SAML RelayState is not refreshed
Concerned version
Version: %2.0.13
Platform: Nginx
Summary
The SAML RelayState sent by the SP is not refreshed by LLNG when received. Then, if two SSO Auth requests from the same browser are executed, the second will be answered by the SSO with a false relaystate.
Reproducing (your SP must use a unique id as relaystate):
- Open a tab. Go to your SP and click to connect. (SAML auth request is sent with relaystate=AAAAAA)
- You are redirected to LLNG. Do not log on.
- Go back to your SP and click to connect.
- You are redirected to LLNG. Log on. (SAML auth request is sent with relaystate=BBBBBB)
- The SSO SAML answer uses a wrong relaystate (it uses the relaystate AAAAAA sent in the first auth request instead of BBBBBB)
Logs
No particular logs, but the SP sees it as a SAML replay attack.
Possible fixes
Refreshing the stored request or using a cookie?
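
The reproduction steps above, modelled as an added example (not part of the original report and not LemonLDAP::NG code). All class and function names are hypothetical, and the SP is assumed to accept only the RelayState of its most recent request for that browser.

```python
# Constructed model of the reported flow; names are hypothetical.

class StaleIdP:
    """Keeps the first RelayState seen for a browser (reported behaviour)."""
    def __init__(self):
        self.pending = {}  # browser id -> stored RelayState

    def receive_authn_request(self, browser, relay_state):
        # An existing pending entry is never overwritten.
        self.pending.setdefault(browser, relay_state)

    def login(self, browser):
        # The SAML answer echoes whatever RelayState was stored.
        return {"RelayState": self.pending.pop(browser)}


class RefreshingIdP(StaleIdP):
    """Overwrites the stored RelayState on every new request."""
    def receive_authn_request(self, browser, relay_state):
        self.pending[browser] = relay_state


class ServiceProvider:
    """Assumption: only the latest RelayState per browser is valid."""
    def __init__(self):
        self.expected = {}  # browser id -> latest RelayState issued

    def start_login(self, browser, relay_state):
        self.expected[browser] = relay_state
        return relay_state

    def accept(self, browser, response):
        return self.expected.get(browser) == response["RelayState"]


def run_flow(idp):
    """Replay the steps of the report; return (RelayState in answer, accepted)."""
    sp, browser = ServiceProvider(), "browser-1"
    # First click on the SP: request sent, user does not log on.
    idp.receive_authn_request(browser, sp.start_login(browser, "AAAAAA"))
    # Back to the SP, second click: a new RelayState is issued.
    idp.receive_authn_request(browser, sp.start_login(browser, "BBBBBB"))
    response = idp.login(browser)
    return response["RelayState"], sp.accept(browser, response)


if __name__ == "__main__":
    print("stale store:     ", run_flow(StaleIdP()))
    print("refreshing store:", run_flow(RefreshingIdP()))
```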