Shibboleth Idp does not persist URL hash fragments across a login redirect.

Jorj Bauer jorj at temple.edu
Tue Apr 12 12:14:55 EDT 2016 

TL;DR: on the face of it, this must be an application problem and not a 
Shibboleth problem.

The client never transmits fragments to the SP, so the SP is powerless 
to include any information about the fragment.

Take a look at the packets with HTTPLiveHeaders, which will show you 
what the SP has to work with.

For example, if I go to http://jorj.org/blog/#test, this is what's sent:

	GET /blog/ HTTP/1.1
	Host: jorj.org
	Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
	Accept-Encoding: gzip, deflate, sdch
	Accept-Language: en-US,en;q=0.8
	Upgrade-Insecure-Requests: 1
	User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/49.0.2623.87 Safari/537.36

The server is completely unaware of the fragment.

But I have no idea what the OP's Angular app is doing.

There are ways that Angular can preserve the fragment during 
authentication (cf. https://github.com/auth0/auth0-angular) and maybe 
there's an interaction problem with something like that and Shibboleth. 
But if there is, someone would have to spell out in great detail exactly 
what's going wrong and where.

-- Jorj



On 04/12/2016 11:39 AM, Waldbieser, Carl wrote:
>
> I think the point is just that the OP wants the user to wind back up at the full URL (including the fragment) after authenticating.
> Could something like the "target" parameter [1] be used at the SP to force the redirect after authentication to end up at a complete URL?
>
> Thanks,
> Carl Waldbieser
> ITS Identity Management
> Lafayette College
>
> [1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessionCreationParameters
>
> ----- Original Message -----
> From: "Peter Schober" <peter.schober at univie.ac.at>
> To: users at shibboleth.net
> Sent: Tuesday, April 12, 2016 11:00:53 AM
> Subject: Re: Shibboleth Idp does not persist URL hash fragments across a login redirect.
>
> * Rainer Hoerbe <rainer at hoerbe.at> [2016-04-12 16:06]:
>> Shouldn’t the SP store the full URL including the fragment part in the relaystate cookie?
>
> Look at the server logs, the HTTP User Agent never transmits the
> fragment identifier, as I said before in the Wikipedia example.
> -peter
>

More information about the users mailing list