Returning to original target after NoPassive "error"
Christopher Bongaarts
cab at umn.edu
Wed Nov 21 15:44:09 EST 2012
On 11/20/2012 5:26 PM, Cantor, Scott wrote:
> On 11/20/12 5:28 PM, "Christopher Bongaarts" <cab at umn.edu> wrote:
>
>> When using isPassive, if you use a SessionInitiator with a target URL
>> (e.g. /Shibboleth.sso/Login?target=...) it works if the login succeeds
>> (i.e. the user has already authenticated and SSO kicks in). If it
>> fails, the redirectErrors URL is invoked, but I didn't see the target
>> URL show up anywhere.
>
> The code is supposed to be turning RelayState back into the URL before it
> passes along the error, so the RelayState parameter in the redirect is
> supposed to have the URL in it. If not, file a bug, I'll see if I can
> reproduce.

I see it now (actually comes over as RelayState). I documented it on
the NativeSPErrors wiki page, and noticed it was already in the example
there.

> The other trick is that I added an ignoreNoPassive option that lets it
> detect that status code from the IdP and just pass control back to the
> resource, no error.

That could make things much easier!

> That unfortunately is one of the few special settings that I added to the
> old <AssertionConsumerService> elements from the pre-2.4 days. I didn't
> have a good way to carry those forward but I've been trying to find all of
> them in the docs and get them handled in the next patch, this is another
> one I missed.

If I'm reading this correctly you're saying you can't just say:

    <SSO ignoreNoPassive="true">SAML2</SSO>

you have to build out an old-school SessionInitiator instead.

--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
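
The return-to-target step discussed in this thread, as an added example that is not part of the original messages or of the Shibboleth code: a redirectErrors handler that sends the browser back to the URL carried in RelayState only when that URL is on the site's own origin, since the value arrives as a query parameter. The origin sp.example.org, the fallback page, the function names and the statusCode2 parameter name are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the thread): this site's origin, the fallback page,
# and "statusCode2" as the parameter carrying the second-level SAML status.
ALLOWED_ORIGINS = {("https", "sp.example.org")}
FALLBACK = "/"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


def safe_target(relay_state):
    """Return relay_state if it points at our own origin, else None."""
    if not relay_state:
        return None
    # Reject whitespace, control characters and backslashes, which browsers
    # may normalise into a different URL than the one parsed here.
    if any(ord(c) <= 0x20 or c == "\\" for c in relay_state):
        return None
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path on this host.
        return relay_state if parts.path.startswith("/") else None
    # Absolute URL: scheme and authority must match exactly, so userinfo
    # tricks (sp.example.org@other-host) and scheme-relative URLs fail.
    if (parts.scheme.lower(), parts.netloc.lower()) in ALLOWED_ORIGINS:
        return relay_state
    return None


def handle_error(query_string):
    """Pick the redirect location for a request to the redirectErrors URL."""
    params = parse_qs(query_string, keep_blank_values=True)

    def first(name):
        return params.get(name, [""])[0]

    target = safe_target(first("RelayState"))
    if first("statusCode2") == NO_PASSIVE and target:
        # Passive SSO found no IdP session: return to the original resource.
        return target
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample query strings.
    print(handle_error("RelayState=/app/page&statusCode2=" + NO_PASSIVE))
    print(handle_error("RelayState=//other.example/x&statusCode2=" + NO_PASSIVE))
```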