shibboleth-dev (Shibboleth Developers) list archive: [Shib-Dev] Thoughts on this bug?
- From: Cantor, Scott E.
- Subject: [Shib-Dev] Thoughts on this bug?
- Date: Mon, 14 Feb 2011 15:44:59 +0000
Andre brought this issue to my attention:
https://bugs.internet2.edu/jira/browse/SSPCPP-351
I downgraded it from "Security vulnerability" to bug, because it's not
formally something that affects the SP's security, but I am interested in
doing something to improve this.
I have a patch prepared right now that I've tested a bit that adds a pair of
new Sessions properties:
relayStateLimit="exact|host|whitelist"
relayStateWhitelist="vhost vhost vhost"
This allows you to limit where the SP will redirect after SSO or logout,
either to the exact same vhost as the handler itself, or to the same host
(any scheme or port), or with an explicit whitelist of vhosts, which allows
redirection off the SP to other systems by explicitly enabling that.
Originally I was considering coming up with separate options to control the
behavior during SSO vs. Logout, but that got very confusing and I think
"confusing" is a bad direction to take with this kind of fix.
I don't plan to enable this by default in the next patch, mainly because it
would affect use of the "return" parameter during logout, and I know people
use that (I use it myself, e.g. with confluence).
Tentatively I'm considering enabling this with the "host" option in 2.5 or
whatever comes next, but I'm also probably going to think about ways to
simplify the "SSL or not" choice because the number of settings involved with
limiting to SSL is getting out of hand.
-- Scott
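The three relayStateLimit modes described above, written out as an added Python illustration of the check (not the SP's own C++ code). It assumes default ports for http/https, treats a bare path as staying on the SP, rejects URLs carrying userinfo, and in whitelist mode also allows the handler's own vhost; the whitelist entries are assumed to be full vhost URLs like "https://wiki.example.edu".

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def vhost(url):
    """Reduce a URL to its (scheme, host, port) vhost triple, or None if unusable."""
    try:
        p = urlsplit(url)
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = p.scheme.lower()
    # Only http/https targets count; javascript:, data:, scheme-relative etc. are rejected.
    if scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    if "@" in p.netloc:  # userinfo is a classic way to disguise the real host
        return None
    return (scheme, p.hostname.lower(), port if port is not None else DEFAULT_PORTS[scheme])


def relay_state_allowed(relay_state, handler_url, limit="host", whitelist=()):
    """Decide whether the SP may redirect to relay_state after SSO or logout.

    limit="exact"     same scheme, host and port as the handler
    limit="host"      same hostname, any scheme or port
    limit="whitelist" vhost must be in the whitelist (or be the handler's own vhost)
    """
    # Assumption: a bare path cannot leave the SP, so it is fine under every mode.
    if relay_state.startswith("/") and not relay_state.startswith("//"):
        return True
    target = vhost(relay_state)
    handler = vhost(handler_url)
    if target is None or handler is None:
        return False
    if limit == "exact":
        return target == handler
    if limit == "host":
        return target[1] == handler[1]
    if limit == "whitelist":
        # Assumption: the handler's own vhost is implicitly allowed alongside the list.
        allowed = {vhost(entry) for entry in whitelist} | {handler}
        return target in allowed
    raise ValueError("unknown relayStateLimit: %r" % limit)
```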