Description
I am currently experiencing an error in my service provider when signing in, specifically when the middleware is processing the RelayState parameter:
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Saml2.Authentication.Core.Extensions.SamlStringExtensions.DeflateDecompress(String value)
at Saml2.Authentication.Core.Bindings.HttpRedirectBinding.GetResponse()
at Saml2.Authentication.Core.Services.SamlService.ReceiveHttpRedirectAuthnResponseAsync(String initialRequestId)
at Saml2.Authentication.Core.Authentication.Saml2Handler.HandleSignIn()
at Saml2.Authentication.Core.Authentication.Saml2Handler.HandleRequestAsync()
After comparing the SAML2 implementation to the standard, I found a possible discrepancy.
The code calls DeflateDecompress() on RelayState, which is implemented to deflate and thereby base64-decode the value:
Saml2.Authentication.Core/Source/Saml2.Authentication.Core/Bindings/HttpRedirectBinding.cs
Line 110 in 23b6dc9
RelayState = form[SamlRelayStateQueryKey].ToString()?.DeflateDecompress()
However, looking in the SAML2 standard I see the following:
3.6.3.2 URL Encoding
...
If a “RelayState” value is to accompany the SAML artifact, it MUST be URL-encoded and placed in an
additional query string parameter named RelayState.
3.6.3.3 Form Encoding
...
If a “RelayState” value is to accompany the SAML artifact, it MUST be placed in an additional hidden form
control named RelayState, within the same form with the SAML message
Only the SAMLResponse is mentioned in the standard as being base64-encoded, not the separate RelayState parameter in the query string/form body. (Note that there can also be a separate RelayState parameter inside the SAMLResponse, which is of course implicitly base64-encoded.)
I would love some input on this, since I am not that familiar with SAML, and I might have missed something in the standard.
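The encoding asymmetry discussed in this issue, shown as an added example in Python. This is not code from the issue or from the Saml2.Authentication.Core project: the function names are the editor's own, and the sample Response XML and RelayState value are constructed. It builds an HTTP-Redirect binding query string the way the SAML 2.0 Bindings specification describes it (the SAML message is DEFLATE-compressed, base64-encoded and URL-encoded; RelayState is only URL-encoded and capped at 80 bytes per section 3.4.3), parses it back, and shows that applying the base64+inflate step to a typical RelayState value fails, which is the failure mode reported in the stack trace above.

```python
"""Added example: SAML 2.0 HTTP-Redirect binding encoding of SAMLResponse vs RelayState.
Not part of the original issue or of the Saml2.Authentication.Core project."""
import base64
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

RELAY_STATE_MAX_BYTES = 80  # SAML 2.0 Bindings, section 3.4.3

# Constructed sample inputs (not captured from a real IdP).
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0"/>'
)
SAMPLE_RELAY_STATE = "https://sp.example.org/return?page=dashboard"


def deflate_base64(xml: str) -> str:
    """Redirect-binding encoding of the SAML message: raw DEFLATE (RFC 1951,
    no zlib header, hence wbits=-15), then base64."""
    compressor = zlib.compressobj(wbits=-15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_base64(value: str) -> str:
    """Inverse of deflate_base64. Strict base64 decoding mirrors the behaviour
    of .NET's Convert.FromBase64String, which rejects non-alphabet characters."""
    data = base64.b64decode(value, validate=True)
    return zlib.decompress(data, wbits=-15).decode("utf-8")


def build_redirect_query(param_name: str, xml: str, relay_state: Optional[str]) -> str:
    """Sender side: only the SAML message is deflated+base64'd. RelayState is
    placed in the query string as-is; urlencode performs the URL-encoding the
    specification requires and nothing more."""
    params = {param_name: deflate_base64(xml)}
    if relay_state is not None:
        if len(relay_state.encode("utf-8")) > RELAY_STATE_MAX_BYTES:
            raise ValueError("RelayState must not exceed 80 bytes")
        params["RelayState"] = relay_state
    return urlencode(params)


def parse_redirect_query(query: str) -> Tuple[str, Optional[str]]:
    """Receiver side: decode the SAML message, pass RelayState through as an
    opaque string (the receiver must treat it as untrusted input, since the
    IdP echoes whatever value the SP originally sent)."""
    qs = parse_qs(query, strict_parsing=True)
    name = "SAMLResponse" if "SAMLResponse" in qs else "SAMLRequest"
    xml = inflate_base64(qs[name][0])
    relay_state = qs.get("RelayState", [None])[0]
    return xml, relay_state


def relay_state_survives_wrong_decoding(relay_state: str) -> bool:
    """Reproduces the behaviour the issue reports: treating RelayState as if it
    were base64+DEFLATE encoded. Returns False when that decoding fails, which
    it does for an ordinary opaque RelayState such as a return URL."""
    try:
        inflate_base64(relay_state)
        return True
    except (ValueError, zlib.error):  # binascii.Error is a ValueError subclass
        return False


def demo() -> dict:
    """Round-trips the constructed sample and checks the wrong decoding."""
    query = build_redirect_query("SAMLResponse", SAMPLE_RESPONSE, SAMPLE_RELAY_STATE)
    xml, relay_state = parse_redirect_query(query)
    return {
        "xml_roundtrip_ok": xml == SAMPLE_RESPONSE,
        "relay_state_roundtrip_ok": relay_state == SAMPLE_RELAY_STATE,
        "relay_state_base64_inflate_ok": relay_state_survives_wrong_decoding(SAMPLE_RELAY_STATE),
        "query": query,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The receiver-side function deliberately does not decode RelayState at all: per the binding it is URL-encoded only, so the form/query parser already yields the final value. A real SP should additionally validate RelayState before using it for redirection (for example, by only accepting values it issued itself), since the value is reflected by the IdP.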