messages between SAML parties. Assuming that the Logout uses the HTTP-Redirect, HTTP-POST or Artifact binding, the spec allows for the sender to include a RelayState parameter and the receiver must then return that same RelayState parameter as a part of the response (as a way for the sender to keep state).

See section 3.4.3 RelayState of the SAML bindings document: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for the HTTP-Redirect binding:

3.4.3 RelayState

RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message independent of any other protections that may or may not exist during message transmission. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD ensure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means. If a SAML request message is accompanied by RelayState data, then the SAML responder MUST return its SAML protocol response using a binding that also supports a RelayState mechanism, and it MUST place the exact data it received with the request into the corresponding RelayState parameter in the response. If no such value is included with a SAML request message, or if the SAML response message is being generated without a corresponding request, then the SAML responder MAY include RelayState data to be interpreted by the recipient based on the use of a profile or prior agreement between the parties.

For the other bindings a similar section exists. So as @nzpcmad says: it's not mandatory to include it in a request.
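An added example (not part of the answer above, and not ADFS or OIF code) showing the RelayState rules of the HTTP-Redirect binding in code: the string the redirect signature covers includes RelayState only when the sender supplied one, the responder echoes the value back unchanged or omits it, and the sender protects its own value with an unguessable token and the 80-byte limit. The query strings and tokens are constructed sample data, not real logout traffic.

```python
import secrets

MAX_RELAY_STATE_BYTES = 80  # SAML bindings 2.0, section 3.4.3


def raw_params(query: str) -> dict:
    """Split a query string WITHOUT decoding, keeping the sender's exact URL encoding.
    The redirect signature is computed over the encoded values as they were sent."""
    out = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[key] = value
    return out


def signed_string(query: str) -> str:
    """Octet string covered by the HTTP-Redirect signature (bindings 3.4.4.1):
    the message, then RelayState *only if present*, then SigAlg, in that order.
    A request without RelayState (as ADFS sends) is therefore still verifiable."""
    raw = raw_params(query)
    msg = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    return "&".join(f"{k}={raw[k]}" for k in (msg, "RelayState", "SigAlg") if k in raw)


def new_relay_state() -> str:
    """Sender side: a pseudo-random token (the spec's suggested integrity means),
    well inside the 80-byte limit; the sender remembers the tokens it issued."""
    return secrets.token_urlsafe(32)  # 43 URL-safe characters


def relay_state_ok(value: str, issued: set) -> bool:
    """Sender side, on receiving the response: accept only a value we issued ourselves."""
    return len(value.encode()) <= MAX_RELAY_STATE_BYTES and value in issued


def logout_response_query(request_query: str, saml_response: str, sig_alg: str) -> str:
    """Responder side: echo the request's RelayState exactly, or omit it when absent.
    saml_response and sig_alg are assumed to be already base64/URL-encoded."""
    raw = raw_params(request_query)
    parts = [("SAMLResponse", saml_response)]
    if "RelayState" in raw:
        parts.append(("RelayState", raw["RelayState"]))
    parts.append(("SigAlg", sig_alg))
    return "&".join(f"{k}={v}" for k, v in parts)


# Constructed sample queries (payloads are placeholders, not real SAML messages).
SIG_ALG = "http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256"
ADFS_STYLE_QUERY = f"SAMLRequest=fZExb8Iw&SigAlg={SIG_ALG}&Signature=AbCd"
WITH_RELAY_STATE = f"SAMLRequest=fZExb8Iw&RelayState=tok123&SigAlg={SIG_ALG}&Signature=AbCd"
```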

0
votes

Reading the SAMLv2 core spec "Single Logout Protocol" XML schema for the SAML LogoutRequestType

<element name="LogoutRequest" type="samlp:LogoutRequestType" />
<complexType name="LogoutRequestType">
    <complexContent>
        <extension base="samlp:RequestAbstractType">
            <sequence>
                <choice>
                    <element ref="saml:BaseID" />
                    <element ref="saml:NameID" />
                    <element ref="saml:EncryptedID" />
                </choice>
                <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded" />
            </sequence>
            <attribute name="Reason" type="string" use="optional" />
            <attribute name="NotOnOrAfter" type="dateTime" use="optional" />
        </extension>
    </complexContent>
</complexType>
<element name="SessionIndex" type="string" />

does not mention the RelayState element. The "Single Logout Profile" in the SAMLv2 profile spec also does not mention RelayState.

I would say this suggests that RelayState (which is a request parameter, so can only be used in a front-channel binding) is not mandatory.