Destination sent in URL to avoid stale sessions?

Peter Schober peter.schober at
Mon May 11 09:09:54 EDT 2015

* David McIntosh <David.McIntosh at> [2015-05-11 14:42]:
> Looking at CAS... I noticed it passes along the destination in the URL:
> ?
> I was curious if there was something similar for Shibboleth?  And if not..
> was there reasoning for not implementing it?
> Basically, something that would allow users to bookmark the Shib login page
> and be able to initiate login from there next time...

For SP-initiated flows SAML 2 requires an authentication request from
the SP to the IDP, and that may contain certain constraints and
requests from the SP, it may be signed by the SP, etc.

Obviously if you want people to (be able to) bookmark the IDP login
page you can't do that. The way things are you probably wouldn't
easily be able to through in an IDP-initated request (posting an
unsolicited SAML response to some unsuspecting SP).

For any real IDP sending users accessing a bookmark of the IDP's login
page to some specific SP won't fly, as there's a chance of
1/(number-of-SPs-known-to-IDP) that that'll be the "desired" SP.

> otherwise we need to always have a landing page for them to
> bookmark... with a click here to login link.

Jfyi, for Univie's IDP we put a SAML SP (with lazy sessions) on / of
the IDP's webserver, with a login button (literrally, a button that
said "login"). We encouraged people to bookmark that page for security
reasons (instead of entering your credentials at any site you're being
redirect to, that looks like your institution's), and also to avoid
them bookmarking the wrong page.
After successfully authenticating at the IDP people ended up back at
the / of the webserver, now with a Shib SP session, and were then
informed of accessing their desired SPs now. (In the beginning there
was a handful of popular campus SPs listed there, but I think that's
now long gone from there, too.)
So it wouldn't do anything useful, it just was a place to send people
to who insisted on having a place to be sent to. Whether starting at
"the IDP" from a bookmark (i.e., known good source) really lowers the
risk of getting phishing 10 mins later is up for anyone's guess.

Later on folks from the propaganda department didn't want to promote
bookmarking the "IDP's start page" anymore (which was more of "the
SP's start page", really), for reasons unkown to me, and all of the
surrounding text (modulo "close the browser") was removed.

You can (and should) also trap such requests (ending up at the IDP
with no context) in the IDP (login.jsp in v2) and generate an
approppriate HTML page, telling them what to do, how to avoid that
error, etc.  So basically that /is/ your "landing page" already: they
will end up there when bookmarking e.g. /idp/Authn/UserPassword and
you can trap that mistake and put something useful there, including
triggering SSO at a specific SP by linking to it's request-initiator

More information about the users mailing list