Returning to original target after NoPassive "error"

Cantor, Scott cantor.2 at osu.edu
Tue Nov 20 18:26:09 EST 2012


On 11/20/12 5:28 PM, "Christopher Bongaarts" <cab at umn.edu> wrote:

>When using isPassive, if you use a SessionInitiator with a target URL
>(e.g. /Shibboleth.sso/Login?target=...) it works if the login succeeds
>(i.e. the user has already authenticated and SSO kicks in).  If it
>fails, the redirectErrors URL is invoked, but I didn't see the target
>URL show up anywhere.

The code is supposed to be turning RelayState back into the URL before it
passes along the error, so the RelayState parameter in the redirect is
supposed to have the URL in it. If not, file a bug, I'll see if I can
reproduce.

The other trick is that I added an ignoreNoPassive option that lets it
detect that status code from the IdP and just pass control back to the
resource, no error.

That unfortunately is one of the few special settings that I added to the
old <AssertionConsumerService> elements from the pre-2.4 days. I didn't
have a good way to carry those forward but I've been trying to find all of
them in the docs and get them handled in the next patch, this is another
one I missed.

It's documented:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAssertionConsumerService

See under SAML 2.0.

-- Scott
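
Added example, not part of the original message and not Shibboleth code: a sketch of how an application page registered as the redirectErrors URL could read the RelayState parameter discussed above and return the user to the original target only when that URL points back at the application. The host names, the error page path and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (constructed values): hosts this SP protects and a fallback page.
ALLOWED_HOSTS = {"app.example.edu"}
DEFAULT_URL = "https://app.example.edu/"

# Constructed sample of a request arriving at the redirectErrors page.
SAMPLE_ERROR_REQUEST = (
    "https://app.example.edu/sso-error"
    "?RelayState=https%3A%2F%2Fapp.example.edu%2Fprotected%2Fpage%3Fid%3D7"
)


def safe_return_url(relay_state, allowed_hosts=ALLOWED_HOSTS):
    """Return relay_state if it is an https URL on an allowed host, else None."""
    if not relay_state:
        return None
    # Backslashes, spaces and control characters are parsed inconsistently
    # by browsers and URL libraries, so refuse them outright.
    if "\\" in relay_state or any(ord(c) <= 0x20 for c in relay_state):
        return None
    try:
        parts = urlsplit(relay_state)
        host = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    # Require an absolute https URL with no user:password@ prefix.
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    if host not in allowed_hosts:
        return None
    return relay_state


def resume_target(error_request_url):
    """Pick where the redirectErrors page should send the browser."""
    query = parse_qs(urlsplit(error_request_url).query)
    values = query.get("RelayState", [])
    # Exactly one RelayState is expected; duplicates are treated as tampering.
    target = safe_return_url(values[0]) if len(values) == 1 else None
    return target or DEFAULT_URL


if __name__ == "__main__":
    print(resume_target(SAMPLE_ERROR_REQUEST))
```

The query string of the error redirect is attacker-controllable, so the handler falls back to a fixed page whenever RelayState is missing, repeated, or points at a host outside the allow-list.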