Fix BackURL redirect with strict or lax session cookie security.

Should fix silverstripe#45

src/Control/SAMLController.php

@@ -262,6 +262,14 @@ protected function getRedirect()
             return $this->redirect($this->getRequest()->getSession()->get('BackURL'));
         }
 
+        // In SAMLHelper, we pass the BackURL to be returned to us in RelayState.
+        // If only assertion is signed, RelayState cannot be trusted. Prevent open relay
+        // as in // https://github.com/SAML-Toolkits/php-saml#avoiding-open-redirect-attacks
+        $relayState = $this->owner->getRequest()->postVar('RelayState');
+        if ($relayState && Director::is_site_url($relayState)) {
+            $this->redirect($relayState);
+        }
+
         // Spoofing attack, redirect to homepage instead of spoofing url
         if ($back && !Director::is_site_url($back)) {
             return $this->redirect(Director::absoluteBaseURL());

src/Helpers/SAMLHelper.php

@@ -75,7 +75,7 @@ public function redirect(RequestHandler $requestHandler = null, HTTPRequest $req
         $additionalGetQueryParams = $this->getAdditionalGETQueryParameters();
 
         try {
-            $auth->login(Director::absoluteBaseURL() . 'saml/', $additionalGetQueryParams);
+            $auth->login($backURL, $additionalGetQueryParams);
         } catch (Exception $e) {
             /** @var LoggerInterface $logger */
             $logger = Injector::inst()->get(LoggerInterface::class);