fix: restore previous behaviour for handling RelayState in SAML (#1469)

precious · nijel · commit 78e522a9607e · 2025-12-17T11:55:29.000+01:00
diff --git a/social_core/backends/saml.py b/social_core/backends/saml.py
@@ -398,6 +398,22 @@ def get_user_id(self, details, response) -> str:
         uid = idp.get_user_permanent_id(response["attributes"])
         return f"{idp.name}:{uid}"
 
+    def parse_relay_state(self, relay_state_str: str) -> dict:
+        """Parse RelayState JSON or simple string into a dict"""
+        try:
+            relay_state: dict = json.loads(relay_state_str)
+        except json.JSONDecodeError:
+            # this is for backward compatibility; also some identity providers
+            # (like Okta) send a simple string with the IdP name in RelayState
+            # during IdP-initiated SSO:
+            relay_state = {"idp": relay_state_str}
+
+        # Validate that the data is dict
+        if not isinstance(relay_state, dict):
+            raise AuthInvalidParameter(self, "RelayState")
+
+        return relay_state
+
     def auth_complete(self, *args, **kwargs):
         """
         The user has been redirected back from the IdP and we should
@@ -409,15 +425,7 @@ def auth_complete(self, *args, **kwargs):
         except KeyError:
             idp_name = None
         else:
-            # Parse RelayState JSON
-            try:
-                relay_state: dict = json.loads(relay_state_str)
-            except json.JSONDecodeError as error:
-                raise AuthInvalidParameter(self, "RelayState") from error
-
-            # Validate that the data is dict
-            if not isinstance(relay_state, dict):
-                raise AuthInvalidParameter(self, "RelayState")
+            relay_state = self.parse_relay_state(relay_state_str)
 
             # Get IdP name
             idp_name = relay_state.get("idp")
diff --git a/social_core/tests/backends/test_saml.py b/social_core/tests/backends/test_saml.py
@@ -16,7 +16,7 @@
 except ImportError:
     SAML_MODULE_ENABLED = False
 
-from social_core.exceptions import AuthInvalidParameter, AuthMissingParameter
+from social_core.exceptions import AuthMissingParameter
 
 from .base import BaseBackendTest
 
@@ -118,14 +118,13 @@ def test_login_with_legacy_relay_state(self) -> None:
         """
         Test that we handle legacy RelayState (i.e. just the IDP name, not a JSON object).
 
-        This is the form that RelayState had in prior versions of this library.
-        It is no longer supported and fails with invalid parameter.
+        This is the form that RelayState had in prior versions of this library. It should be supported for backwards
+        compatibility. It is also sent by some identity providers (like Okta) on IdP-initiated login.
         """
         self.response_fixture = "saml_response_legacy.txt"
 
         self.strategy.set_request_data({"idp": "testshib"}, self.backend)
-        with self.assertRaises(AuthInvalidParameter):
-            self.do_login()
+        self.do_login()
 
     def test_login_no_idp_in_initial_request(self) -> None:
         """
