
Comments (9)

itzg avatar itzg commented on August 29, 2024

RelayState is generated by the SAML library and it is a Base64 encoding of a random 42 bytes. What kind of number are you observing?

In any case, RelayState seems to be limited to 80 bytes: https://github.com/crewjam/saml#relaystate . Would that be enough space to store a URL?

Apparently I have very few logs that report at debug level, which is why it looked like that wasn't working.

from saml-auth-proxy.

ohaya avatar ohaya commented on August 29, 2024

Hi,

Thanks for responding!

We haven't actually seen the number, but we were looking at your code and noticed that it was using a random number.

We have been working with SAML stuff for quite a while (with Oracle products) and actually I wasn't aware of using the random number (we've always used URLs for the RelayState), but I did find one of the PING pages explaining the random number.

And yes, 80 chars would be enough for the URLs that we are working with, but I think one of my colleagues is reviewing the random number thing.

We have been trying to get your SAML proxy working in a test scenario using Oracle OAM for the authentication, and our tests have been failing, and the Oracle stuff hasn't produced much information about why it is failing, so when we noticed that your proxy populates the RelayState with a random number (which is NOT URL-formatted), we think that might be causing the failure (I am pretty sure the Oracle federation software validates the URL to conform with Java URL format) and probably when it is trying to "parse the random number", it is returning empty parts of what it thinks are URL parts, and then is causing a NullPointerException.

So while we will look into random numbers, we wanted to try to do a quick confirmation about whether our guess about what the problem is (the random number vs. a URL) is correct, so I was hoping that the proxy might have a parameter that would set it to allow a URL for the "-backend-url" parameter.

So if there is/was a way to quickly set up a test with a URL to see if that eliminates the error we are seeing, that would be nice (we don't do a lot of Go development, but one of us tried to build from your source and got some kind of error).

Thanks again for responding!

Jim

itzg avatar itzg commented on August 29, 2024

Yeah, let me see how easily I could get a parameter in there for that option.

itzg avatar itzg commented on August 29, 2024

With 1.10.0 you can now add --static-relay-state with the URL string. I'm not sure how to test it very much, but I did see the value I gave come back in the network trace.

ohaya avatar ohaya commented on August 29, 2024

Hi,
Thanks - so with 1.10.0, do we use the new parameter and not use the "-backend-url" parameter?

Pls advise.

Thanks,
Jim

ohaya avatar ohaya commented on August 29, 2024

(Can you confirm that I should remove the "backend-url" parameter and add the "static-relay-state" parameter?)

ALSO in your message above you had TWO DASHES in front of the "static-relay-state" parameter? Should that have ONE DASH? Or TWO DASHES?

I just did a test. For the SAML proxy, I REMOVED the "-backend-url" parameter and ADDED "-static-relay-state" to the parameters and then did a request to the SAML Proxy URL/end point, http://:8080.

This caused a request to be sent to the Oracle OAM federation endpoint, which caused a cert popup

I selected a good cert, and then I ended up on a not-so-helpful "blue" OAM error page:

"System error. Please re-try your action. If you continue to get this error, please contact the Administrator."

The AuthnRequest that is being sent to OAM is something like:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="id-d769c5a38f601e31d0d37c5cc72aba89c516096f"
Version="2.0"
IssueInstant="2023-01-26T06:29:04.045Z"
Destination="https://<OAM_SERVER>/oamfed/idp/samlv20"
AssertionConsumerServiceURL="http://<THE_SAML_PROXY_HOST_PORT>/saml/acs"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://<THE_SAML_PROXY_HOST_PORT>/saml/metadata</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
AllowCreate="true"
/>
</samlp:AuthnRequest>

The problem I am having at this point is that there is no logging output by OAM or by the saml proxy.

I think this IS different from the test with the .09 version of the SAML Proxy (better, I think), where we were getting some other error page, not from OAM, but I cannot identify the problem.

We are going to have to figure out why OAM is not outputting more logging and will let you know.

Thanks,
Jim

ohaya avatar ohaya commented on August 29, 2024

Hi,

So it looks like they figured out what the problem was and are able to go back to your original functionality for the RelayState.

There were apparently some additional configuration on OAM side that they needed to complete to get it to work.

Thank you very much for your help!

Jim

itzg avatar itzg commented on August 29, 2024

Excellent.

To answer your earlier question, you will need to declare both backend URL and the static relay state. The latter is just wanting any kind of string -- in your case you're needing a string that is a URL 😀.

Is it ok to close the issue now?
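
The two technical points in this thread (the library's random 42-byte, Base64-encoded RelayState with its 80-byte limit, and the later --static-relay-state option that carries a URL) can be checked with a small pre-flight routine. The following Go code is an added example, not code from saml-auth-proxy or crewjam/saml; checkRelayState and its allowedHosts parameter are hypothetical, and the allowed-host check is a defensive addition that the thread itself does not describe.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Limit quoted in the thread from the crewjam/saml README (and the SAML bindings spec).
const maxRelayStateBytes = 80

// randomRelayState reproduces what the thread describes the library doing:
// 42 random bytes, base64-encoded, which yields a 56-character string.
func randomRelayState() (string, error) {
	buf := make([]byte, 42)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// checkRelayState is a hypothetical pre-flight check: every value must fit the
// 80-byte limit, and a value meant to be a URL (the --static-relay-state case)
// must be an absolute http(s) URL on an expected host, so that a RelayState echoed
// back by the IdP cannot redirect the browser elsewhere after login.
func checkRelayState(rs string, mustBeURL bool, allowedHosts []string) error {
	if n := len(rs); n == 0 || n > maxRelayStateBytes {
		return fmt.Errorf("relay state is %d bytes, limit is 1..%d", n, maxRelayStateBytes)
	}
	if !mustBeURL {
		return nil
	}
	u, err := url.Parse(rs)
	if err != nil {
		return fmt.Errorf("relay state is not a parseable URL: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return errors.New("relay state URL must be absolute with an http or https scheme")
	}
	for _, h := range allowedHosts {
		if u.Host == h {
			return nil
		}
	}
	return fmt.Errorf("relay state host %q is not in the allowed list", u.Host)
}

func main() {
	rs, _ := randomRelayState()
	fmt.Println(len(rs), checkRelayState(rs, false, nil))
	fmt.Println(checkRelayState("https://app.example.com/home", true, []string{"app.example.com"}))
}
```

The hosts in main are constructed sample values; substitute the proxy's own external hostname.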

ohaya avatar ohaya commented on August 29, 2024

Oops. Sorry, yes, please go ahead and close this issue. FYI, we may have other scenarios where the relay state URL functionality may be of use in the future.

Thanks!

Also, they have encountered another problem (or maybe question). I will post a new issue in a bit, once I can gather more information.

Thanks again!

Jim