Returning to original target after NoPassive "error"

Cantor, Scott cantor.2 at
Tue Nov 20 18:26:09 EST 2012

On 11/20/12 5:28 PM, "Christopher Bongaarts" <cab at> wrote:

>When using isPassive, if you use a SessionInitiator with a target URL
>(e.g. /Shibboleth.sso/Login?target=...) it works if the login succeeds
>(i.e. the user has already authenticated and SSO kicks in).  If it
>fails, the redirectErrors URL is invoked, but I didn't see the target
>URL show up anywhere.

The code is supposed to be turning RelayState back into the URL before it
passes along the error, so the RelayState parameter in the redirect is
supposed to have the URL in it. If not, file a bug, I'll see if I can

The other trick is that I added an ignoreNoPassive option that lets it
detect that status code from the IdP and just pass control back to the
resource, no error.

That unforunately is one of the few special settings that I added to the
old <AssertionConsumerService> elements from the pre-2.4 days. I didn't
have a good way to carry those forward but I've been trying to find all of
them in the docs and get them handled in the next patch, this is another
one I missed.

It's documented:

See under SAML 2.0.

-- Scott

More information about the users mailing list