Skip to content

Make SAML relayState max length configurable #6381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Make SAML relayState max length configurable #6381

wants to merge 1 commit into from

Conversation

@minwoox
Copy link
Contributor

@minwoox minwoox commented Sep 2, 2025
edited
Loading

Motivation:
The default SsoHandler currently omits relayState when its length exceeds 80 characters. Although the SAML spec defines an 80-character limit, many implementations do not strictly enforce it, and this restriction is often too tight in practice.

References:

Modifications:

  • Introduced SamlServiceProviderBuilder.relayStateMaxLength() to configure the maximum length.

Result:

  • You can override the default 80-character restriction for SAML relayState.

@minwoox
Motivation:
cad16c6 
The default `SsoHandler` currently omits `relayState` when its length exceeds 80 characters.
Although the SAML spec defines an 80-character limit, many implementations do not strictly enforce it,
and this restriction is often too tight in practice.

References:
- https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
- https://help.salesforce.com/s/articleView?id=000387925&type=1

Modifications:
- Introduced `SamlServiceProviderBuilder.relayStateMaxLength()` to configure the maximum length.

Result:
- You can override the default 80-character restriction for SAML relayState.
@minwoox minwoox added this to the 1.34.0 milestone Sep 2, 2025
@minwoox minwoox requested a review from ikhoon as a code owner September 2, 2025 05:21
minwoox
minwoox commented Sep 2, 2025
View reviewed changes
saml/src/main/java/com/linecorp/armeria/server/saml/HttpRedirectBindingUtil.java
// The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity
// creating the message independent of any other protections that may or may not exist
// during message transmission.
if (relayState.length() > 80) {
Copy link
Contributor Author

@minwoox minwoox Sep 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to check the relayState length here because it's not set in the default SsoHandler if it exceeds 80 characters, so let me just remove this condition.
Additionally, we were not checking this limit in the post binding, even though the Spec says it should.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 2, 2025

🔍 Build Scan® (commit: cad16c6)

Job name Status Build Scan®
build-ubicloud-standard-16-jdk-8 https://ge.armeria.dev/s/3zwjvsvegy3lc
build-ubicloud-standard-16-jdk-21-snapshot-blockhound https://ge.armeria.dev/s/vdpvznv5ndlue
build-ubicloud-standard-16-jdk-17-min-java-17-coverage ❌ (failure) https://ge.armeria.dev/s/kmmwy2cgscyzg
build-ubicloud-standard-16-jdk-17-min-java-11 https://ge.armeria.dev/s/4i7ghrt76z4zs
build-ubicloud-standard-16-jdk-17-leak https://ge.armeria.dev/s/cjbzwu46rs3yc
build-ubicloud-standard-16-jdk-11 https://ge.armeria.dev/s/5xb2iguiia4l6
build-macos-latest-jdk-21 ❌ (failure) https://ge.armeria.dev/s/pnrtog4irbude

@minwoox minwoox changed the title Motivation: Make SAML relayState max length configurable Sep 2, 2025
ikhoon
ikhoon approved these changes Sep 2, 2025
View reviewed changes
Copy link
Contributor

@ikhoon ikhoon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 👍

@minwoox minwoox mentioned this pull request Sep 5, 2025
Merged
@github-actions github-actions bot added the Stale label Oct 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ikhoon ikhoon ikhoon approved these changes

@jrhee17 jrhee17 jrhee17 approved these changes

@trustin trustin Awaiting requested review from trustin trustin is a code owner

Assignees

No one assigned

Labels

improvement Stale

Projects

None yet

Milestone

1.34.0

Development

Successfully merging this pull request may close these issues.

3 participants

@minwoox @ikhoon @jrhee17