Capturing SAML Response sent by IDP

Peter Schober peter.schober at
Tue May 17 19:21:38 EDT 2016

* Ram, Budh <budh.ram at> [2016-05-18 01:08]:
> Ok got it. All I need to do is fetch the authenticated email address
> sent by IDP so that I can take further decision in my application
> (authorization related) and redirect the user to appropriate
> location.
> How and from where can I get it?

Documentation Home (Wiki) -> Configure -> SP: Access Attributes Programmatically

> if I understood correctly, my application URL will change
> from https://host:port/ to https://host:port/Shibboleth.sso/Login
> for my end users after SSO implementation?

No. Nothing will change, especially not your the URL your application
runs at. Your application runs at https://hostname:port/ and it will
keep running there.

*Either* you initiate SSO yourself -- a method sometimes called "lazy
sessions" or "passive protection" -- (programmatically, by generating
HTML link targets or by generating HTTP "Location" headers) using the
/Shibboleth.sso/Login handler. In that case the handler would be
visible briefly in the HTTP User Agent (though you could point to your
own code, say, /start-sso and that in turn redirects to
/Shibboleth.sso/Login with all the required parameters.)

*Or* you configure Shibboleth with active protection, so that the Shib
SP itself intercepts requests to protected resources and initates SSO,
freeing you to do that. (At the cost of having to statically configure
up front what resources on your server should be protected that way.)

You can also do both at the same time, of course.

More information about the users mailing list