Returning to original target after NoPassive "error"

Christopher Bongaarts cab at
Wed Nov 21 15:44:09 EST 2012

On 11/20/2012 5:26 PM, Cantor, Scott wrote:
> On 11/20/12 5:28 PM, "Christopher Bongaarts" <cab at> wrote:
>> When using isPassive, if you use a SessionInitiator with a target URL
>> (e.g. /Shibboleth.sso/Login?target=...) it works if the login succeeds
>> (i.e. the user has already authenticated and SSO kicks in).  If it
>> fails, the redirectErrors URL is invoked, but I didn't see the target
>> URL show up anywhere.
> The code is supposed to be turning RelayState back into the URL before it
> passes along the error, so the RelayState parameter in the redirect is
> supposed to have the URL in it. If not, file a bug, I'll see if I can
> reproduce.

I see it now (actually comes over as RelayState).  I documented it on 
the NativeSPErrors wiki page, and noticed it was already in the example 

> The other trick is that I added an ignoreNoPassive option that lets it
> detect that status code from the IdP and just pass control back to the
> resource, no error.

That could make things much easier!

> That unfortunately is one of the few special settings that I added to the
> old <AssertionConsumerService> elements from the pre-2.4 days. I didn't
> have a good way to carry those forward but I've been trying to find all of
> them in the docs and get them handled in the next patch, this is another
> one I missed.

If I'm reading this correctly you're saying you can't just say:

<SSO ignoreNoPassive="true">SAML2</SSO>

you have to build out an old-school SessionInitiator instead.

%%  Christopher A. Bongaarts   %%  cab at          %%
%%  OIT - Identity Management  %%  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
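
Added example, not part of the original thread and not Shibboleth code: a sketch of how a page behind the redirectErrors URL could use the RelayState parameter discussed above to send the user back to the original target when the only failure was NoPassive, while refusing off-site targets. The statusCode/statusCode2 parameter names, the sp.example.org host and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# SAML 2.0 status code an IdP returns when it cannot authenticate passively.
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Assumption: hosts this application is willing to send users back to.
ALLOWED_HOSTS = {"sp.example.org"}
FALLBACK = "/"


def is_safe_target(target: str) -> bool:
    """Accept only rooted local paths or https URLs on an allowed host."""
    if not target or any(c in target for c in "\r\n\\"):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative: must be rooted, and not scheme-relative ("//host").
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def handle_error_redirect(query_string: str):
    """Decide where the error page sends the browser.

    Returns (action, location). action is "resume" when the failure was
    NoPassive; location is the RelayState target if it passes validation,
    otherwise FALLBACK. Any other failure returns ("error", None).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    relay = params.get("RelayState", [""])[0]
    # Assumption: status codes arrive as statusCode / statusCode2 parameters.
    codes = params.get("statusCode", []) + params.get("statusCode2", [])
    if NO_PASSIVE in codes:
        return ("resume", relay if is_safe_target(relay) else FALLBACK)
    return ("error", None)
```

The resumed resource should record that a passive attempt was already made (for example in a short-lived cookie) so it does not issue another isPassive request and loop.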
