IdPUnsolicitedSSO + relayState

Lalith Jayaweera ljayaweera at gmail.com
Sun Oct 8 22:30:24 EDT 2017


Hi,

We have IdP 3.3 with the CAS plugin.

We have existing IdP-initiated URLs as below:

https://myidp.com/idp/profile/SAML2/Unsolicited/SSO?providerId=https://vendor.com/cgi-bin/?p_subject=myAccount



Then I changed it to below


https://myidp.com/idp/profile/SAML2/Unsolicited/SSO?providerId=https://vendor.com/cgi-bin/?p_subject=myAccount&target=https://vendortarget.com/AgentWeb/



However, when it initially redirects to CAS for the authentication, I am
able to see the Service param with the entityID URL, but the target param was
missing from the query string, so I had doubts.....


but when I further checked the final response......


I am able to see the RelayState along with the SAMLResponse as shown
below.....



I kind of tend to believe the IdP has done what it is supposed to do, even though
the relay state was not appearing in the query string but was somehow
maintained in the IdP.


Please let me know if the above understanding is correct.


*POST*
*RelayState*: https://vendortarget.com/AgentWeb/
*SAMLResponse*: PD94bWwgdmVyc2lvbj0iMS4......

On Thu, Sep 28, 2017 at 6:46 PM, Peter Schober <peter.schober at univie.ac.at>
wrote:

> * Lalith Jayaweera <ljayaweera at gmail.com> [2017-09-28 09:16]:
> > For one of our IdP initiated SPs, there is a request to have RelayState
> > as a specific URL [...]
> > https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUnsolicitedSSO
> > can I safely assume, it is all about setting 'target' param in the
> > relyingparty xml
>
> Fyi, unless you're still using IDPv2 that's not the right
> documentation, for IDPv3 it's here:
> https://wiki.shibboleth.net/confluence/display/IDP30/UnsolicitedSSOConfiguration
>
> And the documented parameters are for query strings (i.e., request
> parameters) for HTTP GET requests sent to the IDP:
>
>   target (optional)
>     Corresponds to RelayState in the SAML 2.0 protocol, but can be
>     omitted.
>
> So you'd set 'providerId' to the (URL-encoded) entityID of the SP and
> 'target' to the URL you want to end up with at the SP (or the opaque
> RelayState value the SP wants you to use).
>
> You don't have to change any configuration files in order to use the
> above interface.
>
> -peter
>
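
The reply quoted above says to pass the URL-encoded entityID as `providerId` and the destination as `target`. As an added example (not from the thread or from the Shibboleth project), this Python sketch builds such a link with percent-encoding and shows what a standard query-string parser recovers when the values are left unencoded; the entityID containing `&mode=sso` is constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint, entityID and target are the placeholder values used in the post.
ENDPOINT = "https://myidp.com/idp/profile/SAML2/Unsolicited/SSO"
ENTITY_ID = "https://vendor.com/cgi-bin/?p_subject=myAccount"
TARGET = "https://vendortarget.com/AgentWeb/"
# Constructed entityID with a second query parameter, to show the failure mode.
ENTITY_ID_AMP = "https://vendor.com/cgi-bin/?p_subject=myAccount&mode=sso"


def build_unsolicited_sso_url(entity_id, target=None, endpoint=ENDPOINT):
    """Build the IdP-initiated link with every value percent-encoded."""
    params = {"providerId": entity_id}
    if target is not None:  # optional; the IdP returns it to the SP as RelayState
        params["target"] = target
    return endpoint + "?" + urlencode(params)


def naive_url(entity_id, target, endpoint=ENDPOINT):
    """Plain string concatenation, as in the links quoted in the post."""
    return f"{endpoint}?providerId={entity_id}&target={target}"


def received_params(url):
    """Decode the query string the way a standard form parser would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    for label, url in [
        ("encoded", build_unsolicited_sso_url(ENTITY_ID_AMP, TARGET)),
        ("naive", naive_url(ENTITY_ID_AMP, TARGET)),
    ]:
        print(label, url)
        for name, values in received_params(url).items():
            print("   ", name, "=", values)
```

With the post's own entityID the unencoded link still parses as intended because the value contains no `&`; the constructed entityID is split into a truncated `providerId` and a stray `mode` parameter.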