Dealing with links embedded in Excel

Wessel, Keith William kwessel at illinois.edu
Wed Sep 28 18:27:09 BST 2011 

Hi,Michael,

Yes, this is a Microsoft issue, not a Shib issue. We've even seen it in our legacy SSO (non-Shib) setup. Microsoft tries to pass the blame to the SSO in this KB article:


http://support.microsoft.com/kb/899927

But at least they consider it to be a known issue.

There is a registry hack that will tell Ofice apps to open the link in the browser and not Office. It's not ideal, though, since it does meana registry modification.

Good luck, and if anyone's found another way around this, I'd love to hear about it, too.

Keith



From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of McDermott, Michael
Sent: Wednesday, September 28, 2011 12:13 PM
To: Shib Users
Subject: Dealing with links embedded in Excel

Dear Shib Users,
A crafty user has created a report that generates an excel file which will display a list of errors for their problem domain and a link to the specific record in the web application that manages that domain.  The application is protected by shibboleth.  All of the individual links work, they just do not work in when clicking them in Excel in Windows.

It seems that this problem is documented:
http://shibboleth.1660669.n2.nabble.com/links-in-Microsoft-office-break-shibboleth-login-td5186632.html

https://groups.google.com/group/shibboleth-users/browse_thread/thread/f5947a2e99fff37e/11b670f90f9cd550?lnk=gst&q=word+link+problem&pli=1#11b670f90f9cd550

After some debugging, this is clearly an Excel problem, the root of which seems to be that Excel makes the initial http call and does not invoke the browser until it gets an http 200 response code (and in a normal interaction there would be a few redirects before you get to the login page).  The effect is that the user's browser arrives at the Shibboleth IdP login screen, not knowing which SP this request is for and so the process fails after login.  I have tried to work through this with both SP and IdP initiated AuthN and since they both use redirects, the error is the same.

On the surface it seems like there is a problem with Shibboleth, particularly since a diligent, non technical user will paste the link into their browser to confirm it works at all before calling.

As in the preceding posts, I do not have a work around in Excel (e.g. a way to make Excel open the browser and then pass in the link), so if someone does, please let me know.

At the very least this might server as a warning to others that this issue exists and your IdP works fine.

--
Michael J. McDermott
Lead Developer, Identity and Access Management
Brown University

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20110928/d2d6a743/attachment-0001.html

More information about the users mailing list