According to the SAML specification:
E1: Relay State for HTTP Redirect
Change [SAMLBind] Section 3.4.3 at lines 551-553 to reflect the fact that, indeed, the RelayState parameter is covered by the query string signature described in Section 3.4.4.1 (DEFLATE encoding). Note that Section 3.5.3, which has similar original wording, remains correct for its case.
Original:
RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message. Signing is not realistic given the space limitation, but because the value is exposed to third-party tampering, the entity SHOULD insure that the value has not been tampered with by using a checksum, a pseudo-random value, or similar means.
New:
RelayState data MAY be included with a SAML protocol message transmitted with this binding. The value MUST NOT exceed 80 bytes in length and SHOULD be integrity protected by the entity creating the message, either via a digital signature (see Section 3.4.4.1) or by some independent means.
However, because the RelayState parameter is used to save the path to a document, it can currently exceed this limit. For instance:
nxpath/default/default-domain/Ancien%20Colibri/78661/61101/8/16@view_documents?tabIds=%3A&old_conversationId=0NXMAIN
This produces warnings like:
WARN [http-bio-10.10.18.232-13861-exec-1320] [org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder] Relay state exceeds 80 bytes, some application may not support this.
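One way to stay within the 80-byte limit and still meet the integrity requirement quoted above, shown as an added example that is not code from the original report or from OpenSAML: keep the long path server-side and send a short random handle with an HMAC tag as the RelayState. The names `RelayStateStore`, `issue` and `redeem`, the in-memory dictionary and the key handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

MAX_RELAY_STATE_BYTES = 80  # limit from [SAMLBind] Section 3.4.3

# Path quoted in the report above, used here as sample input.
SAMPLE_PATH = ("nxpath/default/default-domain/Ancien%20Colibri/78661/61101/8/"
               "16@view_documents?tabIds=%3A&old_conversationId=0NXMAIN")


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value survives a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class RelayStateStore:
    """Hypothetical helper: swaps long return paths for short, tagged handles."""

    def __init__(self, key: bytes):
        self._key = key      # server-side secret (assumption: >= 32 random bytes)
        self._paths = {}     # handle id -> path; a real SP would use session storage

    def _tag(self, handle_id: str) -> bytes:
        mac = hmac.new(self._key, handle_id.encode("utf-8"), hashlib.sha256)
        return _b64(mac.digest()[:16]).encode("ascii")  # 128-bit truncated tag

    def issue(self, path: str) -> str:
        """Store the path and return the RelayState value to send instead."""
        handle_id = _b64(secrets.token_bytes(16))        # 22 characters
        relay_state = handle_id + "." + self._tag(handle_id).decode("ascii")
        if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
            raise ValueError("RelayState exceeds 80 bytes")
        self._paths[handle_id] = path
        return relay_state

    def redeem(self, relay_state: str):
        """Return the stored path, or None if the value was altered or reused."""
        handle_id, sep, tag = relay_state.partition(".")
        expected = self._tag(handle_id)
        if not sep or not hmac.compare_digest(tag.encode("utf-8"), expected):
            return None
        return self._paths.pop(handle_id, None)          # single use
```

The resulting RelayState is 45 bytes regardless of path length, and the path itself never leaves the service provider, so a tampered value cannot steer the post-login redirect.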