Is there a way to prevent Cognito from including Line Feed Characters ("\x0a") in SAML Requests?

We use Amplify with Cognito for logins, and have a federated identity provider that has reported that Cognito sometimes includes line feed characters in generated SAML Requests. This is causing problems for them. They stated it is a security concern; however, given that SAMLRequests from Cognito are unsigned, I imagine that they may be having difficulty parsing the value. I was not initially able to reproduce the issue, but I noticed that Cognito seems to do this if the redirect is longer. (All the examples they sent had a redirect which was over 3000 characters long.) Longer requests seem to be due to a larger-than-normal RelayState being included in the response.

So my question has two parts:

  1. Is there a way to force Cognito not to include line feed characters in the redirect?
  2. If not, is there a way to reduce the length of the RelayState? (Given that this is a login, and that the RelayState is encrypted, I can't imagine what other data is being stored there.) Can Amplify be used to clear the session? Will calling some sort of logout before logging in help here?
No answers
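
A diagnostic for the situation described in the question, as an added example that is not part of the original post: it takes a redirect URL, counts line feeds inside the `SAMLRequest` parameter, and shows whether a strict base64 decoder rejects the value while a whitespace-stripping one still recovers the XML. It assumes the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding); the sample request, the `example.test` hosts and the function names are constructed for illustration.

```python
import base64
import binascii
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample request; not a real Cognito AuthnRequest.
SAMPLE_XML = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
              b'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')


def build_sample_url(wrap):
    """Build a constructed redirect URL; wrap=True inserts LF every 76 base64 chars."""
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    raw = deflater.compress(SAMPLE_XML) + deflater.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    if wrap:
        b64 = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    query = urlencode({"SAMLRequest": b64, "RelayState": "constructed-state"})
    return "https://idp.example.test/sso?" + query


def inspect_saml_request(url):
    """Report whitespace inside SAMLRequest and whether strict/lenient decoding works."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = params["SAMLRequest"][0]  # parse_qs has already percent-decoded it
    report = {
        "url_length": len(url),
        "relay_state_length": len(params.get("RelayState", [""])[0]),
        "line_feeds": value.count("\n"),
        "carriage_returns": value.count("\r"),
    }
    try:
        base64.b64decode(value, validate=True)  # rejects any non-alphabet byte
        report["strict_base64_ok"] = True
    except binascii.Error:
        report["strict_base64_ok"] = False
    cleaned = "".join(value.split())  # what a lenient parser effectively does
    xml = zlib.decompress(base64.b64decode(cleaned, validate=True), -15)
    report["xml_after_stripping"] = xml.decode("utf-8")
    return report


if __name__ == "__main__":
    for wrap in (False, True):
        result = inspect_saml_request(build_sample_url(wrap))
        print(wrap, {k: v for k, v in result.items() if k != "xml_after_stripping"})
```

Running it against a captured redirect from the browser's network log gives the identity provider a concrete report of where the whitespace sits and how long the RelayState is.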