Setting IdP login page locale based on some AuthnRequest data

Peter Schober peter.schober at
Tue May 13 10:26:05 EDT 2014

* Paweł Pogoda <paw.pogoda at> [2014-05-13 16:15]:
> Is it possible to set different locale for IdP login page, based on
> some information sent in AuthnRequest?

Probably, provided you don't care about interopability.

> In standard IdP configuration (using external login handler) login page
> take locale from request - browser settings.

Well, the login page of your ExternalAuthn login handler does what you
want it to to, it's your code.

> I'v tried to change SP configuration to make auth request via POST instead
> of redirect and modified bindingTemplate.html (add additional hidden field
> with locale value) - but this information is lost on IdP before it reach my
> code in LoginServlet.
> I read something about authnRequest extensions, but don't know how to
> prepare such request on SP side. (I need to be able to incorporate in it
> some dynamic element <Locale>)
> In SP documentation I found some entry about <samlp:AuthnRequest> incorporated
> inside sessionIinitiator but I don't know if it's possible to add there
> custom XML tags with dynamic value.

Unless you sign the authentication requests (and there are not many
reasons to do that, the default is not to sign), you can just simply
create any authn request yourself, programmatically and as dynamic as
you want it to be.

I can't help with the IDP side, but it seems there are two aspects to it:
Getting at the extension, and passing it to your ExternalAuthn login
handler. As for the latter I don't know but would be sceptical whether
that interface (the method provided) supports the passing of arbitrary
other data to the external authn code, you'd have to look at the code.

> Also I think about some solution using JSONP to retrieve in IdP
> login page locale from SP protected site - but it seems to be not
> that way how it should be handled (additional request)

If that means you're trying to get some data from a resource that is
actively protected by the webserver + Shib SP, the only reply you'll
get is a redirect to the IDP (assuming the Redirect binding for authn
requests). So that would be expected. Which in turn probably means
that I don't understand what you want to do.

More information about the users mailing list