[FORGED] Concur Application: adding custom elements to shib IdP SAML response

Reid Watson reid.watson at auckland.ac.nz
Thu May 4 17:06:06 EDT 2017

Hi Pete,  

You make some good points here, but each one of these workarounds requires the vendor to update the SP config. It looks like the vendor implemented this standard around 2014 and hasn't changed it since, so either the customers are ignoring this requirement or updating the code to support the requirement.

I was hoping that someone in the Shibboleth community had met these requirements and could provide some advice…

If I don’t get traction with this email thread over the next few days, I will talk to the vendor about an attribute (what makes my life easy).

Thank you for your input 



> On 5/05/2017, at 7:51 AM, Peter Schober <peter.schober at univie.ac.at> wrote:
> * Reid Watson <reid.watson at auckland.ac.nz> [2017-05-04 21:10]:
>> In 2014 a post was created stating “adding custom elements to shib IdP SAML response”
>> http://shibboleth.net/pipermail/users/2014-December/018467.html
>> Basic Overview "Adding an URL to the SAML response so the vendor can
>> redirect to an error page for unauthorised users”
> The SAML 2.0 Metadata spec allows populating an "errorURL" XML
> attribute in role descriptors. So you could add that to your IDP's
> Metadata and have the SP read it from there (assuming the SP can
> consume SAML Metadata; otherwise just give them the URL to use out of
> band).
> Other than that: If you want to send a URL to the SP, why not send it
> in an attribute statement and have the SP grab it from there?
> The SP will need to dig through the SAML anyway to grab it from
> /somewhere/ so it might as well be an attribute, no?
> -peter
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
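
An SP-side sketch of the first suggestion in the quoted reply, added here as an example and not code from this thread, from Shibboleth or from the vendor: it reads `errorURL` from the IdP's role descriptor in SAML metadata and accepts it as a redirect target only if it is an absolute https URL. The entityID, URLs and function names are constructed for illustration, and the metadata is assumed to have been signature-verified before it is parsed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample IdP metadata; entityID and URLs are placeholders.
IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      errorURL="https://idp.example.org/unauthorised.html">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def safe_redirect_target(url):
    """Return url if it is an absolute https URL with a host, else None."""
    if not url:
        return None
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return url


def idp_error_url(metadata_xml, entity_id):
    """Return the validated errorURL of entity_id's IDPSSODescriptor, or None.

    Assumption: metadata_xml comes from a trusted, signature-verified source.
    """
    root = ET.fromstring(metadata_xml)
    # The root may be one EntityDescriptor or an EntitiesDescriptor aggregate;
    # iter() also yields the root element itself when it matches.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        role = entity.find(f"{{{MD_NS}}}IDPSSODescriptor")
        if role is not None:
            return safe_redirect_target(role.get("errorURL"))
    return None
```
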
