Shibboleth Idp does not persist URL hash fragments across a login redirect.
Peter Schober
peter.schober at univie.ac.at
Thu Apr 14 10:04:56 EDT 2016
* Nate Klingenstein <ndk at sudonym.me> [2016-04-13 18:16]:
> You could probably use this. I’ve changed the metadata to remove
> the DiscoveryService DS element and added a init:RequestInitiator
> TestShib element.
Thanks!
So to close this off (and with unsurprising results for a JavaScript
application running in the browser):
Using lazy sessions (checking for, initializing and potentially
terminating sessions yourself, using the Shib SP's documented
endpoints) applications relying on fragment identifiers should work
fine, e.g.:
https://sp.testshib.org/Shibboleth.sso/TestShib?target=https%3A%2F%2Fsp.testshib.org%2Ftesting%2Fsample.jsp%23foo
After the redirect and POST back and redirect to the resource you'll
still have the fragment identifer on the URL.
Using active protection (i.e., enforcing ACS from the web server) this
won't work as the fragment identifiers are not sent to the server from
your web browser, so the server and its components (including the
Shibboleth SP, or SimpleSAMLphp, or anything else doing just SAML
here) cannot preserve the fragment across redirects by itself -- the
application would have to play an active role here.
-peter
More information about the users
mailing list