Shibboleth Idp does not persist URL hash fragments across a login redirect.

Peter Schober peter.schober at
Thu Apr 14 10:04:56 EDT 2016

* Nate Klingenstein <ndk at> [2016-04-13 18:16]:
> You could probably use this.  I’ve changed the metadata to remove
> the DiscoveryService DS element and added a init:RequestInitiator
> TestShib element.


So to close this off (and with unsurprising results for a JavaScript
application running in the browser):

Using lazy sessions (checking for, initializing and potentially
terminating sessions yourself, using the Shib SP's documented
endpoints) applications relying on fragment identifiers should work
fine, e.g.:
After the redirect and POST back and redirect to the resource you'll
still have the fragment identifer on the URL.

Using active protection (i.e., enforcing ACS from the web server) this
won't work as the fragment identifiers are not sent to the server from
your web browser, so the server and its components (including the
Shibboleth SP, or SimpleSAMLphp, or anything else doing just SAML
here) cannot preserve the fragment across redirects by itself -- the
application would have to play an active role here.


More information about the users mailing list